java.lang.security.audit.object-deserialization.object-deserialization

Community Favorite
Author: semgrep
Download count: 73,396

Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. If this must be done, consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object.

Definition

rules:
  - id: object-deserialization
    metadata:
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#OBJECT_DESERIALIZATION
      references:
        - https://www.owasp.org/index.php/Deserialization_of_untrusted_data
        - https://www.oracle.com/java/technologies/javase/seccodeguide.html#8
      category: security
      technology:
        - java
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - "Insecure Deserialization "
    message: Found object deserialization using ObjectInputStream. Deserializing
      entire Java objects is dangerous because malicious actors can create Java
      object streams with unintended consequences. Ensure that the objects being
      deserialized are not user-controlled. If this must be done, consider using
      HMACs to sign the data stream to make sure it is not tampered with, or
      consider only transmitting object fields and populating a new object.
    severity: WARNING
    languages:
      - java
    pattern: new ObjectInputStream(...);

Examples

object-deserialization.java

package deserialize;

import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;

import com.biz.org.UserData;

public class Cls
{
    // Both methods hand an untrusted stream straight to ObjectInputStream; the rule
    // matches the constructor call regardless of how the stream is managed afterwards.
    public UserData deserializeObject(InputStream receivedFile) throws IOException, ClassNotFoundException {
        // ruleid:object-deserialization
        ObjectInputStream in = new ObjectInputStream(receivedFile);
        return (UserData) in.readObject();
    }

    // Same pattern with try-with-resources (renamed so the two overloads do not collide).
    public UserData deserializeObjectWithResources(InputStream receivedFile) throws IOException, ClassNotFoundException {
        // ruleid:object-deserialization
        try (ObjectInputStream in = new ObjectInputStream(receivedFile)) {
            return (UserData) in.readObject();
        } catch (IOException e) {
            throw e;
        }
    }
}
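The rule message suggests signing the stream with an HMAC when deserialization of received bytes cannot be avoided. The following is an added example (not part of the Semgrep rule, its test file, or the Find Security Bugs project it references) of a hardened counterpart to the flagged methods: it verifies an HMAC over the raw bytes before an ObjectInputStream is ever constructed, and then reads with a JEP 290 deserialization filter (Java 9+) that allowlists only the expected class. The UserData class below is a stand-in for the example's com.biz.org.UserData, the key is a constructed demo value, and the filter pattern and class names are assumptions for this demonstration.

```java
package deserialize;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Stand-in for com.biz.org.UserData from the rule's example (assumption: a small Serializable DTO).
class UserData implements Serializable {
    private static final long serialVersionUID = 1L;
    final String name;
    UserData(String name) { this.name = name; }
}

public class SafeDeserialization {
    private static final String HMAC_ALG = "HmacSHA256";
    private static final int TAG_LEN = 32; // HmacSHA256 output length in bytes

    // JEP 290 deserialization filter (Java 9+): allow only the DTO and String, reject every other
    // class ("!*"), and bound graph depth and reference count so a hostile stream cannot blow the stack.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "deserialize.UserData;java.lang.String;!*;maxdepth=5;maxrefs=100");

    /** Trusted sender side: append HMAC(key, payload) to the serialized bytes. */
    public static byte[] sign(byte[] key, byte[] payload) throws GeneralSecurityException {
        Mac mac = Mac.getInstance(HMAC_ALG);
        mac.init(new SecretKeySpec(key, HMAC_ALG));
        byte[] tag = mac.doFinal(payload);
        byte[] out = Arrays.copyOf(payload, payload.length + TAG_LEN);
        System.arraycopy(tag, 0, out, payload.length, TAG_LEN);
        return out;
    }

    /** Receiver side: check the tag in constant time BEFORE any ObjectInputStream sees the bytes. */
    public static byte[] verify(byte[] key, byte[] signed) throws GeneralSecurityException {
        if (signed.length < TAG_LEN) throw new SecurityException("message too short");
        byte[] payload = Arrays.copyOfRange(signed, 0, signed.length - TAG_LEN);
        byte[] tag = Arrays.copyOfRange(signed, signed.length - TAG_LEN, signed.length);
        Mac mac = Mac.getInstance(HMAC_ALG);
        mac.init(new SecretKeySpec(key, HMAC_ALG));
        if (!MessageDigest.isEqual(mac.doFinal(payload), tag)) throw new SecurityException("HMAC mismatch");
        return payload;
    }

    /** Hardened counterpart of Cls.deserializeObject: integrity check first, then an allowlisted read. */
    public static UserData deserializeObject(byte[] key, byte[] signed)
            throws IOException, ClassNotFoundException, GeneralSecurityException {
        byte[] payload = verify(key, signed);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(FILTER); // must be set before the first readObject()
            return (UserData) in.readObject();
        }
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key; a real deployment loads it from a secret store shared with the sender.
        byte[] key = "demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);

        byte[] signed = sign(key, serialize(new UserData("alice")));
        System.out.println("ok: " + deserializeObject(key, signed).name);

        // Flipping one payload byte (here inside the stream header) invalidates the tag.
        byte[] tampered = signed.clone();
        tampered[0] ^= 0x01;
        try { deserializeObject(key, tampered); }
        catch (SecurityException e) { System.out.println("rejected by HMAC: " + e.getMessage()); }

        // A correctly signed stream carrying a class outside the allowlist is still rejected by the
        // filter, so the allowlist holds even if the signing key is ever compromised.
        byte[] otherClass = sign(key, serialize(new ArrayList<String>()));
        try { deserializeObject(key, otherClass); }
        catch (InvalidClassException e) { System.out.println("rejected by filter: " + e.getMessage()); }
    }
}
```

Compile and run with `javac -d out SafeDeserialization.java && java -cp out deserialize.SafeDeserialization`. The HMAC and the filter address different risks: the HMAC stops bytes the trusted sender never produced, while the filter limits what any stream, signed or not, may instantiate. The message's other option, transmitting only the object's fields (for example as JSON) and constructing a fresh UserData from them, avoids ObjectInputStream entirely and is preferable when the wire format can be changed.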