mobsf.mobsfscan.object_deserialization.object_deserialization

MobSF

Author

505

Download Count*

License

Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. Consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: object_deserialization
    patterns:
      - pattern: new ObjectInputStream(...);
    severity: WARNING
    languages:
      - java
    message: >
      Found object deserialization using ObjectInputStream. Deserializing entire
      Java objects is dangerous because malicious actors can create Java object
      streams with unintended consequences. Ensure that the objects being
      deserialized are not user-controlled. Consider using HMACs to sign the
      data stream to make sure it is not tampered with, or consider
      only  transmitting object fields and populating a new object.
    metadata:
      cwe: cwe-502
      owasp-mobile: m1
      masvs: platform-8
      reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-object-persistence-mstg-platform-8
      license: LGPL-3.0-or-later

Short Link: https://sg.run/7GZW