csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization
Author: semgrep
Download Count*: 5,563
License: Commons Clause License Condition v1.0[LGPL-2.1-only]
FsPickler is dangerous and is not recommended for data processing. Its default configuration tends to introduce insecure deserialization vulnerabilities.
Definition
rules:
  - id: insecure-fspickler-deserialization
    severity: WARNING
    languages:
      - C#
    metadata:
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      references:
        - https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution
      category: security
      technology:
        - .net
      confidence: MEDIUM
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - "Insecure Deserialization "
    message: The FsPickler is dangerous and is not recommended for data processing.
      Default configuration tend to insecure deserialization vulnerability.
    patterns:
      - pattern-inside: |
          using MBrace.FsPickler.Json;
          ...
      - pattern: |
          FsPickler.CreateJsonSerializer();
Examples
fs-pickler.cs
using System;
using System.IO;
using MBrace.FsPickler.Json;

namespace InsecureDeserialization
{
    public class InsecureFsPicklerDeserialization
    {
        // Decodes base64 input and hands it to a default-configured FsPickler
        // JSON serializer, bound to object: the payload, not the code, decides
        // which type gets instantiated.
        public void FsPicklerDeserialization(string json)
        {
            try
            {
                // ruleid: insecure-fspickler-deserialization
                var fsPickler = FsPickler.CreateJsonSerializer();
                MemoryStream memoryStream = new MemoryStream(Convert.FromBase64String(json));
                fsPickler.Deserialize<object>(memoryStream);
            }
            catch (Exception e)
            {
                Console.WriteLine(e);
            }
        }
    }
}
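As an added example (not part of this rule page or of the FsPickler project), the same round trip hardened along the lines of the tutorial section the rule references: the serializer is created with subtype resolution and assembly loading switched off, and the payload is bound to a concrete DTO instead of object. The property names DisableSubtypeResolution and DisableAssemblyLoading are taken from that tutorial and assumed here, and the Order DTO is constructed for the example.

```csharp
using System;
using System.IO;
using MBrace.FsPickler.Json;

namespace HardenedDeserialization
{
    // Constructed DTO for the example: the only shape this endpoint accepts.
    [Serializable]
    public sealed class Order
    {
        public int Id { get; set; }
        public string Sku { get; set; }
        public int Quantity { get; set; }
    }

    public static class FsPicklerHardened
    {
        private static JsonSerializer CreateSerializer()
        {
            var serializer = FsPickler.CreateJsonSerializer();
            // Assumed property names (from the tutorial linked in the rule metadata):
            // reject payloads that name a runtime subtype of the declared type ...
            serializer.DisableSubtypeResolution = true;
            // ... and never load an assembly named by the payload.
            serializer.DisableAssemblyLoading = true;
            return serializer;
        }

        public static string Serialize(Order order)
        {
            using (var ms = new MemoryStream())
            {
                CreateSerializer().Serialize(ms, order);
                return Convert.ToBase64String(ms.ToArray());
            }
        }

        // Bind to the concrete type: the payload can no longer choose what is instantiated.
        public static Order Deserialize(string base64Json)
        {
            using (var ms = new MemoryStream(Convert.FromBase64String(base64Json)))
            {
                return CreateSerializer().Deserialize<Order>(ms);
            }
        }
    }
}
```

Note that the rule as written still flags this CreateJsonSerializer() call, because its pattern matches the call regardless of how the serializer is configured afterwards; treat the finding as a prompt to verify the two switches and the typed Deserialize.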
Short Link: https://sg.run/E5e5