csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization

Author: semgrep
Download count: 5,563

The $type extension has the potential to be unsafe, so use it with common sense and only with known JSON sources, not public-facing ones, to be safe.


Definition

rules:
  - id: insecure-fastjson-deserialization
    severity: WARNING
    languages:
      - C#
    metadata:
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      references:
        - https://github.com/mgholam/fastJSON#security-warning-update
      category: security
      technology:
        - .net
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - "Insecure Deserialization"
    message: $type extension has the potential to be unsafe, so use it with common
      sense and known json sources and not public facing ones to be safe
    patterns:
      - pattern-inside: |
          using fastJSON;
          ...
      - pattern: |
          new JSONParameters
          {
            BadListTypeChecking = false
          }

Examples

fast-json.cs

using System;
using fastJSON;

namespace InsecureDeserialization
{
    public class InsecureFastJSONDeserialization
    {
        public void FastJSONDeserialization(string json)
        {
            try
            {
                // ruleid: insecure-fastjson-deserialization
                var obj = JSON.ToObject(json, new JSONParameters { BadListTypeChecking = false });
            }
            catch (Exception e)
            {
                Console.WriteLine(e);
            }
        }
    }
}
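The snippet above shows the pattern the rule flags: BadListTypeChecking = false turns off fastJSON's black-list type check, so a $type hint in attacker-controlled JSON selects the type that gets instantiated. The following is an added example (not code from the Semgrep page or from the fastJSON project) of the hardened form: the black-list check stays enabled, the target type is fixed by the caller, and input that carries $type or $types hints is refused before the typed parse. It assumes fastJSON's JSON.Parse returns a plain Dictionary<string, object> / List<object> graph and that JSON.ToObject<T>(string, JSONParameters) exists with that signature.

```csharp
using System;
using System.Collections.Generic;
using fastJSON;

namespace SafeDeserialization
{
    // Concrete target type; the caller, not the JSON document, decides what is built.
    public class Config
    {
        public string Name { get; set; }
        public int Retries { get; set; }
    }

    public static class SafeFastJson
    {
        // Assumed fastJSON behaviour: JSON.Parse builds an untyped object graph
        // (Dictionary<string, object> for objects, List<object> for arrays)
        // without instantiating any $type targets, so it is safe to inspect.
        static bool ContainsTypeHint(object node)
        {
            if (node is Dictionary<string, object> dict)
            {
                foreach (var kv in dict)
                {
                    if (kv.Key == "$type" || kv.Key == "$types") return true;
                    if (ContainsTypeHint(kv.Value)) return true;
                }
            }
            else if (node is List<object> list)
            {
                foreach (var item in list)
                    if (ContainsTypeHint(item)) return true;
            }
            return false;
        }

        public static T Deserialize<T>(string json)
        {
            // Defence in depth: untrusted input must not carry polymorphic type hints at all.
            if (ContainsTypeHint(JSON.Parse(json)))
                throw new InvalidOperationException("rejected: JSON carries $type hints");

            // Hardened form: BadListTypeChecking is left on (its default), never set to false,
            // so the rule's pattern does not appear and the black list is still enforced.
            var parameters = new JSONParameters { BadListTypeChecking = true };
            return JSON.ToObject<T>(json, parameters);
        }
    }
}
```

Calling SafeFastJson.Deserialize<Config>(json) on a document such as {"Name":"svc","Retries":3} returns a Config, while the same document with a "$type" member is rejected before any type is resolved.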