clojure.security.clojure-read-string.read-string-unsafe.read-string-unsafe
Author
unknown
The default core Clojure read-string method is dangerous and can lead to deserialization vulnerabilities. Use the edn/read-string instead.
Definition
rules:
  - id: read-string-unsafe
    metadata:
      author: Gabriel Marquet <gab.marquet@gmail.com>
      category: security
      confidence: LOW
      references:
        - http://www.learningclojure.com/2013/02/clojures-reader-is-unsafe.html#post-body-2898830171141471587
        - https://ericnormand.me/article/clojure-web-security
        - https://github.com/jafingerhut/jafingerhut.github.com/blob/master/clojure-info/using-edn-safely.md#vulnerabilities-in-clojurecores-read-and-read-string
      source-rule-url: https://github.com/clj-holmes/clj-holmes-rules/tree/main/security/clojure-read-string
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      likelihood: MEDIUM
      impact: HIGH
      subcategory:
        - audit
      cwe2022-top25: true
      cwe2021-top25: true
      cwe2020-top25: true
      technology:
        - clojure
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - "Insecure Deserialization "
    patterns:
      - pattern-not-inside: |
          (ns ...
            (... :exclude [read read-string]))
          ...
          (defn $VAR [$X]...)
      - pattern-inside: |
          (defn $VAR [$X]...)
      - pattern: |
          (read-string $X)
    message: The default core Clojure read-string method is dangerous and can lead
      to deserialization vulnerabilities. Use the edn/read-string instead.
    languages:
      - clojure
    severity: ERROR
Examples
read-string-unsafe.clj
(ns clojure-read-string-not-vulnerable
  (:refer-clojure :exclude [read read-string]))

;; This namespace excludes clojure.core/read-string and defines its own,
;; so the rule's pattern-not-inside clause suppresses the finding below.
(defn read-string [^"[B" v]
  (String. v))

(defn not-vulnerable [x]
  ;; ok: read-string-unsafe
  (read-string x))

(ns clojure-read-string
  (:require [clojure.edn :as edn]))

;; Calls the core reader on caller-supplied input: this is what the rule flags.
(defn vulnerable [x]
  ;; ruleid: read-string-unsafe
  (read-string x))

;; The EDN reader parses data only and never evaluates code.
(defn not-vulnerable [x]
  (edn/read-string x))
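The rule's fix is to replace clojure.core/read-string with clojure.edn/read-string. The following is an added example, not part of the rule's test file or the clj-holmes project; it shows how a defender would wrap edn/read-string for untrusted input so that, beyond never evaluating code, it also refuses tagged literals the application did not opt into and bounds the input size. The namespace, the size limit and the sample strings are constructed for this illustration.

```clojure
;; Added example: hardened parsing of untrusted text with clojure.edn.
;; Namespace name, size limit and inputs are constructed, not from the rule.
(ns untrusted-input.parse
  (:require [clojure.edn :as edn]))

;; Constructed upper bound; pick one that fits the expected payloads.
(def ^:private max-input-chars 4096)

(defn parse-untrusted-edn
  "Parse untrusted EDN text into plain data.
   - Oversized input is rejected before the reader runs.
   - :readers is empty, so only the built-in #inst and #uuid tags are honoured.
   - :default rejects every other tagged literal instead of trying to construct it."
  [^String s]
  (when (> (count s) max-input-chars)
    (throw (ex-info "input too large" {:size (count s)})))
  (edn/read-string {:readers {}
                    :default (fn [tag _value]
                               (throw (ex-info "tagged literal not allowed"
                                               {:tag tag})))}
                   s))

;; Legitimate data comes back as an ordinary Clojure map.
(parse-untrusted-edn "{:user \"alice\" :roles [:admin]}")

;; A read-eval form, which clojure.core/read-string would execute when
;; *read-eval* is true, is rejected by the EDN reader: `#=` is not an EDN
;; dispatch macro, so it is treated as an unknown tag and hits :default.
(try
  (parse-untrusted-edn "#=(+ 1 2)")
  (catch Exception e
    (ex-message e)))

;; The same applies to any constructor-style tag the application never registered.
(try
  (parse-untrusted-edn "#my.app/Thing {:x 1}")
  (catch Exception e
    (ex-message e)))
```

Binding `*read-eval*` to false around core `read-string` is not an equivalent fix: the core reader still honours other reader macros and data readers that the EDN reader does not, which is why the rule and its references point at `edn/read-string` rather than at a binding.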
Short Link: https://sg.run/NPop