Movatterモバイル変換

[0]ホーム
URL:

CodeQL documentation
CodeQL resources

Deserialization of user-controlled data

ID: py/unsafe-deserializationKind: path-problemSecurity severity: 9.8Severity: errorPrecision: highTags:   - external/cwe/cwe-502   - security   - serializationQuery suites:   - python-code-scanning.qls   - python-security-extended.qls   - python-security-and-quality.qls

Click to see the query in the CodeQL repository

Deserializing untrusted data using any deserialization framework that allows the construction of arbitrary serializable objects is easily exploitable and in many cases allows an attacker to execute arbitrary code. Even before a deserialized object is returned to the caller of a deserialization method a lot of code may have been executed, including static initializers, constructors, and finalizers. Automatic deserialization of fields means that an attacker may craft a nested combination of objects on which the executed initialization code may have unforeseen effects, such as the execution of arbitrary code.

There are many different serialization frameworks. This query currently supports Pickle, Marshal and Yaml.

Recommendation

Avoid deserialization of untrusted data if at all possible. If the architecture permits it then use other formats instead of serialized objects, for example JSON.

If you need to use YAML, use theyaml.safe_load function.

Example

The following example callspickle.loads directly on a value provided by an incoming HTTP request. Pickle then creates a new value from untrusted data, and is therefore inherently unsafe.

fromdjango.conf.urlsimporturlimportpickledefunsafe(pickled):returnpickle.loads(pickled)urlpatterns=[url(r'^(?P<object>.*)$',unsafe)]

Changing the code to usejson.loads instead ofpickle.loads removes the vulnerability.

fromdjango.conf.urlsimporturlimportjsondefsafe(pickled):returnjson.loads(pickled)urlpatterns=[url(r'^(?P<object>.*)$',safe)]

References

[8]ページ先頭
©2009-2025 Movatter.jp