Deserializing untrusted input¶
ID: py/unsafe-deserialization Kind: path-problem Severity: error Precision: high Tags: - external/cwe/cwe-502 - security - serialization Query suites: - python-code-scanning.qls - python-security-extended.qls - python-security-and-quality.qls
Deserializing untrusted data using any deserialization framework that allows the construction of arbitrary serializable objects is easily exploitable and in many cases allows an attacker to execute arbitrary code. Even before a deserialized object is returned to the caller of a deserialization method a lot of code may have been executed, including static initializers, constructors, and finalizers. Automatic deserialization of fields means that an attacker may craft a nested combination of objects on which the executed initialization code may have unforeseen effects, such as the execution of arbitrary code.
There are many different serialization frameworks. This query currently supports Pickle, Marshal and Yaml.
Avoid deserialization of untrusted data if at all possible. If the architecture permits it then use other formats instead of serialized objects, for example JSON.
If you need to use YAML, use the
The following example calls
pickle.loads directly on a value provided by an incoming HTTP request. Pickle then creates a new value from untrusted data, and is therefore inherently unsafe.
from django.conf.urls import url import pickle def unsafe(pickled): return pickle.loads(pickled) urlpatterns = [ url(r'^(?P<object>.*)$', unsafe) ]
Changing the code to use
json.loads instead of
pickle.loads removes the vulnerability.
from django.conf.urls import url import json def safe(pickled): return json.loads(pickled) urlpatterns = [ url(r'^(?P<object>.*)$', safe) ]
OWASP vulnerability description: Deserialization of untrusted data.
OWASP guidance on deserializing objects: Deserialization Cheat Sheet.
Talks by Chris Frohoff & Gabriel Lawrence: AppSecCali 2015: Marshalling Pickles - how deserializing objects will ruin your day
Common Weakness Enumeration: CWE-502.