बीटा Shoulder बीटा में है — परिणाम कभी-कभी गलत हो सकते हैं। आपकी प्रतिक्रिया तय करती है कि हम आगे क्या ठीक करें। प्रतिक्रिया साझा करें
Shoulder.dev

डेवलपर सुरक्षा प्लेटफ़ॉर्म
📦

Deserialization of Untrusted Data

🛡️ 7 नियम इसे पहचानते हैं

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Many programming languages allow the serialization of objects for storage or transmission. When untrusted data is deserialized, it can lead to code execution, denial of service, or other unintended consequences.

व्यापकता
मध्यम
3 भाषाएँ कवर की गईं
प्रभाव
क्रिटिकल
3 क्रिटिकल गंभीरता वाले नियम
रोकथाम
प्रलेखित
7 फिक्स उदाहरण
2 रोकथाम
2 रोकथाम

इस भेद्यता को कैसे ठीक करें

7 Shoulder डिटेक्शन नियमों पर आधारित Deserialization of Untrusted Data के लिए रोकथाम रणनीतियाँ।

🐹 Go सब देखें Go विवरण →
Insecure Deserialization HIGH

Use strict typed structs instead of interface{} and avoid gob with untrusted data

+16 -10 go 
  package main
  
  import (
-     "encoding/gob"
-     "net/http"
- )
- 
- func handler(w http.ResponseWriter, r *http.Request) {
-     // Vulnerable: gob decoding untrusted HTTP body
-     dec := gob.NewDecoder(r.Body)
-     var data interface{}
-     if err := dec.Decode(&data); err != nil {
-         http.Error(w, err.Error(), 400)
+     "encoding/json"
+     "net/http"
+ )
+ 
+ type UserRequest struct {
+     Name  string `json:"name"`
+     Email string `json:"email"`
+ }
+ 
+ func handler(w http.ResponseWriter, r *http.Request) {
+     // Safe: typed struct with JSON (data-only, no code execution)
+     var req UserRequest
+     dec := json.NewDecoder(r.Body)
+     dec.DisallowUnknownFields()
+     if err := dec.Decode(&req); err != nil {
+         http.Error(w, "Invalid request", 400)
          return
      }
  }
LLM Training Data Poisoning HIGH

Validate all training data against strict schemas and apply content moderation before ingestion

+12 -0 go 
  func indexHandler(w http.ResponseWriter, r *http.Request) {
      var docs []Document
      json.NewDecoder(r.Body).Decode(&docs)
+ 
+     validate := validator.New()
+     for _, doc := range docs {
+         if err := validate.Struct(doc); err != nil {
+             http.Error(w, "validation failed", http.StatusBadRequest)
+             return
+         }
+         if flagged, _ := moderationCheck(doc.Content); flagged {
+             http.Error(w, "content policy violation", http.StatusBadRequest)
+             return
+         }
+     }
      vectorDB.Upsert(docs)
  }
🟨 JavaScript सब देखें JavaScript विवरण →
LLM Training Data Poisoning HIGH

Validate training data against schemas and use content moderation before fine-tuning

+4 -2 javascript 
  app.post('/finetune', async (req, res) => {
-   await openai.files.create({
-     file: req.body.trainingData,
+   const validated = trainingSchema.parse(req.body.trainingData);
+   const moderated = await moderateContent(validated);
+   await openai.files.create({
+     file: moderated,
      purpose: 'fine-tune'
    });
  });
Unsafe Deserialization CRITICAL

Use JSON.parse() instead of node-serialize, and yaml.SAFE_SCHEMA for YAML parsing

