Investigate vulnerability: Deserialization of untrusted data #1142

Open
SGeeversAtVortech opened this issue Jan 30, 2024 · 1 comment

@SGeeversAtVortech
Contributor

In GitLab by @bentvelsen on Jan 30, 2024, 11:47

Issue created from vulnerability 78355387

Description:

The application was found using pickle which is vulnerable to deserialization attacks.
Deserialization attacks exploit the process of reading serialized data and turning it back
into an object. By constructing malicious objects and serializing them, an adversary may
attempt to:

  • Inject code that is executed upon object construction, which occurs during the
    deserialization process.
  • Exploit mass assignment by including fields that are not normally a part of the serialized
    data but are read in during deserialization.

Consider safer alternatives such as serializing data in the JSON format. Ensure any format
chosen allows the application to specify exactly which object types are allowed to be deserialized.

To protect against mass assignment, only allow deserialization of the specific fields that are
required. If this is not easily done, consider creating an intermediary type that
can be serialized with only the necessary fields exposed.

Example JSON deserializer using an intermediary type that is validated against a schema to ensure
it is safe from mass assignment:

import jsonschema

# Create a schema to validate our user-supplied input against
# an intermediary object
intermediary_schema = {
    "type" : "object",
    "properties" :  {
        "name": {"type" : "string"}
    },
    "required": ["name"],
    # Protect against random properties being added to the object
    "additionalProperties": False,
}
# If a user attempted to add "'is_admin': True" it would cause a validation error
intermediary_object = {'name': 'test user'}

try:
    # Validate the user supplied intermediary object against our schema
    jsonschema.validate(instance=intermediary_object, schema=intermediary_schema)
    user_object = {'user':
        {
            # Assign the deserialized data from intermediary object
            'name': intermediary_object['name'],
            # Add in protected data in object definition (or set it from a class constructor)
            'is_admin': False,
        }
    }
    # Work with the user_object
except jsonschema.exceptions.ValidationError as ex:
    # Gracefully handle validation errors: reject the input and report why
    print(f"Rejected user-supplied object: {ex.message}")

For more details on deserialization attacks in general, see OWASP's guide:

Identifiers:

  • A8 - Insecure Deserialization
  • bandit.B301-1
  • CWE-502
  • Bandit Test ID B301
  • Bandit Test ID B301-1
  • A8:2017 - Insecure Deserialization

Scanner:

  • Name: Semgrep
@SGeeversAtVortech
Contributor Author

In GitLab by @bentvelsen on Jan 30, 2024, 11:50

We could circumvent using the pickle by storing the tck file as a json, where we use the casadi methods .save() and .load() to serialize/deserialize the casadi function.
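For files that have to stay pickled while the move to JSON is pending, the description's advice to specify exactly which object types may be deserialized can be applied with an allow-listing `pickle.Unpickler`. This is an added example, not code from this project or from the scanner report; the allow-list contents, the sample payloads and the names `AllowListUnpickler`, `restricted_loads` and `demo` are assumptions made for illustration.

```python
import io
import pickle
from collections import OrderedDict

# Assumed allow-list: the only globals a stored file may reference.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class AllowListUnpickler(pickle.Unpickler):
    """Unpickler that resolves only globals named in ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_loads(data: bytes):
    """Drop-in for pickle.loads() that enforces the allow-list."""
    return AllowListUnpickler(io.BytesIO(data)).load()


class _CallsLenOnLoad:
    """Constructed sample: its pickle asks the loader to call len("abc")."""

    def __reduce__(self):
        return (len, ("abc",))


def demo():
    # Constructed inputs: plain containers, an allowed type, a callable reference.
    plain = pickle.dumps({"knots": [0.0, 1.0], "degree": 3})
    ordered = pickle.dumps(OrderedDict(a=1))
    callable_ref = pickle.dumps(_CallsLenOnLoad())
    results = {
        "plain": restricted_loads(plain),             # no globals needed
        "ordered": restricted_loads(ordered),         # global is allow-listed
        "unrestricted": pickle.loads(callable_ref),   # len() runs during load
    }
    try:
        restricted_loads(callable_ref)
        results["restricted"] = "loaded"
    except pickle.UnpicklingError as ex:
        results["restricted"] = str(ex)               # builtins.len refused
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The allow-list only narrows which globals a file can name; replacing the pickle with JSON, as proposed in the comment above, removes the deserialization step that Bandit B301 flags.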
