베타 Shoulder는 베타 버전입니다 — 결과가 가끔 잘못될 수 있습니다. 여러분의 피드백이 다음에 무엇을 고칠지 결정합니다. 피드백 공유
Shoulder.dev

개발자를 위한 위협 인텔리전스
📦

Deserialization of Untrusted Data

🛡️ 7 개의 규칙이 이를 탐지합니다

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Many programming languages allow the serialization of objects for storage or transmission. When untrusted data is deserialized, it can lead to code execution, denial of service, or other unintended consequences.

보급률
보통
3개 언어 지원
영향
치명적
3개의 치명적 심각도 규칙
예방
문서화됨
7개의 수정 예시
2 예방
2 예방

이 취약점을 수정하는 방법

7개의 Shoulder 탐지 규칙을 기반으로 한 Deserialization of Untrusted Data 예방 전략.

🐹 Go 모두 보기 Go 자세히 →
Insecure Deserialization HIGH

Use strict typed structs instead of interface{} and avoid gob with untrusted data

+16 -10 go 
  package main
  
  import (
-     "encoding/gob"
-     "net/http"
- )
- 
- func handler(w http.ResponseWriter, r *http.Request) {
-     // Vulnerable: gob decoding untrusted HTTP body
-     dec := gob.NewDecoder(r.Body)
-     var data interface{}
-     if err := dec.Decode(&data); err != nil {
-         http.Error(w, err.Error(), 400)
+     "encoding/json"
+     "net/http"
+ )
+ 
+ type UserRequest struct {
+     Name  string `json:"name"`
+     Email string `json:"email"`
+ }
+ 
+ func handler(w http.ResponseWriter, r *http.Request) {
+     // Safe: typed struct with JSON (data-only, no code execution)
+     var req UserRequest
+     dec := json.NewDecoder(r.Body)
+     dec.DisallowUnknownFields()
+     if err := dec.Decode(&req); err != nil {
+         http.Error(w, "Invalid request", 400)
          return
      }
  }
LLM Training Data Poisoning HIGH

Validate all training data against strict schemas and apply content moderation before ingestion

+12 -0 go 
  func indexHandler(w http.ResponseWriter, r *http.Request) {
      var docs []Document
      json.NewDecoder(r.Body).Decode(&docs)
+ 
+     validate := validator.New()
+     for _, doc := range docs {
+         if err := validate.Struct(doc); err != nil {
+             http.Error(w, "validation failed", http.StatusBadRequest)
+             return
+         }
+         if flagged, _ := moderationCheck(doc.Content); flagged {
+             http.Error(w, "content policy violation", http.StatusBadRequest)
+             return
+         }
+     }
      vectorDB.Upsert(docs)
  }
🟨 JavaScript 모두 보기 JavaScript 자세히 →
LLM Training Data Poisoning HIGH

Validate training data against schemas and use content moderation before fine-tuning

+4 -2 javascript 
  app.post('/finetune', async (req, res) => {
-   await openai.files.create({
-     file: req.body.trainingData,
+   const validated = trainingSchema.parse(req.body.trainingData);
+   const moderated = await moderateContent(validated);
+   await openai.files.create({
+     file: moderated,
      purpose: 'fine-tune'
    });
  });
Unsafe Deserialization CRITICAL

Use JSON.parse() instead of node-serialize, and yaml.SAFE_SCHEMA for YAML parsing

+10 -8 javascript 
  const express = require('express');
- const serialize = require('node-serialize');
- const app = express();
- 
- app.post('/restore', (req, res) => {
-   const sessionData = req.body.session;
-   const session = serialize.deserialize(sessionData);
-   req.session = session;
-   res.json({ restored: true });
+ const app = express();
+ 
+ app.post('/restore', (req, res) => {
+   try {
+     const session = JSON.parse(req.body.session);
+     req.session = session;
+     res.json({ restored: true });
+   } catch (e) {
+     res.status(400).json({ error: 'Invalid session data' });
+   }
  });
🐍 Python 모두 보기 Python 자세히 →
LLM Training Data Poisoning HIGH

Validate training data with Pydantic schemas and apply content moderation before ingestion

+21 -4 python 
- @app.route('/finetune', methods=['POST'])
- def finetune():
-     training_data = request.json['data']
-     client.files.create(file=training_data, purpose='fine-tune')
+ from pydantic import BaseModel, validator
+ 
+ class TrainingExample(BaseModel):
+     prompt: str
+     completion: str
+ 
+     @validator('prompt', 'completion')
+     def validate_length(cls, v):
+         if len(v) > 4000:
+             raise ValueError('Content too long')
+         return v
+ 
+ @app.route('/finetune', methods=['POST'])
+ async def finetune():
+     examples = [TrainingExample(**ex) for ex in request.json['data']]
+     moderation = await openai.moderations.create(
+         input=[ex.completion for ex in examples]
+     )
+     if any(r.flagged for r in moderation.results):
+         return {'error': 'Content policy violation'}, 400
+     client.files.create(file=json.dumps([ex.dict() for ex in examples]), purpose='fine-tune')
      return {'status': 'queued'}
Unsafe Deserialization CRITICAL

Replace pickle/marshal with JSON or other safe serialization formats

+7 -7 python 
- import pickle
- from flask import request
- 
- @app.route('/load', methods=['POST'])
- def load():
-     data = request.get_data()
-     obj = pickle.loads(data)
+ import json
+ from flask import request
+ 
+ @app.route('/load', methods=['POST'])
+ def load():
+     data = request.get_data()
+     obj = json.loads(data)
      return str(obj)
Unsafe YAML Deserialization CRITICAL

Use yaml.safe_load() instead of yaml.load() to prevent code execution

+1 -1 python 
  import yaml
  
  def parse_config(yaml_string):
-     config = yaml.load(yaml_string)
+     config = yaml.safe_load(yaml_string)
      return config
3 탐지
3 탐지

코드에서 취약점 찾기

Shoulder를 사용하여 코드에서 Deserialization of Untrusted Data 패턴을 스캔하세요. 7 규칙.

터미널
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=502

# Or scan entire project
npx @shoulderdev/cli trust .

탐지 규칙 (7)

4 경고 신호
4 경고 신호

코드 리뷰에서 주의할 점

이 패턴은 잠재적인 Deserialization of Untrusted Data 취약점을 나타냅니다. 코드 리뷰와 보안 감사 중에 찾아보세요.

🟠
Untrusted data is deserialized without validation go-insecure-deserialization
🟠
truly dangerous deserialization in Go go-insecure-deserialization
🟠
Untrusted data flows to ... without validation go-llm-training-data-poisoning
🟠
untrusted data flowing into AI/LLM fine-tuning or training processes without validation go-llm-training-data-poisoning
🟠
untrusted or unvalidated data flowing into AI/LLM fine-tuning or training processes javascript-llm-training-data-poisoning
🔴
user input flowing to unsafe deserialization functions like node-serialize or yaml javascript-unsafe-deserialization
🔴
untrusted user input being deserialized using unsafe methods like pickle python-unsafe-deserialization
🔴
unsafe YAML deserialization using yaml python-yaml-deserialization
🔍

코드베이스를 스캔하세요: Deserialization of Untrusted Data

Shoulder CLI는 전체 코드베이스에서 취약한 패턴을 찾아냅니다.

npx shoulder trust 모든 규칙 보기