php.lang.security.unserialize-use.unserialize-use
semgrepAuthor
unknown
Download Count*
License
Calling unserialize() with user input in the pattern can lead to arbitrary code execution. Consider using JSON or structured data approaches (e.g. Google Protocol Buffers).
Run Locally
Run in CI
Defintion
rules:
- id: unserialize-use
patterns:
- pattern: unserialize(...)
- pattern-not: unserialize("...",...)
message: Calling `unserialize()` with user input in the pattern can lead to
arbitrary code execution. Consider using JSON or structured data
approaches (e.g. Google Protocol Buffers).
metadata:
references:
- https://www.php.net/manual/en/function.unserialize.php
- https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization.html
category: security
technology:
- php
owasp:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
cwe:
- "CWE-502: Deserialization of Untrusted Data"
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- "Insecure Deserialization "
languages:
- php
severity: WARNING
Examples
unserialize-use.php
<?php
$data = $_GET["data"];
// ruleid: unserialize-use
$object = unserialize($data);
// ok: unserialize-use
$object2 = unserialize('O:1:"a":1:{s:5:"value";s:3:"100";}');
Short Link: https://sg.run/b24E