python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle

profile photo of semgrepsemgrep
Author
1,200
Download Count*

Avoid using jsonpickle, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using json module.

Run Locally

Run in CI

Defintion

rules:
  - id: avoid-jsonpickle
    patterns:
      - pattern: |
          jsonpickle.decode($PAYLOAD,...)
      - pattern-not: |
          jsonpickle.decode("...",...)
    metadata:
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      references:
        - https://github.com/jsonpickle/jsonpickle#jsonpickle
        - https://www.exploit-db.com/exploits/49585
      category: security
      technology:
        - jsonpickle
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - "Insecure Deserialization "
    message: Avoid using `jsonpickle`, which is known to lead to code execution
      vulnerabilities. When unpickling, the serialized data could be manipulated
      to run arbitrary code. Instead, consider serializing the relevant data
      using `json` module.
    languages:
      - python
    severity: WARNING

Examples

avoid-jsonpickle.py

import jsonpickle

def run_payload(payload: str) -> None:
    # ruleid: avoid-jsonpickle
    obj = jsonpickle.decode(payload)

def ok():
    # ok: avoid-jsonpickle
    obj = jsonpickle.decode('foobar')