csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization
Author: semgrep
Downloads: 5,563
$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe
Definition
rules:
  - id: insecure-fastjson-deserialization
    severity: WARNING
    languages:
      - C#
    metadata:
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      references:
        - https://github.com/mgholam/fastJSON#security-warning-update
      category: security
      technology:
        - .net
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - "Insecure Deserialization "
    message: $type extension has the potential to be unsafe, so use it with common
      sense and known json sources and not public facing ones to be safe
    patterns:
      - pattern-inside: |
          using fastJSON;
          ...
      - pattern: |
          new JSONParameters
          {
            BadListTypeChecking = false
          }
Examples
fast-json.cs
using System;
using fastJSON;

namespace InsecureDeserialization
{
    public class InsecureFastJSONDeserialization
    {
        public void FastJSONDeserialization(string json)
        {
            try
            {
                // Disabling BadListTypeChecking removes fastJSON's guard on the
                // types that a $type hint in untrusted JSON can name.
                // ruleid: insecure-fastjson-deserialization
                var obj = JSON.ToObject(json, new JSONParameters { BadListTypeChecking = false });
            }
            catch (Exception e)
            {
                Console.WriteLine(e);
            }
        }
    }
}
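A second test file, added here as an example and not part of the rule's own test suite, that shows which fastJSON call sites the rule above matches and which it misses. It assumes the fastJSON NuGet package is referenced; the `Order` class, the `FastJsonRuleCoverage` class and the sample JSON are constructed for illustration. The `ruleid:` / `ok:` / `todoruleid:` comments follow Semgrep's test-annotation convention, with `todoruleid:` marking a line that should be flagged but is not.

```csharp
// Added example, not the rule's own test file: shows what the
// insecure-fastjson-deserialization rule does and does not match.
// Assumes the fastJSON NuGet package is referenced; Order, FastJsonRuleCoverage
// and SampleJson are constructed for this example.
using System;
using System.Collections.Generic;
using fastJSON;

namespace InsecureDeserialization
{
    // Constructed target type for the typed deserialization case.
    public class Order
    {
        public int Id { get; set; }
        public List<string> Items { get; set; }
    }

    public class FastJsonRuleCoverage
    {
        // Constructed sample input; it carries no $type / $types hints.
        private const string SampleJson = "{\"Id\":42,\"Items\":[\"widget\"]}";

        // The rule's pattern: a JSONParameters object initializer that sets
        // BadListTypeChecking = false.
        public object DisabledViaInitializer(string json)
        {
            // ruleid: insecure-fastjson-deserialization
            return JSON.ToObject(json, new JSONParameters { BadListTypeChecking = false });
        }

        // Same call with the value the rule treats as safe.
        public object ExplicitTrue(string json)
        {
            // ok: insecure-fastjson-deserialization
            return JSON.ToObject(json, new JSONParameters { BadListTypeChecking = true });
        }

        // No JSONParameters is constructed at all, so nothing for the pattern to match.
        public Order TypedTarget(string json)
        {
            // ok: insecure-fastjson-deserialization
            return JSON.ToObject<Order>(json);
        }

        // False negative: the flag is cleared by a field assignment after
        // construction, which the object-initializer pattern does not cover.
        public object DisabledViaAssignment(string json)
        {
            var p = new JSONParameters();
            // todoruleid: insecure-fastjson-deserialization
            p.BadListTypeChecking = false;
            return JSON.ToObject(json, p);
        }

        // False negative: clearing the flag on the library-wide default instance
        // (JSON.Parameters) affects every call that does not pass its own
        // parameters, and again no object initializer is involved.
        public object DisabledGlobally(string json)
        {
            // todoruleid: insecure-fastjson-deserialization
            JSON.Parameters.BadListTypeChecking = false;
            return JSON.ToObject(json);
        }

        public static void Main()
        {
            var order = new FastJsonRuleCoverage().TypedTarget(SampleJson);
            Console.WriteLine($"Order {order.Id} with {order.Items.Count} item(s)");
        }
    }
}
```

Scanning a project with `semgrep --config "r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization" .` reports only the `ruleid:` line. Because the rule's `pattern-inside` requires a `using fastJSON;` directive, files that reference `fastJSON.JSON` by its fully qualified name are also skipped. When auditing, grep for every write to `BadListTypeChecking` rather than relying on the initializer pattern alone, and treat the `todoruleid:` forms as candidates for an additional pattern in a local copy of the rule.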
Short Link: https://sg.run/nqnd