CodeQL queries 1.25
Skip to end of metadata
Go to start of metadata

Name: Deserialization of untrusted data

Description: Calling an unsafe deserializer with data controlled by an attacker can lead to denial of service and other security problems.

ID: cs/unsafe-deserialization-untrusted-input

Kind: path-problem

Severity: error

Precision: high

Query: UnsafeDeserializationUntrustedInput.ql
/**
 * @name Deserialization of untrusted data
 * @description Calling an unsafe deserializer with data controlled by an attacker
 *              can lead to denial of service and other security problems.
 * @kind path-problem
 * @id cs/unsafe-deserialization-untrusted-input
 * @problem.severity error
 * @precision high
 * @tags security
 *       external/cwe/cwe-502
 */

import csharp
import semmle.code.csharp.security.dataflow.UnsafeDeserialization::UnsafeDeserialization
import DataFlow::PathGraph

from TaintTrackingConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ flows to unsafe deserializer.", source.getNode(),
  "User-provided data"

Deserializing an object from untrusted input may result in security problems, such as denial of service or remote code execution.

Recommendation

Avoid deserializing objects from an untrusted source, and if not possible, make sure to use a safe deserialization framework.

Example

In this example, text from an HTML text box is deserialized using a JavaScriptSerializer with a simple type resolver. Using a type resolver means that arbitrary code may be executed.

using System.Web.UI.WebControls;
using System.Web.Script.Serialization;

class Bad
{
    public static object Deserialize(TextBox textBox)
    {
        JavaScriptSerializer sr = new JavaScriptSerializer(new SimpleTypeResolver());
        // BAD
        return sr.DeserializeObject(textBox.Text);
    }
}

To fix this specific vulnerability, we avoid using a type resolver. In other cases, it may be necessary to use a different deserialization framework.

using System.Web.UI.WebControls;
using System.Web.Script.Serialization;

class Good
{
    public static object Deserialize(TextBox textBox)
    {
        JavaScriptSerializer sr = new JavaScriptSerializer();
        // GOOD
        return sr.DeserializeObject(textBox.Text);
    }
}

References