ajinabraham.njsscan.eval_deserialize.node_deserialize

Author: ajinabraham
Downloads: 1,129
License: LGPL-3.0-or-later

User-controlled data passed to an 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.


Definition

rules:
  - id: node_deserialize
    patterns:
      - pattern-inside: |
          require('node-serialize')
          ...
      - pattern: |
          $X.unserialize(...)
    message: User controlled data in 'unserialize()' or 'deserialize()' function can
      result in Object Injection or Remote Code Injection.
    languages:
      - javascript
    severity: ERROR
    metadata:
      owasp-web: a8
      cwe: cwe-502
      license: LGPL-3.0-or-later
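The rule above fires on the call shape `$X.unserialize(...)` only in files that also contain `require('node-serialize')`; the `deserialize()` named in the message is not matched by this pattern. The following is an added example, not code from the njsscan rule page or from the node-serialize project: `deserializeSessionUnsafe` shows the flagged shape (defined but never invoked, so the module need not be installed), and `deserializeSessionSafe` is a JSON-based replacement that validates the decoded data against an expected shape. The session-cookie scenario, the field names `username` and `expires`, and the base64 encoding are assumptions made for the example.

```javascript
// Added example (not from the njsscan rule page or the node-serialize project).
// Assumed scenario: a session object carried in a base64-encoded cookie value.

// The shape the node_deserialize rule flags: a file that requires
// 'node-serialize' and calls `$X.unserialize(...)` on it. Defined here only
// to show the match; it is never called, so the package need not exist.
function deserializeSessionUnsafe(cookieValue) {
  const serialize = require('node-serialize'); // pattern-inside: require('node-serialize')
  const raw = Buffer.from(cookieValue, 'base64').toString('utf8');
  return serialize.unserialize(raw); // pattern: $X.unserialize(...)  <- flagged by the rule
}

// Hardened replacement: JSON.parse only ever produces plain data (it never
// reconstructs functions), and the result is checked against the exact
// field set the application expects before it is used.
const SESSION_SHAPE = {
  username: 'string', // assumed field
  expires: 'number',  // assumed field (unix seconds)
};

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

function deserializeSessionSafe(cookieValue) {
  let parsed;
  try {
    const raw = Buffer.from(cookieValue, 'base64').toString('utf8');
    parsed = JSON.parse(raw);
  } catch (err) {
    return null; // malformed input is rejected, never handed to a code-evaluating parser
  }
  if (!isPlainObject(parsed)) return null;
  // Reject unexpected keys as well as wrong types so the returned object
  // carries exactly the fields defined in SESSION_SHAPE.
  if (Object.keys(parsed).length !== Object.keys(SESSION_SHAPE).length) return null;
  for (const [key, type] of Object.entries(SESSION_SHAPE)) {
    if (typeof parsed[key] !== type) return null;
  }
  return { username: parsed.username, expires: parsed.expires };
}

// Builds a cookie value the way the application would (constructed sample input).
function encodeSession(session) {
  return Buffer.from(JSON.stringify(session), 'utf8').toString('base64');
}
```

Because the rule's `pattern-inside` anchors on the `require` call, moving to `JSON.parse` both removes the finding and removes the class of bug: an attacker-supplied cookie can still be malformed or mistyped, but it can no longer carry executable content through the parser.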