BETA Shoulder ist in der Beta — Befunde können manchmal falsch sein. Dein Feedback bestimmt, was wir als Nächstes beheben. Feedback teilen
Shoulder.dev

Bedrohungsintelligenz für Entwickler
📦

Deserialization of Untrusted Data

🛡️ 7 Regeln erkennen dies

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Many programming languages allow the serialization of objects for storage or transmission. When untrusted data is deserialized, it can lead to code execution, denial of service, or other unintended consequences.

Verbreitung
Mittel
3 Sprachen abgedeckt
Auswirkung
Kritisch
3 Regeln mit kritischem Schweregrad
Prävention
Dokumentiert
7 Fix-Beispiele
2 Prävention
2 Prävention

So behebst du diese Schwachstelle

Präventionsstrategien für Deserialization of Untrusted Data basierend auf 7 Shoulder-Erkennungsregeln.

🐹 Go Alle anzeigen Go Details →
Insecure Deserialization HIGH

Use strict typed structs instead of interface{} and avoid gob with untrusted data

+16 -10 go 
  package main
  
  import (
-     "encoding/gob"
-     "net/http"
- )
- 
- func handler(w http.ResponseWriter, r *http.Request) {
-     // Vulnerable: gob decoding untrusted HTTP body
-     dec := gob.NewDecoder(r.Body)
-     var data interface{}
-     if err := dec.Decode(&data); err != nil {
-         http.Error(w, err.Error(), 400)
+     "encoding/json"
+     "net/http"
+ )
+ 
+ type UserRequest struct {
+     Name  string `json:"name"`
+     Email string `json:"email"`
+ }
+ 
+ func handler(w http.ResponseWriter, r *http.Request) {
+     // Safe: typed struct with JSON (data-only, no code execution)
+     var req UserRequest
+     dec := json.NewDecoder(r.Body)
+     dec.DisallowUnknownFields()
+     if err := dec.Decode(&req); err != nil {
+         http.Error(w, "Invalid request", 400)
          return
      }
  }
LLM Training Data Poisoning HIGH

Validate all training data against strict schemas and apply content moderation before ingestion

+12 -0 go 
  func indexHandler(w http.ResponseWriter, r *http.Request) {
      var docs []Document
      json.NewDecoder(r.Body).Decode(&docs)
+ 
+     validate := validator.New()
+     for _, doc := range docs {
+         if err := validate.Struct(doc); err != nil {
+             http.Error(w, "validation failed", http.StatusBadRequest)
+             return
+         }
+         if flagged, _ := moderationCheck(doc.Content); flagged {
+             http.Error(w, "content policy violation", http.StatusBadRequest)
+             return
+         }
+     }
      vectorDB.Upsert(docs)
  }
🟨 JavaScript Alle anzeigen JavaScript Details →
LLM Training Data Poisoning HIGH

Validate training data against schemas and use content moderation before fine-tuning

+4 -2 javascript 
  app.post('/finetune', async (req, res) => {
-   await openai.files.create({
-     file: req.body.trainingData,
+   const validated = trainingSchema.parse(req.body.trainingData);
+   const moderated = await moderateContent(validated);
+   await openai.files.create({
+     file: moderated,
      purpose: 'fine-tune'
    });
  });
Unsafe Deserialization CRITICAL

Use JSON.parse() instead of node-serialize, and yaml.SAFE_SCHEMA for YAML parsing

+10 -8 javascript 
  const express = require('express');
- const serialize = require('node-serialize');
- const app = express();
- 
- app.post('/restore', (req, res) => {
-   const sessionData = req.body.session;
-   const session = serialize.deserialize(sessionData);
-   req.session = session;
-   res.json({ restored: true });
+ const app = express();
+ 
+ app.post('/restore', (req, res) => {
+   try {
+     const session = JSON.parse(req.body.session);
+     req.session = session;
+     res.json({ restored: true });
+   } catch (e) {
+     res.status(400).json({ error: 'Invalid session data' });
+   }
  });
🐍 Python Alle anzeigen Python Details →
LLM Training Data Poisoning HIGH

Validate training data with Pydantic schemas and apply content moderation before ingestion

+21 -4 python 
- @app.route('/finetune', methods=['POST'])
- def finetune():
-     training_data = request.json['data']
-     client.files.create(file=training_data, purpose='fine-tune')
+ from pydantic import BaseModel, validator
+ 
+ class TrainingExample(BaseModel):
+     prompt: str
+     completion: str
+ 
+     @validator('prompt', 'completion')
+     def validate_length(cls, v):
+         if len(v) > 4000:
+             raise ValueError('Content too long')
+         return v
+ 
+ @app.route('/finetune', methods=['POST'])
+ async def finetune():
+     examples = [TrainingExample(**ex) for ex in request.json['data']]
+     moderation = await openai.moderations.create(
+         input=[ex.completion for ex in examples]
+     )
+     if any(r.flagged for r in moderation.results):
+         return {'error': 'Content policy violation'}, 400
+     client.files.create(file=json.dumps([ex.dict() for ex in examples]), purpose='fine-tune')
      return {'status': 'queued'}
Unsafe Deserialization CRITICAL

Replace pickle/marshal with JSON or other safe serialization formats

+7 -7 python 
- import pickle
- from flask import request
- 
- @app.route('/load', methods=['POST'])
- def load():
-     data = request.get_data()
-     obj = pickle.loads(data)
+ import json
+ from flask import request
+ 
+ @app.route('/load', methods=['POST'])
+ def load():
+     data = request.get_data()
+     obj = json.loads(data)
      return str(obj)
Unsafe YAML Deserialization CRITICAL

Use yaml.safe_load() instead of yaml.load() to prevent code execution

+1 -1 python 
  import yaml
  
  def parse_config(yaml_string):
-     config = yaml.load(yaml_string)
+     config = yaml.safe_load(yaml_string)
      return config
3 Erkennung
3 Erkennung

Finden Sie Schwachstellen in Ihrem Code

Verwenden Sie Shoulder, um Ihren Code nach Deserialization of Untrusted Data-Mustern zu scannen. 7 Regeln.

Terminal
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=502

# Or scan entire project
npx @shoulderdev/cli trust .

Erkennungsregeln (7)

4 Warnzeichen
4 Warnzeichen

Worauf bei Code-Reviews zu achten ist

Diese Muster weisen auf potenzielle Deserialization of Untrusted Data-Schwachstellen hin. Achten Sie bei Code-Reviews und Sicherheitsaudits darauf.

🟠
Untrusted data is deserialized without validation go-insecure-deserialization
🟠
truly dangerous deserialization in Go go-insecure-deserialization
🟠
Untrusted data flows to ... without validation go-llm-training-data-poisoning
🟠
untrusted data flowing into AI/LLM fine-tuning or training processes without validation go-llm-training-data-poisoning
🟠
untrusted or unvalidated data flowing into AI/LLM fine-tuning or training processes javascript-llm-training-data-poisoning
🔴
user input flowing to unsafe deserialization functions like node-serialize or yaml javascript-unsafe-deserialization
🔴
untrusted user input being deserialized using unsafe methods like pickle python-unsafe-deserialization
🔴
unsafe YAML deserialization using yaml python-yaml-deserialization
🔍

Scanne deine Codebasis nach Deserialization of Untrusted Data

Shoulder CLI findet anfällige Muster in deiner gesamten Codebasis.

npx shoulder trust Alle Regeln durchsuchen