Maxi Contieri

Originally published at maximilianocontieri.com

Code Smell 215 - Deserializing Object Vulnerability

Metaprogramming is always a problem

TL;DR: Don't allow remote code execution

Problems

  • Security

Solutions

  1. Validate and sanitize input

  2. Avoid executing code: accept only data as input

  3. Apply sandboxing or isolation

Context

Deserializing objects from an untrusted source is indeed a security-sensitive operation.

Suppose you have a web application that accepts serialized objects as input from user-submitted data, such as in an API endpoint or a file upload feature.

The application deserializes these objects to reconstruct them into usable objects within the system.

If an attacker submits maliciously crafted serialized data, they can exploit weaknesses in the deserialization process.

By manipulating the serialized data, they might execute arbitrary code, escalate privileges, or perform unauthorized actions within the application or the underlying system.

This type of attack is commonly known as a "deserialization attack" or "serialization vulnerability."

Sample Code

Wrong

import pickle  # Python's serialization module

def process_serialized_data(serialized_data):
    try:
        obj = pickle.loads(serialized_data)
        # Deserialize the object: pickle imports and calls
        # whatever callable the payload names, before this
        # function gets a chance to inspect anything
        # Process the deserialized object
        # ...
        return obj
    except pickle.UnpicklingError as error:
        # Only malformed pickles end up here; a well-formed
        # malicious one has already run by this point
        print(f"Could not deserialize: {error}")
        return None

# User-submitted serialized data
user_data = b"\x80\x04\x95\x13\x00\x00\x00\x00\x00\x00\x00\x8c\x08os\nsystem\n\x8c\x06uptime\n\x86\x94."
# This code executes os.system("uptime")

process_serialized_data(user_data)


Right

import json

def process_serialized_data(serialized_data):
    try:
        obj = json.loads(serialized_data)
        # Deserialize the JSON object
        # Does not execute code: json only builds dicts, lists,
        # strings, numbers, booleans and None
        # ...
        return obj
    except json.JSONDecodeError as error:
        # Malformed input is rejected instead of being trusted
        print(f"Invalid JSON: {error}")
        return None

user_data = '{"key": "value"}'

process_serialized_data(user_data)

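The following is an added example, not code from the original post, that carries the three Solutions above into working code. It pairs the JSON approach with explicit input validation (solution 1 and 2), and shows the fallback for code that cannot drop pickle yet: a restricted unpickler that refuses every global lookup outside a small allowlist (solution 3). The field schema, the allowlist and the sample payloads are constructed for this example.

```python
import datetime
import io
import json
import pickle

# Constructed schema for this example: the only fields the endpoint accepts,
# and the exact type each one must have.
EXPECTED_FIELDS = {"key": str, "count": int}


def load_untrusted_json(raw):
    """Decode JSON text, then validate its shape against EXPECTED_FIELDS.

    json.loads can only build dicts, lists, strings, numbers, booleans and
    None; it never imports a module or calls a function.  Validation is still
    required so the rest of the program can trust the structure of the data.
    """
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError as error:
        raise ValueError(f"malformed JSON: {error}") from None
    if not isinstance(obj, dict):
        raise ValueError("top-level value must be an object")
    unknown = set(obj) - set(EXPECTED_FIELDS)
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    for name, expected_type in EXPECTED_FIELDS.items():
        if name not in obj:
            raise ValueError(f"missing field: {name}")
        # Exact type match: bool is a subclass of int, so isinstance() alone
        # would let true/false through where an integer is expected.
        if type(obj[name]) is not expected_type:
            raise ValueError(f"field {name!r} must be {expected_type.__name__}")
    return obj


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that rejects every global lookup outside SAFE_GLOBALS.

    pickle resolves GLOBAL / STACK_GLOBAL opcodes through find_class(); a
    payload that names os.system goes through exactly this hook, so refusing
    it here stops the callable from ever being imported.  Prefer a data-only
    format such as JSON; use this only where pickle cannot be removed yet.
    """

    # Constructed allowlist for this example; keep it as small as possible.
    SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data):
    """Drop-in replacement for pickle.loads() that uses the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(loader, payload):
    """Return True when loader refuses payload (used to exercise the checks)."""
    try:
        loader(payload)
    except (ValueError, pickle.UnpicklingError):
        return True
    return False


# Constructed sample payloads: one pure-data pickle and one that references
# a global (datetime.date) through the object's __reduce__ hook.
DATA_ONLY_PICKLE = pickle.dumps({"key": "value"})
OBJECT_PICKLE = pickle.dumps(datetime.date(2024, 1, 1))


if __name__ == "__main__":
    print(load_untrusted_json('{"key": "value", "count": 3}'))
    print(is_rejected(load_untrusted_json, '{"key": "value", "count": true}'))
    print(restricted_loads(DATA_ONLY_PICKLE))
    print(is_rejected(restricted_loads, OBJECT_PICKLE))
```

The restricted unpickler only blocks global lookups; it does not make pickle a safe format for untrusted input in general, which is why the JSON loader with a field allowlist is the primary path and the unpickler is a containment measure for legacy data.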

Detection

[X] Semi-Automatic

Several linters warn about deserialization points.

Tags

  • Security

Conclusion

Metaprogramming opens doors to abusers.

Relations

More Info

Sonar Source

Disclaimer

Code Smells are my opinion.

Credits

Photo by Towfiqu barbhuiya on Unsplash


Whenever possible, steal code.

Tom Duff


This article is part of the CodeSmell Series.
