CodeQL documentation

Deserialization of user-controlled data

ID: js/unsafe-deserialization
Kind: path-problem
Security severity: 9.8
Severity: warning
Precision: high
Tags:
- security
- external/cwe/cwe-502
Query suites:
- javascript-code-scanning.qls
- javascript-security-extended.qls
- javascript-security-and-quality.qls


Deserializing untrusted data using any deserialization framework that allows the construction of arbitrary functions is easily exploitable and, in many cases, allows an attacker to execute arbitrary code.

Recommendation

Avoid deserialization of untrusted data if at all possible. If the architecture permits it, then use formats like JSON or XML that cannot represent functions. When using YAML or other formats that support the serialization and deserialization of functions, ensure that the parser is configured to disable deserialization of arbitrary functions.

Example

The following example calls the load function of the popular js-yaml package on data that comes straight from an HTTP request, so the input is attacker-controlled and the call is unsafe.

```javascript
const app = require("express")(),
      jsyaml = require("js-yaml");

// The route parameter is untrusted: it is taken verbatim from the request URL.
app.get("/load/:data", function (req, res) {
  // jsyaml.load (js-yaml 3.x, full schema) will construct functions from
  // tags such as !!js/function, so untrusted YAML can carry executable code.
  let data = jsyaml.load(req.params.data);
  // ...
});
```

Using the safeLoad function instead (which does not deserialize YAML-encoded functions) removes the vulnerability.

```javascript
const app = require("express")(),
      jsyaml = require("js-yaml");

app.get("/load/:data", function (req, res) {
  // safeLoad uses the safe schema: YAML tags that would construct functions
  // or other JavaScript objects are rejected instead of evaluated.
  let data = jsyaml.safeLoad(req.params.data);
  // ...
});
```
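The page's fix switches to a parser schema that cannot build functions. Two practical points follow from the Recommendation above: the safe schema must be selected for the js-yaml version in use (in js-yaml 3.x that is `safeLoad`, or `load` with `DEFAULT_SAFE_SCHEMA`; in js-yaml 4.x `load` is safe by default and `safeLoad` has been removed), and, because that is a configuration detail that can regress, it pays to check the deserialized result itself. The example below is added here and is not code from the CodeQL page or from js-yaml; it is a library-independent guard that accepts only plain data (null, booleans, numbers, strings, arrays, plain objects, and Date for YAML timestamps) and rejects anything else, with the parser supplied as a parameter so the same wrapper serves JSON and a safely configured YAML loader. The `unsafeParseForDemo` function is a constructed stand-in for a misconfigured deserializer, used only to show the guard firing; the Express route in the trailing comment is an assumption, not the page's handler.

```javascript
// Added example (not the CodeQL page's or js-yaml's code): post-deserialization
// guard that refuses functions and other constructed objects.

function assertPlainData(value, path = "$") {
  if (value === null) return;
  const t = typeof value;
  if (t === "boolean" || t === "number" || t === "string") return;
  if (t !== "object") {
    // Covers functions (e.g. a YAML !!js/function result), undefined, symbols, bigints.
    throw new TypeError(`disallowed ${t} value at ${path}`);
  }
  if (Array.isArray(value)) {
    value.forEach((v, i) => assertPlainData(v, `${path}[${i}]`));
    return;
  }
  if (value instanceof Date) return; // !!timestamp is part of YAML's safe core types
  const proto = Object.getPrototypeOf(value);
  if (proto === Object.prototype || proto === null) {
    for (const key of Object.keys(value)) {
      assertPlainData(value[key], `${path}.${key}`);
    }
    return;
  }
  const name = value.constructor ? value.constructor.name : "unknown";
  throw new TypeError(`disallowed object of type ${name} at ${path}`);
}

// Deserialize untrusted text with a caller-supplied parser, then verify the
// result is plain data. JSON.parse is the default because JSON cannot represent
// functions at all. For YAML, pass a safely configured loader (assumed API,
// not from the page): `s => yaml.load(s)` with js-yaml 4.x, or
// `s => yaml.load(s, { schema: yaml.DEFAULT_SAFE_SCHEMA })` with js-yaml 3.x.
function deserializeUntrusted(text, parse = JSON.parse, maxBytes = 64 * 1024) {
  if (typeof text !== "string") throw new TypeError("expected a string");
  // Bound the input before parsing so oversized payloads are dropped cheaply.
  if (Buffer.byteLength(text, "utf8") > maxBytes) throw new RangeError("input too large");
  const value = parse(text);
  assertPlainData(value);
  return value;
}

// Constructed stand-in for a deserializer left on an unsafe schema: it turns a
// marker in the input into a real function, much as an evaluated !!js/function
// tag would. It exists only to demonstrate that the guard rejects the result.
function unsafeParseForDemo(text) {
  const obj = JSON.parse(text);
  if (obj && obj.__fn) obj.run = () => "code ran";
  return obj;
}

// Assumed Express usage (not the page's handler):
// app.get("/load/:data", (req, res) => {
//   try { res.json(deserializeUntrusted(req.params.data)); }
//   catch (e) { res.status(400).send("rejected input"); }
// });

module.exports = { assertPlainData, deserializeUntrusted, unsafeParseForDemo };
```

The guard is an allowlist rather than a "no functions" denylist on purpose: unsafe YAML schemas can also yield RegExp or undefined values, and a downstream consumer that receives only JSON-shaped data has a much smaller surface to reason about.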
