Unsanitized user input in deserialization method

Description

Deserializing untrusted data exposes your application to security risks. This vulnerability occurs when data, especially from external sources such as request objects, is deserialized without proper sanitization. Attackers can embed malicious code or payloads in serialized data, and that content is executed or acted upon when your application deserializes it.

Remediations

  • Do not deserialize data from untrusted sources directly. Doing so can execute malicious code embedded in the data.
  • Use data-only, language-agnostic serialization formats such as JSON or XML when deserializing data. These formats reconstruct plain data rather than objects or code, so they are far less susceptible to manipulation by attackers targeting the deserialization process.
    JSON.parse(req.params.payload); // a route parameter is a string; "payload" is an illustrative name
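The following is an added example, not code from the Bearer rule page: it takes request input as a string, parses it as data-only JSON with a reviver that refuses prototype-polluting keys, and copies only the expected fields before the handler uses them. The size limit, the "order" shape and the route are assumptions for illustration.

```javascript
// Added example, not code from the Bearer rule page: accept request input as a
// string, parse it as data-only JSON, and copy only the expected fields.
// The size limit, field names and route are assumptions for illustration.
const MAX_INPUT_BYTES = 16 * 1024;
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// JSON.parse reviver: refuse keys that would pollute Object.prototype if the
// parsed object is later merged into another object.
function rejectDangerousKeys(key, value) {
  if (FORBIDDEN_KEYS.has(key)) {
    throw new SyntaxError(`forbidden key in input: ${key}`);
  }
  return value;
}

// Parse untrusted text. JSON.parse produces plain data only: no functions or
// class instances are reconstructed and nothing runs during parsing.
function parseUntrustedJson(text) {
  if (typeof text !== 'string') {
    throw new TypeError('serialized input must be a string');
  }
  if (Buffer.byteLength(text, 'utf8') > MAX_INPUT_BYTES) {
    throw new RangeError('serialized input exceeds size limit');
  }
  return JSON.parse(text, rejectDangerousKeys);
}

// Allowlist copy: only the fields the handler expects, with type checks, reach
// application logic (hypothetical "order" shape: id and tags).
function toOrderRequest(raw) {
  if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) {
    throw new TypeError('expected a JSON object');
  }
  if (!Number.isInteger(raw.id) || raw.id < 0) {
    throw new TypeError('id must be a non-negative integer');
  }
  if (!Array.isArray(raw.tags) || !raw.tags.every((t) => typeof t === 'string')) {
    throw new TypeError('tags must be an array of strings');
  }
  return { id: raw.id, tags: [...raw.tags] };
}

function handleOrder(serialized) {
  return toOrderRequest(parseUntrustedJson(serialized));
}

// Express wiring (assumed app object): a route parameter is always a string.
// app.post('/orders/:payload', (req, res) => res.json(handleOrder(req.params.payload)));

// Constructed sample input:
console.log(handleOrder('{"id": 7, "tags": ["rush", "gift"]}'));
```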

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_express_unsafe_deserialization

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_express_unsafe_deserialization