Deserialization of user-controlled data¶
ID: js/unsafe-deserialization
Kind: path-problem
Security severity: 9.8
Severity: warning
Precision: high
Tags:
- security
- external/cwe/cwe-502
Query suites:
- javascript-code-scanning.qls
- javascript-security-extended.qls
- javascript-security-and-quality.qls
Click to see the query in the CodeQL repository
Deserializing untrusted data using any deserialization framework that allows the construction of arbitrary functions is easily exploitable and, in many cases, allows an attacker to execute arbitrary code.
Recommendation¶
Avoid deserialization of untrusted data if at all possible. If the architecture permits it, then use formats like JSON or XML that cannot represent functions. When using YAML or other formats that support the serialization and deserialization of functions, ensure that the parser is configured to disable deserialization of arbitrary functions.
Example¶
The following example calls the load function of the popular js-yaml package on data that comes from an HTTP request and hence is inherently unsafe.
const app = require("express")(),
jsyaml = require("js-yaml");
app.get("load", function(req, res) {
let data = jsyaml.load(req.params.data);
// ...
});
Using the safeLoad function instead (which does not deserialize YAML-encoded functions) removes the vulnerability.
const app = require("express")(),
jsyaml = require("js-yaml");
app.get("load", function(req, res) {
let data = jsyaml.safeLoad(req.params.data);
// ...
});
References¶
OWASP vulnerability description: Deserialization of untrusted data.
OWASP guidance on deserializing objects: Deserialization Cheat Sheet.
Neal Poole: Code Execution via YAML in JS-YAML Node.js Module.
Common Weakness Enumeration: CWE-502.