gitlab.security_code_scan.SCS0028-1

unknown
Download Count*
MIT
License

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: security_code_scan.SCS0028-1
    patterns:
      - pattern-not: $OBJ.Deserialize("...")
      - pattern-not: $OBJ.UnsafeDeserialize("...")
      - pattern-not: $OBJ.UnsafeDeserializeMethodResponse("...")
      - pattern-not: $OBJ.ReadObject("...")
      - pattern-not: $OBJ.DeserializeFromString("...")
      - pattern-not: $OBJ.DeserializeFromReader("...")
      - pattern-not: $OBJ.DeserializeFromStream("...")
      - pattern-not: $OBJ.DeserializeRequest("...")
      - pattern-not: $OBJ.ToObject("...")
      - pattern-not: $OBJ.DeserializeResponse("...")
      - pattern-not: new System.Runtime.Serialization.DataContractSerializer("...")
      - pattern-not: new System.Runtime.Serialization.Json.DataContractJsonSerializer("...")
      - pattern-not: new System.Xml.Serialization.XmlSerializer("...")
      - pattern-not: new System.Resources.ResourceReader("...")
      - pattern-not: (System.Messaging.XmlMessageFormatter $E).Read("...")
      - pattern-not: (System.Messaging.BinaryMessageFormatter $E).Read("...")
      - pattern-either:
          - pattern: $OBJ.Deserialize(...)
          - pattern: $OBJ.UnsafeDeserialize(...)
          - pattern: $OBJ.UnsafeDeserializeMethodResponse(...)
          - pattern: $OBJ.ReadObject(...)
          - pattern: $OBJ.DeserializeFromString(...)
          - pattern: $OBJ.DeserializeFromReader(...)
          - pattern: $OBJ.DeserializeFromStream(...)
          - pattern: $OBJ.DeserializeRequest(...)
          - pattern: $OBJ.ToObject(...)
          - pattern: $OBJ.DeserializeResponse(...)
          - pattern: new System.Runtime.Serialization.DataContractSerializer(...)
          - pattern: new System.Runtime.Serialization.Json.DataContractJsonSerializer(...)
          - pattern: new System.Xml.Serialization.XmlSerializer(...)
          - pattern: new System.Resources.ResourceReader(...)
          - pattern: (System.Messaging.XmlMessageFormatter $E).Read(...)
          - pattern: (System.Messaging.BinaryMessageFormatter $E).Read(...)
    languages:
      - csharp
    message: >
      The application deserializes untrusted data without sufficiently verifying
      that

      the resulting data will be valid.
    metadata:
      category: security
      cwe: "CWE-502: Deserialization of Untrusted Data"
      license: MIT
    severity: WARNING