ajinabraham.njsscan.eval.eval_deserialize.serializetojs_deserialize

Author: ajinabraham

This rule flags calls to deserialize() from the serialize-to-js package. That package reconstructs an object by evaluating the serialized string as JavaScript, so user-controlled data passed to deserialize() is not just parsed but executed: an attacker can embed code (for example an immediately invoked function expression inside an object literal) that runs during deserialization. The result is object injection or remote code execution (CWE-502). Do not deserialize untrusted input with an eval-based deserializer; parse it as data only (for example JSON.parse()) and validate the resulting shape before use.

Definition

rules:
  - id: serializetojs_deserialize
    patterns:
      - pattern-inside: |
          require('serialize-to-js')
          ...
      - pattern: |
          $X.deserialize(...)
    message: User controlled data in 'unserialize()' or 'deserialize()' function can
      result in Object Injection or Remote Code Injection.
    languages:
      - javascript
    severity: ERROR
    metadata:
      owasp-web: a8
      cwe: cwe-502
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other