|
| 1 | +<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd"> |
| 2 | +<qhelp> |
| 3 | + |
| 4 | +<overview> |
| 5 | +<p> |
| 6 | +Deserializing untrusted data using any deserialization framework that |
| 7 | +allows the construction of arbitrary serializable objects is easily exploitable |
| 8 | +and in many cases allows an attacker to execute arbitrary code. Even before a |
| 9 | +deserialized object is returned to the caller of a deserialization method a lot |
| 10 | +of code may have been executed, including static initializers, constructors, |
| 11 | +and finalizers. Automatic deserialization of fields means that an attacker may |
| 12 | +craft a nested combination of objects on which the executed initialization code |
| 13 | +may have unforeseen effects, such as the execution of arbitrary code. |
| 14 | +</p> |
| 15 | +<p> |
| 16 | +There are many different serialization frameworks. This query currently |
| 17 | +supports Pickle, Marshal and Yaml. |
| 18 | +</p> |
| 19 | +</overview> |
| 20 | + |
| 21 | +<recommendation> |
| 22 | +<p> |
| 23 | +Avoid deserialization of untrusted data if at all possible. If the |
| 24 | +architecture permits it then use other formats instead of serialized objects, |
| 25 | +for example JSON. |
| 26 | +</p> |
| 27 | +</recommendation> |
| 28 | + |
| 29 | +<example> |
| 30 | +<p> |
| 31 | +The following example calls <code>pickle.loads</code> directly on a |
| 32 | +value provided by an incoming HTTP request. Pickle then creates a new value from untrusted data, and is |
| 33 | +therefore inherently unsafe. |
| 34 | +</p> |
| 35 | +<sample src="UnpicklingBad.py" /> |
| 36 | + |
| 37 | +<p> |
| 38 | +Changing the code to use <code>json.loads</code> instead of <code>pickle.loads</code> removes the vulnerability. |
| 39 | +</p> |
| 40 | +<sample src="JsonGood.py" /> |
| 41 | + |
| 42 | +</example> |
| 43 | + |
| 44 | +<references> |
| 45 | + |
| 46 | +<li> |
| 47 | +OWASP vulnerability description: |
| 48 | +<a href="https://www.owasp.org/index.php/Deserialization_of_untrusted_data">Deserialization of untrusted data</a>. |
| 49 | +</li> |
| 50 | +<li> |
| 51 | +OWASP guidance on deserializing objects: |
| 52 | +<a href="https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html">Deserialization Cheat Sheet</a>. |
| 53 | +</li> |
| 54 | +<li> |
| 55 | +Talks by Chris Frohoff & Gabriel Lawrence: |
| 56 | +<a href="http://frohoff.github.io/appseccali-marshalling-pickles/"> |
| 57 | +AppSecCali 2015: Marshalling Pickles - how deserializing objects will ruin your day</a> |
| 58 | +</li> |
| 59 | +</references> |
| 60 | + |
| 61 | +</qhelp> |
0 commit comments