ajinabraham.njsscan.eval_deserialize.serializetojs_deserialize

rules:
  - id: serializetojs_deserialize
    patterns:
      - pattern-inside: |
          require('serialize-to-js')
          ...
      - pattern: |
          $X.deserialize(...)
    message: User controlled data in 'unserialize()' or 'deserialize()' function can
      result in Object Injection or Remote Code Injection.
    languages:
      - javascript
    severity: ERROR
    metadata:
      owasp-web: a8
      cwe: cwe-502
      license: LGPL-3.0-or-later