JavaScript

Made by DeepSource

Found potentially unsafe deserialization JS-S1000

Security
Critical
a08 cwe-502 owasp top 10

Unsafe deserialization exposes an application to many attacks, such as denial of service, access-control bypass, and remote code execution (RCE). Applications and APIs are vulnerable if they deserialize hostile or tampered objects supplied by an attacker.

This can result in two primary types of attacks:

  • Object and data structure-related attacks where the attacker modifies application logic or achieves arbitrary remote code execution if there are classes available to the application that can change behavior during or after deserialization.
  • Typical data tampering attacks such as access-control-related attacks where existing data structures are used but the content is changed.

It is recommended to avoid deserialization altogether. Where that is not practical, do not accept serialized data from untrusted sources, or use serialization formats that only permit primitive data types (such as JSON).

As mentioned, not accepting serialized data from untrusted sources is the first line of defence against deserialization-based attacks. If that is not possible, consider one or more of the following:

  • Implement integrity checks, such as digital signatures or MACs, on any serialized objects to prevent hostile object creation or data tampering.
  • Enforce strict type constraints during deserialization, before object creation, since the code typically expects a definable set of classes. Bypasses of this technique have been demonstrated, so relying on it alone is not advisable.
  • Isolate and run code that deserializes in low-privilege environments when possible.
  • Log deserialization exceptions and failures, such as when the incoming type is not the expected type or deserialization throws.
  • Restrict or monitor incoming and outgoing network connectivity from containers or servers that deserialize.
  • Monitor deserialization and alert if a single user deserializes constantly.
  • Use the built-in JSON.parse() function when deserializing JSON strings.

This issue is raised when:

  1. the unserialize method of node-serialize is used
  2. the parse method of teleport-javascript is used

Bad Practice

const serialize = require('node-serialize')
// unserialize() can execute code embedded in its input, not just rebuild data
let content = serialize.unserialize(someObject)

const { parse } = require('teleport-javascript')
// parse() likewise reconstructs more than plain data from the string
const parsed = parse(stringified)

Recommended

const parsed = JSON.parse(stringified)
