rspec/rules/S5773/description.adoc

During the deserialization process, the state of an object will be reconstructed from the serialized data stream which can contain dangerous operations.


To restrict the types allowed to be deserialized:

* by implementing an "allow-list" of types, but keep in mind that novel dangerous types are regularly discovered and this protection could be insufficient over time.
* or/and implementing a tamper protection, such as https://en.wikipedia.org/wiki/HMAC[message authentication codes] (MAC). This way only objects serialized with the correct MAC hash will be deserialized.
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`During the deserialization process, the state of an object will be reconstructed from the serialized data stream which can contain dangerous operations.`

Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`To restrict the types allowed to be deserialized:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Update rules after the fix in the export module 2021-04-26 17:29:13 +02:00			`* by implementing an "allow-list" of types, but keep in mind that novel dangerous types are regularly discovered and this protection could be insufficient over time.`
			`* or/and implementing a tamper protection, such as https://en.wikipedia.org/wiki/HMAC[message authentication codes] (MAC). This way only objects serialized with the correct MAC hash will be deserialized.`