Unsanitized user input in deserialization method

Description

Deserializing untrusted data is risky. This vulnerability arises when data, especially data from external sources such as request objects, is passed to a deserialization method without proper sanitization. An attacker can embed a malicious payload in the serialized data, and the application runs or instantiates it when it deserializes the input.

Remediations

  • Do not deserialize data that comes directly from untrusted sources. This prevents attackers from injecting malicious payloads that could compromise your application.
  • Do opt for data-only and language-neutral serialization formats like JSON or XML for deserializing data. These formats are less susceptible to manipulation by attackers aiming to exploit the deserialization process.
    JSON.parse(req.params);

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_unsafe_deserialization

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=javascript_lang_unsafe_deserialization