# Deserialization of Untrusted Data (CWE-502)

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

**Stack:** Go

- Prevalence: Medium (3 languages covered)
- Impact: Critical (3 critical-severity rules)
- Prevention: Documented (7 fix examples)

**OWASP:** Software and Data Integrity Failures (A08:2021-Software and Data Integrity Failures) - #8

## Description

Many programming languages allow the serialization of objects for storage or transmission. When untrusted data is deserialized, it can lead to code execution, denial of service, or other unintended consequences.

## Prevention

Prevention strategies for Deserialization of Untrusted Data, based on 2 Shoulder detection rules.

### Go

- Use strictly typed structs instead of `interface{}` and avoid gob with untrusted data.
- Validate all training data against strict schemas and apply content moderation before ingestion.

## Warning Signs

- [HIGH] Untrusted data is deserialized without validation
- [HIGH] Truly dangerous deserialization in Go
- [HIGH] Untrusted data flows to ... without validation
- [HIGH] Untrusted data flowing into AI/LLM fine-tuning or training processes without validation

## Consequences

- Execution of unauthorized code
- DoS: crash / exit / restart
- Modification of application data

## Mitigations

- Avoid deserializing untrusted data where possible
- If deserialization is necessary, use safer formats such as JSON
- Apply integrity checks such as digital signatures
- Isolate deserialization in a low-privilege environment

## Detection

- Total rules: 7
- Critical: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (2 rules)

- **Insecure Deserialization** [HIGH]: Detects truly dangerous deserialization in Go. Unlike Java or Python, Go's `encoding/json` is safe (data-only parsing, no code execution).
  This rule focuses on:

  - `gob.Decoder`: can instantiate arbitrary types, potential RCE (CRITICAL)
  - json/yaml/xml to `interface{}`: type confusion risk when combined with untrusted input (MEDIUM)

  Note: `json.Unmarshal` to typed structs is NOT flagged, as it cannot execute code.

  Remediation: Use strict struct types instead of `interface{}` and validate after unmarshaling.

  ```go
  package main

  import "encoding/json"

  type User struct {
      Name  string `json:"name"`
      Email string `json:"email"`
  }

  // decodeUser decodes untrusted JSON into a fixed struct type, so the input can
  // only choose field values, never types (wrapper added so the snippet compiles).
  func decodeUser(input []byte) (User, error) {
      var user User
      if err := json.Unmarshal(input, &user); err != nil {
          return User{}, err
      }
      return user, nil
  }
  ```

  Learn more: https://shoulder.dev/learn/go/cwe-502/unsafe-deserialization

- **LLM Training Data Poisoning** [HIGH]: Detects untrusted data flowing into AI/LLM fine-tuning or training processes without validation.

  Remediation: Validate all training data against strict schemas before ingestion.

  ```go
  // Assumes `import "errors"` and `validate := validator.New()` from
  // github.com/go-playground/validator/v10; the page does not name the
  // validator library, so that pairing is an assumption.
  func checkDoc(doc interface{}) error {
      if err := validate.Struct(doc); err != nil {
          return errors.New("validation failed")
      }
      return nil
  }
  ```

  Learn more: https://shoulder.dev/learn/go/cwe-502/llm-training-data-poisoning
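The following is an added example, not code from this page or from Shoulder, that ties the two Go rules together. It decodes untrusted training records into the fixed `TrainingDoc` struct rather than `interface{}`, adding the guards `json.Unmarshal` alone lacks (`DisallowUnknownFields` and a trailing-data check), then validates each record against a strict schema, runs it through a content-moderation hook and drops duplicates before it can reach a fine-tuning set. `TrainingDoc`, the allowlists, `blockedTerms`, the sample JSONL feed and every function name here are constructed assumptions; `blocklistModerator` stands in for whatever classifier a real pipeline would call.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// TrainingDoc is the only record shape accepted: a fixed struct, never interface{},
// so untrusted input can choose field values but not types.
type TrainingDoc struct {
	Source string `json:"source"`
	Label  string `json:"label"`
	Text   string `json:"text"`
}

// Schema limit, allowlists and moderation blocklist (constructed values for this example).
const maxTextLen = 2000

var allowedLabels = map[string]bool{"positive": true, "negative": true, "neutral": true}
var trustedSources = map[string]bool{"internal-qa": true, "licensed-corpus": true}
var blockedTerms = []string{"blocked-term"}

// decodeStrict is the typed-struct remediation plus two guards json.Unmarshal lacks:
// unknown keys are rejected instead of silently accepted, and the record must hold
// exactly one JSON value so nothing can ride along after it.
func decodeStrict(record []byte, v interface{}) error {
	dec := json.NewDecoder(bytes.NewReader(record))
	dec.DisallowUnknownFields()
	if err := dec.Decode(v); err != nil {
		return err
	}
	if err := dec.Decode(&struct{}{}); err != io.EOF {
		return errors.New("trailing data after JSON value")
	}
	return nil
}

// validateDoc applies the schema rules the type system alone cannot express.
func validateDoc(d TrainingDoc) error {
	if !trustedSources[d.Source] {
		return fmt.Errorf("untrusted source %q", d.Source)
	}
	if !allowedLabels[d.Label] {
		return fmt.Errorf("label %q not in schema", d.Label)
	}
	if t := strings.TrimSpace(d.Text); t == "" || len(t) > maxTextLen {
		return fmt.Errorf("text length %d out of range", len(t))
	}
	return nil
}

// blocklistModerator is a constructed stand-in for the content-moderation step;
// a deployment would call a real classifier through the same signature.
func blocklistModerator(text string) bool {
	for _, b := range blockedTerms {
		if strings.Contains(strings.ToLower(text), b) {
			return false
		}
	}
	return true
}

// IngestJSONL reads one record per line and returns the accepted documents plus a
// rejection reason keyed by 1-based line number. Bad records are dropped, never repaired.
func IngestJSONL(input string, moderate func(string) bool) ([]TrainingDoc, map[int]string) {
	var accepted []TrainingDoc
	rejected := map[int]string{}
	seen := map[[32]byte]bool{} // content hash: duplicate samples skew training
	for i, line := range strings.Split(input, "\n") {
		var d TrainingDoc
		if err := decodeStrict([]byte(line), &d); err != nil {
			rejected[i+1] = "decode: " + err.Error()
			continue
		}
		if err := validateDoc(d); err != nil {
			rejected[i+1] = "schema: " + err.Error()
			continue
		}
		if !moderate(d.Text) {
			rejected[i+1] = "moderation: blocked content"
			continue
		}
		key := sha256.Sum256([]byte(d.Label + "\x00" + d.Text))
		if seen[key] {
			rejected[i+1] = "duplicate of an earlier record"
			continue
		}
		seen[key] = true
		accepted = append(accepted, d)
	}
	return accepted, rejected
}

func main() {
	// Constructed JSONL feed: one clean record, then one record per rejection path.
	feed := `{"source":"internal-qa","label":"positive","text":"Great battery life."}
{"source":"internal-qa","label":"positive","text":"ok","weight":100}
{"source":"scraped-forum","label":"positive","text":"Buy now!!!"}
{"source":"internal-qa","label":"spam","text":"mislabelled"}
{"source":"licensed-corpus","label":"negative","text":"Contains BLOCKED-TERM here."}
{"source":"internal-qa","label":"positive","text":"Great battery life."}`
	ok, bad := IngestJSONL(feed, blocklistModerator)
	fmt.Printf("accepted %d, rejected %d: %v\n", len(ok), len(bad), bad)
}
```

The record with the extra `"weight"` key is the case the first rule is about: decoded into `interface{}` it would be accepted with `weight` as a `float64`, while the fixed struct with `DisallowUnknownFields` refuses it outright. Everything after the decode step (source allowlist, label set, length bound, moderation, dedupe) is the "validate after unmarshaling" part, which no deserializer does for you.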