Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
Many programming languages allow the serialization of objects for storage or transmission. When untrusted data is deserialized, it can lead to code execution, denial of service, or other unintended consequences.
이 취약점을 수정하는 방법
7개의 Shoulder 탐지 규칙을 기반으로 한 Deserialization of Untrusted Data 예방 전략.
Use strict typed structs instead of interface{} and avoid gob with untrusted data
package main import ( - "encoding/gob" - "net/http" - ) - - func handler(w http.ResponseWriter, r *http.Request) { - // Vulnerable: gob decoding untrusted HTTP body - dec := gob.NewDecoder(r.Body) - var data interface{} - if err := dec.Decode(&data); err != nil { - http.Error(w, err.Error(), 400) + "encoding/json" + "net/http" + ) + + type UserRequest struct { + Name string `json:"name"` + Email string `json:"email"` + } + + func handler(w http.ResponseWriter, r *http.Request) { + // Safe: typed struct with JSON (data-only, no code execution) + var req UserRequest + dec := json.NewDecoder(r.Body) + dec.DisallowUnknownFields() + if err := dec.Decode(&req); err != nil { + http.Error(w, "Invalid request", 400) return } }
Validate all training data against strict schemas and apply content moderation before ingestion
func indexHandler(w http.ResponseWriter, r *http.Request) { var docs []Document json.NewDecoder(r.Body).Decode(&docs) + + validate := validator.New() + for _, doc := range docs { + if err := validate.Struct(doc); err != nil { + http.Error(w, "validation failed", http.StatusBadRequest) + return + } + if flagged, _ := moderationCheck(doc.Content); flagged { + http.Error(w, "content policy violation", http.StatusBadRequest) + return + } + } vectorDB.Upsert(docs) }
Validate training data against schemas and use content moderation before fine-tuning
app.post('/finetune', async (req, res) => { - await openai.files.create({ - file: req.body.trainingData, + const validated = trainingSchema.parse(req.body.trainingData); + const moderated = await moderateContent(validated); + await openai.files.create({ + file: moderated, purpose: 'fine-tune' }); });
Use JSON.parse() instead of node-serialize, and yaml.SAFE_SCHEMA for YAML parsing
const express = require('express'); - const serialize = require('node-serialize'); - const app = express(); - - app.post('/restore', (req, res) => { - const sessionData = req.body.session; - const session = serialize.deserialize(sessionData); - req.session = session; - res.json({ restored: true }); + const app = express(); + + app.post('/restore', (req, res) => { + try { + const session = JSON.parse(req.body.session); + req.session = session; + res.json({ restored: true }); + } catch (e) { + res.status(400).json({ error: 'Invalid session data' }); + } });
Validate training data with Pydantic schemas and apply content moderation before ingestion
- @app.route('/finetune', methods=['POST']) - def finetune(): - training_data = request.json['data'] - client.files.create(file=training_data, purpose='fine-tune') + from pydantic import BaseModel, validator + + class TrainingExample(BaseModel): + prompt: str + completion: str + + @validator('prompt', 'completion') + def validate_length(cls, v): + if len(v) > 4000: + raise ValueError('Content too long') + return v + + @app.route('/finetune', methods=['POST']) + async def finetune(): + examples = [TrainingExample(**ex) for ex in request.json['data']] + moderation = await openai.moderations.create( + input=[ex.completion for ex in examples] + ) + if any(r.flagged for r in moderation.results): + return {'error': 'Content policy violation'}, 400 + client.files.create(file=json.dumps([ex.dict() for ex in examples]), purpose='fine-tune') return {'status': 'queued'}
Replace pickle/marshal with JSON or other safe serialization formats
- import pickle - from flask import request - - @app.route('/load', methods=['POST']) - def load(): - data = request.get_data() - obj = pickle.loads(data) + import json + from flask import request + + @app.route('/load', methods=['POST']) + def load(): + data = request.get_data() + obj = json.loads(data) return str(obj)
Use yaml.safe_load() instead of yaml.load() to prevent code execution
import yaml def parse_config(yaml_string): - config = yaml.load(yaml_string) + config = yaml.safe_load(yaml_string) return config
코드에서 취약점 찾기
Shoulder를 사용하여 코드에서 Deserialization of Untrusted Data 패턴을 스캔하세요. 7 규칙.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=502 # Or scan entire project npx @shoulderdev/cli trust .
탐지 규칙 (7)
코드 리뷰에서 주의할 점
이 패턴은 잠재적인 Deserialization of Untrusted Data 취약점을 나타냅니다. 코드 리뷰와 보안 감사 중에 찾아보세요.
코드베이스를 스캔하세요: Deserialization of Untrusted Data
Shoulder CLI는 전체 코드베이스에서 취약한 패턴을 찾아냅니다.