contrib.nodejsscan.eval_deserialize.node_deserialize


Untrusted (user-controlled) data passed to `unserialize()` or `deserialize()` can result in object injection or remote code execution.


Definition

rules:
  - id: node_deserialize
    # Scope: the rule only fires in files that require('node-serialize')
    # (pattern-inside). Within such a file every `.unserialize(...)` call is
    # reported, whatever the receiver ($X is unconstrained), so a method of the
    # same name on an unrelated object will also match.
    # The message also mentions deserialize(), but this pattern matches
    # unserialize() only; serialize-to-js's deserialize() is handled by a
    # separate rule (see the serializetojs_deserialize markers in the example).
    patterns:
      - pattern-inside: |
          require('node-serialize');
          ...
      - pattern: |
          $X.unserialize(...)
    # No taint tracking: the argument's origin is not checked, so calls on
    # server-generated input are flagged too and need manual triage.
    message: User controlled data in 'unserialize()' or 'deserialize()' function can
      result in Object Injection or Remote Code Injection.
    languages:
      - javascript
    severity: ERROR
    metadata:
      owasp: A08:2017 - Insecure Deserialization
      cwe: "CWE-502: Deserialization of Untrusted Data"
      category: security
      technology:
        - node.js
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

eval_deserialize.js

var express = require('express');
var cookieParser = require('cookie-parser');
var escape = require('escape-html');
var serialize = require('node-serialize');
const serialize2 = require('serialize-to-js')


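// Express app used as the Semgrep test fixture for this rule. The `// ruleid:`
// markers name the rule each following line must be flagged by, so those calls
// are kept exactly as they are; only the surrounding code is tidied up.
const app = express();
// cookieParser() is mounted without a secret, so nothing is signed:
// `req.cookies.profile` below is whatever the client chose to send.
app.use(cookieParser());

app.get('/', function (req, res) {
    if (req.cookies.profile) {
        // Buffer.from replaces the deprecated `new Buffer(string, encoding)`
        // constructor; for a string argument the two are equivalent.
        const str = Buffer.from(req.cookies.profile, 'base64').toString();
        // The decoded, attacker-controllable cookie goes straight into
        // unserialize() — the sink this rule reports (object injection / RCE
        // per the rule message). No validation of the payload is attempted here
        // on purpose: the fixture has to stay vulnerable.
        // ruleid:node_deserialize
        const obj = serialize.unserialize(str);
        // ruleid:serializetojs_deserialize
        serialize2.deserialize(str);
        if (obj.username) {
            // escape() only mitigates reflected XSS in the greeting; it does
            // nothing about the deserialization above.
            // Return here: the original fell through to the res.send() at the
            // end of the handler, sending a second response on the same
            // request, which Node rejects because headers were already sent.
            return res.send("Hello " + escape(obj.username));
        }
    } else {
        // Default profile cookie: base64 of
        // {"username":"ajin","country":"india","city":"bangalore"}.
        res.cookie('profile', "eyJ1c2VybmFtZSI6ImFqaW4iLCJjb3VudHJ5IjoiaW5kaWEiLCJjaXR5IjoiYmFuZ2Fsb3JlIn0=", {
            maxAge: 900000,
            httpOnly: true
        });
    }
    res.send("Hello World");
});
app.listen(3000);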
// Module-level fixture for the serialize-to-js rule. `str` is only declared
// with `var` inside the route handler above, so it is not in scope here and
// this line throws a ReferenceError if the file is actually executed;
// presumably it exists only to give that rule's pattern a top-level call to
// match, not to run.
// ruleid:serializetojs_deserialize
require('serialize-to-js').deserialize(str);