contrib.nodejsscan.eval_yaml_deserialize.yaml_deserialize

User controlled data in 'yaml.load()' function can result in Remote Code Injection.
Definition
rules:
- id: yaml_deserialize
  patterns:
  - pattern-inside: |
      require('js-yaml');
      ...
  - pattern: |
      $X.load(...)
  message: User controlled data in 'yaml.load()' function can result in Remote Code Injection.
  languages:
  - javascript
  severity: ERROR
  metadata:
    owasp: A08:2017 - Insecure Deserialization
    cwe: "CWE-502: Deserialization of Untrusted Data"
    category: security
    technology:
    - node.js
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Examples
eval_yaml_deserialize.js
var untrusted_code = '"toString": !<tag:yaml.org,2002:js/function> "function (){very_evil_thing();}"';
var notneeded = 1;
// I'm just converting that string, what could possibly go wrong?
// ruleid:yaml_deserialize
require('js-yaml').load(untrusted_code) + ''
var yaml = require('js-yaml')
const yaml2 = require('js-yaml')
// ruleid:yaml_deserialize
yaml.load(untrusted_code)
// ruleid:yaml_deserialize
yaml2.load(untrusted_code)
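To show how the two patterns in the rule combine on the fixture above, here is an added example (my own code, not the nodejsscan rule's or Semgrep's): a line-based approximation of the rule plus a check of Semgrep's `// ruleid:` test convention, run over the fixture. The function names `findYamlLoadCalls` and `checkRuleidAnnotations` are my own, and the scanner is deliberately narrower than real AST matching.

```javascript
// Added example (not the nodejsscan rule's or Semgrep's own code): a line-based
// approximation of the rule. `pattern-inside` needs require('js-yaml') earlier in
// the file; `$X.load(...)` then matches the call. Semgrep matches the AST; this is
// narrower: a receiver is flagged only if it is the require() call or a binding to it.
const REQUIRE_JS_YAML = /require\(\s*['"]js-yaml['"]\s*\)/;
const ALIAS_DECL = /\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*require\(\s*['"]js-yaml['"]\s*\)/;
const DIRECT_LOAD = /require\(\s*['"]js-yaml['"]\s*\)\s*\.load\s*\(/;

function findYamlLoadCalls(source) {
  const findings = [];
  let seenRequire = false;   // models pattern-inside
  const aliases = new Set(); // names bound to the js-yaml module ($X)
  source.split('\n').forEach((line, i) => {
    const code = line.replace(/\/\/.*$/, ''); // ignore line comments
    if (REQUIRE_JS_YAML.test(code)) seenRequire = true;
    const decl = ALIAS_DECL.exec(code);
    if (decl) aliases.add(decl[1]);
    if (!seenRequire) return;
    const aliased = [...aliases].some((a) =>
      new RegExp('(^|[^\\w$])' + a.replace(/\$/g, '\\$') + '\\s*\\.load\\s*\\(').test(code));
    if (DIRECT_LOAD.test(code) || aliased) findings.push({ line: i + 1, text: line.trim() });
  });
  return findings;
}

// Semgrep's test convention: each `// ruleid:<id>` comment marks the next line as
// one that must be flagged. True when findings and annotations match exactly.
function checkRuleidAnnotations(source, ruleId, findings) {
  const expected = [];
  source.split('\n').forEach((l, i) => {
    if (l.trim() === '// ruleid:' + ruleId) expected.push(i + 2);
  });
  const got = findings.map((f) => f.line);
  return expected.length === got.length && expected.every((n, k) => n === got[k]);
}
// Constructed sample: the page's eval_yaml_deserialize.js fixture, verbatim.
const SAMPLE = `var untrusted_code = '"toString": !<tag:yaml.org,2002:js/function> "function (){very_evil_thing();}"';
var notneeded = 1;
// I'm just converting that string, what could possibly go wrong?
// ruleid:yaml_deserialize
require('js-yaml').load(untrusted_code) + ''
var yaml = require('js-yaml')
const yaml2 = require('js-yaml')
// ruleid:yaml_deserialize
yaml.load(untrusted_code)
// ruleid:yaml_deserialize
yaml2.load(untrusted_code)`;

console.log(findYamlLoadCalls(SAMPLE).map((f) => f.line)); // [5, 9, 11]
console.log(checkRuleidAnnotations(SAMPLE, 'yaml_deserialize', findYamlLoadCalls(SAMPLE))); // true
```

The fixture's `!<tag:yaml.org,2002:js/function>` tag is only honoured by loaders that accept JavaScript-typed tags, which is js-yaml 3.x `load()` (its safe counterpart there is `safeLoad()`); js-yaml 4 removed `safeLoad()` and made `load()` safe by default, so on 4.x code this rule reports a call that is no longer exploitable by that tag.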
Short Link: https://sg.run/W8Pj