csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization

Author: returntocorp
Download count: 5,563

FsPickler is dangerous and is not recommended for processing untrusted data: with its default configuration, deserialization resolves subtypes named in the payload, which leads to an insecure deserialization vulnerability.


Definition

rules:
  - id: insecure-fspickler-deserialization
    severity: WARNING
    languages:
      - C#
    metadata:
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      references:
        - https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution
      category: security
      technology:
        - .net
      confidence: MEDIUM
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    message: The FsPickler is dangerous and is not recommended for data processing.
      Default configuration tend to insecure deserialization vulnerability.
    patterns:
      - pattern-inside: |
          using MBrace.FsPickler.Json;
          ...
      - pattern: |
          FsPickler.CreateJsonSerializer();

Examples

fs-pickler.cs

using System;
using System.IO;
using MBrace.FsPickler.Json;

namespace InsecureDeserialization
{
    public class InsecureFsPicklerDeserialization
    {
        public void FsPicklerDeserialization(string json)
        {
            try
            {
                // ruleid: insecure-fspickler-deserialization
                var fsPickler = FsPickler.CreateJsonSerializer();
                MemoryStream memoryStream = new MemoryStream(Convert.FromBase64String(json));
                // Deserializing to object with default settings lets the
                // payload pick the concrete type that gets instantiated.
                fsPickler.Deserialize<object>(memoryStream);
            }
            catch (Exception e)
            {
                Console.WriteLine(e);
            }
        }
    }
}
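As an added example (not part of this rule or its test file), the same call with the mitigation from the FsPickler tutorial linked in the references: deserialize to a concrete type and turn off subtype resolution and assembly loading. The `Order` DTO is an assumption for illustration; the `DisableSubtypeResolution` and `DisableAssemblyLoading` serializer properties are the ones the referenced tutorial section describes.

```csharp
using System;
using System.IO;
using MBrace.FsPickler.Json;

namespace InsecureDeserialization
{
    // Assumed DTO: the only shape we expect to receive from the wire.
    public sealed class Order
    {
        public int Id { get; set; }
        public string Sku { get; set; }
    }

    public static class HardenedFsPickler
    {
        public static Order DeserializeOrder(byte[] payload)
        {
            // This call still matches the rule's pattern, so the finding
            // must be reviewed (or suppressed) rather than silently ignored.
            var serializer = FsPickler.CreateJsonSerializer();

            // Refuse payloads that name a type other than the declared one
            // (property names per the FsPickler tutorial section referenced above).
            serializer.DisableSubtypeResolution = true;
            // Never let a payload trigger loading of an assembly by name.
            serializer.DisableAssemblyLoading = true;

            using (var stream = new MemoryStream(payload))
            {
                // Typed target instead of object: the caller, not the input,
                // decides which class is instantiated.
                return serializer.Deserialize<Order>(stream);
            }
        }
    }
}
```

Because the rule keys on `FsPickler.CreateJsonSerializer()` alone, this hardened version is still reported; the hardening has to be confirmed in review, and the pattern also does not match a fully qualified `MBrace.FsPickler.Json.FsPickler.CreateJsonSerializer()` call or the binary/XML serializer factories.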