mobsf.mobsfscan.deserialization.jackson_deserialization.jackson_deserialization

MobSF

Author

unknown

Download Count*

License

The app uses jackson deserialization library. Deserialization of untrusted input can result in arbitrary code execution. Consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: jackson_deserialization
    patterns:
      - pattern-either:
          - pattern: |
              import com.fasterxml.jackson.databind.ObjectMapper;
              ...
              $Z.enableDefaultTyping();
    message: The app uses jackson deserialization library. Deserialization of
      untrusted input can result in arbitrary code execution. Consider using
      HMACs to sign the data stream to make sure it is not tampered with, or
      consider only  transmitting object fields and populating a new object.
    languages:
      - java
    severity: ERROR
    metadata:
      cwe: cwe-502
      owasp-mobile: m1
      masvs: platform-8
      reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-object-persistence-mstg-platform-8
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other

Short Link: https://sg.run/gPzJ