rspec/rules/S4510/java/rule.adoc

Deserialization from an untrusted source using the XMLDecoder library can lead to unexpected code execution. For example, it has led in the past to the following vulnerability:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4221[CVE-2013-4221]

XMLDecoder supports arbitrary method invocation. This capability is intended to call setter methods only but nothing prevents the execution of any other method.


This rule raises an issue when XMLDecoder is instantiated. The call to "readObject" is also highlighted to show where the malicious code can be executed.


== Ask Yourself Whether

* the XML input can come from an untrusted source and be tainted by a hacker. (*)
* you require the advanced functionalities provided by the XMLDecoder class. If you simply need to deserialize XML you can use a more secure deserialization function.

(*) You are at risk if you answered yes to this question.


== Recommended Secure Coding Practices

If you only need a simple deserialization, use instead one of the deserialization libraries https://www.owasp.org/index.php/Deserialization_Cheat_Sheet#Mitigation_Tools.2FLibraries[recommended by OWASP].


If you really need to use XMLDecoder, make sure that the serialized data cannot be tampered with.


== Sensitive Code Example

----
public void decode(InputStream in) {
  XMLDecoder d = new XMLDecoder(in); // Sensitive
  Object result = d.readObject();
  [...]
  d.close();
}
----


== See

* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
* OWASP - https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[Top 10 2017 Category A8 - Insecure Deserialization]
* CWE - https://cwe.mitre.org/data/definitions/502[CWE-502 - Deserialization of Untrusted Data]
* https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data[OWASP Deserialization of untrusted data]
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#XML_DECODER[XML_DECODER ]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure deserializing with XMLDecoder is safe here.


=== Highlighting

First: the call to the java.beans.XMLDecoder constructor

Second: the call to the "readObject" on the XMLDecoder


'''
== Comments And Links
(visible only on this page)

=== on 19 Mar 2018, 11:17:50 Sébastien GIORIA - AppSecFR wrote:
need tag OWASP A8:2017

=== on 27 May 2020, 16:48:31 Eric Therond wrote:
Deprecated because it overlaps with SonarSecurity

endif::env-github,rspecator-view[]
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`Deserialization from an untrusted source using the XMLDecoder library can lead to unexpected code execution. For example, it has led in the past to the following vulnerability:`

			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4221[CVE-2013-4221]`

			`XMLDecoder supports arbitrary method invocation. This capability is intended to call setter methods only but nothing prevents the execution of any other method.`


			`This rule raises an issue when XMLDecoder is instantiated. The call to "readObject" is also highlighted to show where the malicious code can be executed.`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Ask Yourself Whether`

			`* the XML input can come from an untrusted source and be tainted by a hacker. (*)`
			`* you require the advanced functionalities provided by the XMLDecoder class. If you simply need to deserialize XML you can use a more secure deserialization function.`

			`(*) You are at risk if you answered yes to this question.`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Recommended Secure Coding Practices`

			`If you only need a simple deserialization, use instead one of the deserialization libraries https://www.owasp.org/index.php/Deserialization_Cheat_Sheet#Mitigation_Tools.2FLibraries[recommended by OWASP].`


			`If you really need to use XMLDecoder, make sure that the serialized data cannot be tampered with.`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Sensitive Code Example`

			`----`
			`public void decode(InputStream in) {`
			`XMLDecoder d = new XMLDecoder(in); // Sensitive`
			`Object result = d.readObject();`
			`[...]`
			`d.close();`
			`}`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== See`

Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) * Fix all CWE references * Fix all OWASP references * Fix missing CWE prefixes 2024-01-15 17:15:56 +01:00			`* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]`
			`* OWASP - https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[Top 10 2017 Category A8 - Insecure Deserialization]`
			`* CWE - https://cwe.mitre.org/data/definitions/502[CWE-502 - Deserialization of Untrusted Data]`
Modify: Fix old/broken embedded links (#1100) 2022-07-08 13:58:56 +02:00			`* https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data[OWASP Deserialization of untrusted data]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#XML_DECODER[XML_DECODER ]`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00

Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Make sure deserializing with XMLDecoder is safe here.`


			`=== Highlighting`

			`First: the call to the java.beans.XMLDecoder constructor`

			`Second: the call to the "readObject" on the XMLDecoder`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 19 Mar 2018, 11:17:50 Sébastien GIORIA - AppSecFR wrote:`
			`need tag OWASP A8:2017`

			`=== on 27 May 2020, 16:48:31 Eric Therond wrote:`
			`Deprecated because it overlaps with SonarSecurity`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`