+10 -8 javascript 
  const express = require('express');
- const serialize = require('node-serialize');
- const app = express();
- 
- app.post('/restore', (req, res) => {
-   const sessionData = req.body.session;
-   const session = serialize.deserialize(sessionData);
-   req.session = session;
-   res.json({ restored: true });
+ const app = express();
+ 
+ app.post('/restore', (req, res) => {
+   try {
+     const session = JSON.parse(req.body.session);
+     req.session = session;
+     res.json({ restored: true });
+   } catch (e) {
+     res.status(400).json({ error: 'Invalid session data' });
+   }
  });
🐍 Python सब देखें Python विवरण →
LLM Training Data Poisoning HIGH

Validate training data with Pydantic schemas and apply content moderation before ingestion

+21 -4 python 
- @app.route('/finetune', methods=['POST'])
- def finetune():
-     training_data = request.json['data']
-     client.files.create(file=training_data, purpose='fine-tune')
+ from pydantic import BaseModel, validator
+ 
+ class TrainingExample(BaseModel):
+     prompt: str
+     completion: str
+ 
+     @validator('prompt', 'completion')
+     def validate_length(cls, v):
+         if len(v) > 4000:
+             raise ValueError('Content too long')
+         return v
+ 
+ @app.route('/finetune', methods=['POST'])
+ async def finetune():
+     examples = [TrainingExample(**ex) for ex in request.json['data']]
+     moderation = await openai.moderations.create(
+         input=[ex.completion for ex in examples]
+     )
+     if any(r.flagged for r in moderation.results):
+         return {'error': 'Content policy violation'}, 400
+     client.files.create(file=json.dumps([ex.dict() for ex in examples]), purpose='fine-tune')
      return {'status': 'queued'}
Unsafe Deserialization CRITICAL

Replace pickle/marshal with JSON or other safe serialization formats

+7 -7 python 
- import pickle
- from flask import request
- 
- @app.route('/load', methods=['POST'])
- def load():
-     data = request.get_data()
-     obj = pickle.loads(data)
+ import json
+ from flask import request
+ 
+ @app.route('/load', methods=['POST'])
+ def load():
+     data = request.get_data()
+     obj = json.loads(data)
      return str(obj)
Unsafe YAML Deserialization CRITICAL

Use yaml.safe_load() instead of yaml.load() to prevent code execution

+1 -1 python 
  import yaml
  
  def parse_config(yaml_string):
-     config = yaml.load(yaml_string)
+     config = yaml.safe_load(yaml_string)
      return config
3 पहचान
3 पहचान

अपने कोड में भेद्यताएँ खोजें

Deserialization of Untrusted Data पैटर्न के लिए अपने कोडबेस को स्कैन करने के लिए Shoulder का उपयोग करें। 7 नियम.

टर्मिनल
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=502

# Or scan entire project
npx @shoulderdev/cli trust .

पहचान नियम (7)

4 चेतावनी संकेत
4 चेतावनी संकेत

कोड समीक्षा में किन बातों पर ध्यान दें

ये पैटर्न संभावित Deserialization of Untrusted Data भेद्यताओं का संकेत देते हैं। कोड समीक्षा और सुरक्षा ऑडिट के दौरान इन्हें देखें।

🟠
Untrusted data is deserialized without validation go-insecure-deserialization
🟠
truly dangerous deserialization in Go go-insecure-deserialization
🟠
Untrusted data flows to ... without validation go-llm-training-data-poisoning
🟠
untrusted data flowing into AI/LLM fine-tuning or training processes without validation go-llm-training-data-poisoning
🟠
untrusted or unvalidated data flowing into AI/LLM fine-tuning or training processes javascript-llm-training-data-poisoning
🔴
user input flowing to unsafe deserialization functions like node-serialize or yaml javascript-unsafe-deserialization
🔴
untrusted user input being deserialized using unsafe methods like pickle python-unsafe-deserialization
🔴
unsafe YAML deserialization using yaml python-yaml-deserialization
🔍

अपने कोडबेस को इसके लिए स्कैन करें: Deserialization of Untrusted Data

Shoulder CLI आपके पूरे कोडबेस में भेद्य पैटर्न खोजता है।

npx shoulder trust सभी नियम देखें