ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S4510/java/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

78 lines
2.5 KiB
Plaintext
Raw Permalink Blame History

Deserialization from an untrusted source using the XMLDecoder library can lead to unexpected code execution. For example, it has led in the past to the following vulnerability:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4221[CVE-2013-4221]
XMLDecoder supports arbitrary method invocation. This capability is intended to call setter methods only but nothing prevents the execution of any other method.
This rule raises an issue when XMLDecoder is instantiated. The call to "readObject" is also highlighted to show where the malicious code can be executed.
== Ask Yourself Whether
* the XML input can come from an untrusted source and be tainted by a hacker. (*)
* you require the advanced functionalities provided by the XMLDecoder class. If you simply need to deserialize XML you can use a more secure deserialization function.
(*) You are at risk if you answered yes to this question.
== Recommended Secure Coding Practices
If you only need a simple deserialization, use instead one of the deserialization libraries https://www.owasp.org/index.php/Deserialization_Cheat_Sheet#Mitigation_Tools.2FLibraries[recommended by OWASP].
If you really need to use XMLDecoder, make sure that the serialized data cannot be tampered with.
== Sensitive Code Example
----
public void decode(InputStream in) {
XMLDecoder d = new XMLDecoder(in); // Sensitive
Object result = d.readObject();
[...]
d.close();
}
----
== See
* OWASP - https://owasp.org/www-project-top-ten/2017/A1_2017-Injection[Top 10 2017 Category A1 - Injection]
* OWASP - https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization[Top 10 2017 Category A8 - Insecure Deserialization]
* CWE - https://cwe.mitre.org/data/definitions/502[CWE-502 - Deserialization of Untrusted Data]
* https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data[OWASP Deserialization of untrusted data]
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#XML_DECODER[XML_DECODER ]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Make sure deserializing with XMLDecoder is safe here.
=== Highlighting
First: the call to the java.beans.XMLDecoder constructor
Second: the call to the "readObject" on the XMLDecoder
'''
== Comments And Links
(visible only on this page)
=== on 19 Mar 2018, 11:17:50 Sébastien GIORIA - AppSecFR wrote:
need tag OWASP A8:2017
=== on 27 May 2020, 16:48:31 Eric Therond wrote:
Deprecated because it overlaps with SonarSecurity
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink