CodeQL documentation

Deserialization of user-controlled data

ID: js/unsafe-deserialization
Kind: path-problem
Security severity: 9.8
Severity: warning
Precision: high
Tags:
   - security
   - external/cwe/cwe-502
Query suites:
   - javascript-code-scanning.qls
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls


Deserializing untrusted data using any deserialization framework that allows the construction of arbitrary functions is easily exploitable and, in many cases, allows an attacker to execute arbitrary code.

Recommendation

Avoid deserialization of untrusted data if at all possible. If the architecture permits it, then use formats like JSON or XML that cannot represent functions. When using YAML or other formats that support the serialization and deserialization of functions, ensure that the parser is configured to disable deserialization of arbitrary functions.

Example

The following example calls the load function of the popular js-yaml package on data that comes from an HTTP request and hence is inherently unsafe.

const app = require("express")(),
  jsyaml = require("js-yaml");

// The :data route parameter is attacker-controlled. jsyaml.load resolves
// YAML-encoded functions, so the request body can carry executable code.
app.get("/load/:data", function(req, res) {
  let data = jsyaml.load(req.params.data);
  // ...
});

Using the safeLoad function instead (which does not deserialize YAML-encoded functions) removes the vulnerability.

const app = require("express")(),
  jsyaml = require("js-yaml");

// safeLoad uses the safe schema, which has no tag for JavaScript functions,
// so the same untrusted input can only produce plain data.
app.get("/load/:data", function(req, res) {
  let data = jsyaml.safeLoad(req.params.data);
  // ...
});
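The following is an added example, not code from the CodeQL page or from js-yaml: a defensive pre-check that rejects request YAML carrying js-yaml's JavaScript-specific tags before any loader sees it, with the loader injected so the file runs without js-yaml installed. It assumes js-yaml 3.x semantics, where load uses the full schema (!!js/function, !!js/regexp, !!js/undefined) and safeLoad the safe one; in js-yaml 4, load is already the safe loader and safeLoad was removed.

```javascript
// Added example, not from the CodeQL page or js-yaml. Assumes js-yaml 3.x:
// `load` instantiates the `!!js/function`, `!!js/regexp` and `!!js/undefined`
// tags, `safeLoad` (and `load` in js-yaml 4) does not.

// js-yaml's JavaScript-specific tags in shorthand (`!!js/...`) and
// verbatim (`!<tag:yaml.org,2002:js/...>`) form.
const UNSAFE_TAG_RE =
  /(?:!!|!<tag:yaml\.org,2002:)js\/(function|regexp|undefined)>?/g;

// Scan raw YAML text and report each JS-specific tag with its line number.
// Textual pre-check, not a parser: a tag inside a quoted scalar or a
// comment is still reported, which is the fail-closed direction.
function findUnsafeYamlTags(text) {
  const hits = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(UNSAFE_TAG_RE)) {
      hits.push({ line: i + 1, tag: `js/${m[1]}` });
    }
  });
  return hits;
}

// Deserialize untrusted YAML: refuse anything carrying a JS tag, then hand
// the text to a loader that itself uses the safe schema (jsyaml.safeLoad
// in js-yaml 3, jsyaml.load in js-yaml 4). Defense in depth, not a
// replacement for the safe loader.
function loadUntrustedYaml(text, safeLoader) {
  const hits = findUnsafeYamlTags(text);
  if (hits.length > 0) {
    const where = hits.map((h) => `${h.tag}@L${h.line}`).join(", ");
    throw new Error(`refusing YAML with JavaScript tags: ${where}`);
  }
  return safeLoader(text);
}

// Constructed sample inputs standing in for req.params.data.
const HOSTILE_YAML = [
  "name: report",
  "hook: !!js/function 'function () { return 42; }'",
  "pattern: !<tag:yaml.org,2002:js/regexp> /a+/",
].join("\n");
const BENIGN_YAML = "name: report\nretries: 3\n";

// Stand-in loader for the demo; in the app this is jsyaml.safeLoad.
const stubLoader = (t) => ({ bytes: t.length });
console.log(findUnsafeYamlTags(HOSTILE_YAML)); // two hits, lines 2 and 3
console.log(loadUntrustedYaml(BENIGN_YAML, stubLoader));
```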
