CodeQL queries 1.25

Name: Unsafe deserializer

Description: Calling an unsafe deserializer with data controlled by an attacker can lead to denial of service and other security problems.

ID: cs/unsafe-deserialization

Kind: problem

Severity: warning

Precision: low

Query: UnsafeDeserialization.ql
/**
 * @name Unsafe deserializer
 * @description Calling an unsafe deserializer with data controlled by an attacker
 *              can lead to denial of service and other security problems.
 * @kind problem
 * @id cs/unsafe-deserialization
 * @problem.severity warning
 * @precision low
 * @tags security
 *       external/cwe/cwe-502
 */

import csharp
import semmle.code.csharp.security.dataflow.UnsafeDeserialization::UnsafeDeserialization

from Call deserializeCall, Sink sink
where deserializeCall.getAnArgument() = sink.asExpr()
select deserializeCall,
  "Unsafe deserializer is used. Make sure the value being deserialized comes from a trusted source."

Deserializing an object from untrusted input may result in security problems, such as denial of service or remote code execution.

Recommendation

Avoid using an unsafe deserialization framework.

Example

In this example, a string is deserialized using a JavaScriptSerializer with a simple type resolver. Using a type resolver means that arbitrary code may be executed.

using System.Web.Script.Serialization;

class Bad
{
    public static object Deserialize(string s)
    {
        JavaScriptSerializer sr = new JavaScriptSerializer(new SimpleTypeResolver());
        // BAD
        return sr.DeserializeObject(s);
    }
}

To fix this specific vulnerability, we avoid using a type resolver. In other cases, it may be necessary to use a different deserialization framework.

using System.Web.Script.Serialization;

class Good
{
    public static object Deserialize(string s)
    {
        // GOOD
        JavaScriptSerializer sr = new JavaScriptSerializer();
        return sr.DeserializeObject(s);
    }
}
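Where a type hint is genuinely needed (polymorphic payloads), dropping the resolver is not always an option. A further mitigation is a JavaScriptTypeResolver that honours only an explicit allowlist of types and rejects every other type id, so an attacker-supplied "__type" cannot name an arbitrary class. The following is an added example, not code from the CodeQL query help or the CodeQL project; AllowListTypeResolver and Message are hypothetical names, the JSON inputs are constructed, and it assumes a .NET Framework project that references System.Web.Extensions.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Script.Serialization;

// Hypothetical allowlisting resolver: only type ids registered in the
// constructor are resolved; any other id is refused instead of being
// looked up by name the way SimpleTypeResolver would.
public sealed class AllowListTypeResolver : JavaScriptTypeResolver
{
    private readonly Dictionary<string, Type> byId = new Dictionary<string, Type>();
    private readonly Dictionary<Type, string> byType = new Dictionary<Type, string>();

    public AllowListTypeResolver(params Type[] allowed)
    {
        foreach (Type t in allowed)
        {
            byId[t.Name] = t;   // the id written into "__type" is the short type name
            byType[t] = t.Name;
        }
    }

    // Called by the serializer when the JSON carries a "__type" hint.
    public override Type ResolveType(string id)
    {
        Type t;
        if (byId.TryGetValue(id, out t))
            return t;
        throw new InvalidOperationException("Refusing to deserialize unregistered type id: " + id);
    }

    // Called during serialization to emit the "__type" hint for registered types.
    public override string ResolveTypeId(Type type)
    {
        string id;
        return byType.TryGetValue(type, out id) ? id : null;
    }
}

public class Message { public string Text { get; set; } }

public static class Demo
{
    public static void Main()
    {
        var sr = new JavaScriptSerializer(new AllowListTypeResolver(typeof(Message)));
        // Constructed input naming a registered type: deserialized as Message.
        object ok = sr.DeserializeObject("{\"__type\":\"Message\",\"Text\":\"hello\"}");
        Console.WriteLine(ok.GetType().Name);
        // Constructed input naming an unregistered type id: rejected by ResolveType.
        try { sr.DeserializeObject("{\"__type\":\"NotRegistered\",\"Text\":\"x\"}"); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```

The CodeQL query above still reports the call, since it flags every use of the deserializer sink regardless of resolver; treat the finding as a prompt to confirm the allowlist is in place and the input source is understood.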

References