
Deserialization of Untrusted Data

🛡️ 7 reguł wykrywa to

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Many programming languages allow the serialization of objects for storage or transmission. When untrusted data is deserialized, it can lead to code execution, denial of service, or other unintended consequences.

Rozpowszechnienie
Średnia
Pokryto 3 języków
Wpływ
Krytyczny
3 reguł o krytycznym poziomie
Zapobieganie
Udokumentowane
7 przykładów poprawek
2 Zapobieganie

Jak naprawić tę podatność

Strategie zapobiegania dla Deserialization of Untrusted Data oparte na 7 regułach detekcji Shoulder.

Insecure Deserialization HIGH

Use strict typed structs instead of interface{} and avoid gob with untrusted data

+16 -10 go
  package main
  
  import (
-     "encoding/gob"
-     "net/http"
- )
- 
- func handler(w http.ResponseWriter, r *http.Request) {
-     // Vulnerable: gob decoding untrusted HTTP body
-     dec := gob.NewDecoder(r.Body)
-     var data interface{}
-     if err := dec.Decode(&data); err != nil {
-         http.Error(w, err.Error(), 400)
+     "encoding/json"
+     "net/http"
+ )
+ 
+ type UserRequest struct {
+     Name  string `json:"name"`
+     Email string `json:"email"`
+ }
+ 
+ func handler(w http.ResponseWriter, r *http.Request) {
+     // Safe: typed struct with JSON (data-only, no code execution)
+     var req UserRequest
+     dec := json.NewDecoder(r.Body)
+     dec.DisallowUnknownFields()
+     if err := dec.Decode(&req); err != nil {
+         http.Error(w, "Invalid request", 400)
          return
      }
  }
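Review bot: The decoded `req` is never validated after `dec.Decode(&req)` succeeds — an empty `Name` or malformed `Email` passes straight through, and the body is read with no size cap, so an oversized request is fully parsed before it can be rejected. Add `r.Body = http.MaxBytesReader(w, r.Body, 1<<20)` before building the decoder, and check the fields after decoding, e.g. `if req.Name == "" || req.Email == "" { http.Error(w, "Invalid request", http.StatusBadRequest); return }`. `DisallowUnknownFields` rejects extra keys inside the object but not trailing data after the first JSON value; a second `dec.Decode(&struct{}{})` that returns anything other than `io.EOF` catches that.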
  
LLM Training Data Poisoning HIGH

Validate all training data against strict schemas and apply content moderation before ingestion

+12 -0 go
  func indexHandler(w http.ResponseWriter, r *http.Request) {
      var docs []Document
      json.NewDecoder(r.Body).Decode(&docs)
+ 
+     validate := validator.New()
+     for _, doc := range docs {
+         if err := validate.Struct(doc); err != nil {
+             http.Error(w, "validation failed", http.StatusBadRequest)
+             return
+         }
+         if flagged, _ := moderationCheck(doc.Content); flagged {
+             http.Error(w, "content policy violation", http.StatusBadRequest)
+             return
+         }
+     }
      vectorDB.Upsert(docs)
  }
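Review bot: The `Decode(&docs)` error on the context line above the added block is still discarded, so a malformed body leaves `docs` empty or partially filled, the validation loop has nothing to reject, and `vectorDB.Upsert(docs)` still runs. The moderation call also drops its error (`flagged, _ := moderationCheck(doc.Content)`), which treats a failed or unavailable moderation service as "not flagged" — the one control this change adds fails open. Both should stop the request before the upsert; the rewritten lines are below, with the validator loop left as in the hunk.
```go
func indexHandler(w http.ResponseWriter, r *http.Request) {
    var docs []Document
    if err := json.NewDecoder(r.Body).Decode(&docs); err != nil {
        http.Error(w, "invalid request body", http.StatusBadRequest)
        return
    }
    // … unchanged: validator.New() and the validate.Struct(doc) check …
        flagged, err := moderationCheck(doc.Content)
        if err != nil {
            // fail closed: an unavailable moderation service must not admit content
            http.Error(w, "moderation unavailable", http.StatusServiceUnavailable)
            return
        }
        if flagged {
            http.Error(w, "content policy violation", http.StatusBadRequest)
            return
        }
    // … unchanged: vectorDB.Upsert(docs) …
```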
  
LLM Training Data Poisoning HIGH

Validate training data against schemas and use content moderation before fine-tuning

+4 -2 javascript
  app.post('/finetune', async (req, res) => {
-   await openai.files.create({
-     file: req.body.trainingData,
+   const validated = trainingSchema.parse(req.body.trainingData);
+   const moderated = await moderateContent(validated);
+   await openai.files.create({
+     file: moderated,
      purpose: 'fine-tune'
    });
  });
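Review bot: `trainingSchema.parse(req.body.trainingData)` throws on invalid input and `moderateContent` can reject, but the async handler has no `try`/`catch`, so a bad payload becomes an unhandled rejection rather than a 400 (with Express 4 an async handler's rejection is not forwarded to error middleware at all; with Express 5 it is forwarded but still surfaces as a 500 — which version is in use is not visible here). Wrap the body and respond explicitly: `} catch (err) { res.status(400).json({ error: 'Invalid training data' }); }`, forwarding errors that are not schema or moderation failures with `next(err)`. The hunk also passes `moderated` straight to `file:`; whether `moderateContent` returns something the files API accepts cannot be confirmed from these lines.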
  
Unsafe Deserialization CRITICAL

Use JSON.parse() instead of node-serialize, and yaml.SAFE_SCHEMA for YAML parsing

+10 -8 javascript
  const express = require('express');
- const serialize = require('node-serialize');
- const app = express();
- 
- app.post('/restore', (req, res) => {
-   const sessionData = req.body.session;
-   const session = serialize.deserialize(sessionData);
-   req.session = session;
-   res.json({ restored: true });
+ const app = express();
+ 
+ app.post('/restore', (req, res) => {
+   try {
+     const session = JSON.parse(req.body.session);
+     req.session = session;
+     res.json({ restored: true });
+   } catch (e) {
+     res.status(400).json({ error: 'Invalid session data' });
+   }
  });
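Review bot: `JSON.parse` removes the code-execution path, but the parsed value is assigned to `req.session` unchecked, so the client still dictates whatever the session holds and can also send a non-object such as `42` or `[]`. Validate the shape inside the `try` before assigning — at minimum `if (session === null || typeof session !== 'object' || Array.isArray(session)) throw new Error('bad session');` — and copy only an allowlist of expected keys rather than the whole object. If the session carries identity or authorization state, it should be server-stored or signed rather than rebuilt from the request body; the hunk does not show which it is. The `catch (e)` binding is unused and can be written as a bare `catch {`.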
  
LLM Training Data Poisoning HIGH

Validate training data with Pydantic schemas and apply content moderation before ingestion

+21 -4 python
- @app.route('/finetune', methods=['POST'])
- def finetune():
-     training_data = request.json['data']
-     client.files.create(file=training_data, purpose='fine-tune')
+ from pydantic import BaseModel, validator
+ 
+ class TrainingExample(BaseModel):
+     prompt: str
+     completion: str
+ 
+     @validator('prompt', 'completion')
+     def validate_length(cls, v):
+         if len(v) > 4000:
+             raise ValueError('Content too long')
+         return v
+ 
+ @app.route('/finetune', methods=['POST'])
+ async def finetune():
+     examples = [TrainingExample(**ex) for ex in request.json['data']]
+     moderation = await openai.moderations.create(
+         input=[ex.completion for ex in examples]
+     )
+     if any(r.flagged for r in moderation.results):
+         return {'error': 'Content policy violation'}, 400
+     client.files.create(file=json.dumps([ex.dict() for ex in examples]), purpose='fine-tune')
      return {'status': 'queued'}
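Review bot: `TrainingExample(**ex)` raises a pydantic `ValidationError` on bad fields, `TypeError` when an element is not a mapping, and `KeyError` when `'data'` is absent, and nothing catches them, so invalid training data returns a 500 instead of the 400 the moderation branch returns. Wrap the comprehension in a `try` and return `{'error': 'Invalid training data'}, 400` on `(ValidationError, TypeError, KeyError)`. The moderation request only covers `ex.completion`, so prompts are ingested unmoderated; use `input=[t for ex in examples for t in (ex.prompt, ex.completion)]`. `json.dumps` is used without a visible import and `async def` under Flask's `@app.route` needs Flask's async extra installed; both may be handled outside the hunk.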
  
Unsafe Deserialization CRITICAL

Replace pickle/marshal with JSON or other safe serialization formats

+7 -7 python
- import pickle
- from flask import request
- 
- @app.route('/load', methods=['POST'])
- def load():
-     data = request.get_data()
-     obj = pickle.loads(data)
+ import json
+ from flask import request
+ 
+ @app.route('/load', methods=['POST'])
+ def load():
+     data = request.get_data()
+     obj = json.loads(data)
      return str(obj)
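Review bot: `json.loads(data)` on the raw request bytes raises `json.JSONDecodeError` or `UnicodeDecodeError` on a malformed body, and `load()` does not catch it, so the client gets a 500 rather than a 400. Guard it with `try: obj = json.loads(data)` / `except (ValueError, UnicodeDecodeError): return 'Invalid JSON', 400` (`JSONDecodeError` is a `ValueError` subclass). `request.get_data()` also reads the whole body into memory; cap it with `MAX_CONTENT_LENGTH` in the app config if that is not already set elsewhere.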
  
Unsafe YAML Deserialization CRITICAL

Use yaml.safe_load() instead of yaml.load() to prevent code execution

+1 -1 python
  import yaml
  
  def parse_config(yaml_string):
-     config = yaml.load(yaml_string)
+     config = yaml.safe_load(yaml_string)
      return config
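Review bot: `yaml.safe_load` returns `None` for an empty document and a scalar or list for non-mapping input, and `parse_config` returns whatever it gets, so callers that index `config[...]` fail later with an unrelated error. If a mapping is expected, check it here: `if not isinstance(config, dict): raise ValueError('config must be a mapping')`. The expected return type is not documented in the hunk, so confirm what callers rely on before adding the check.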
  
3 Wykrywanie

Znajdź podatności w swoim kodzie

Użyj Shoulder do skanowania kodu w poszukiwaniu wzorców Deserialization of Untrusted Data. 7 reguł.

terminal
# Scan with Shoulder CLI
# --cwe=502 restricts the scan to the CWE-502 (Deserialization of Untrusted Data) rules
npx @shoulderdev/cli trust --cwe=502

# Or scan entire project: same command, no --cwe filter, run against the current directory
npx @shoulderdev/cli trust .

Reguły Wykrywania (7)

4 Sygnały Ostrzegawcze

Na co zwracać uwagę podczas przeglądu kodu

Te wzorce wskazują na potencjalne podatności Deserialization of Untrusted Data. Szukaj ich podczas przeglądów kodu i audytów bezpieczeństwa.

🟠
Untrusted data is deserialized without validation go-insecure-deserialization
🟠
truly dangerous deserialization in Go go-insecure-deserialization
🟠
Untrusted data flows to ... without validation go-llm-training-data-poisoning
🟠
untrusted data flowing into AI/LLM fine-tuning or training processes without validation go-llm-training-data-poisoning
🟠
untrusted or unvalidated data flowing into AI/LLM fine-tuning or training processes javascript-llm-training-data-poisoning
🔴
user input flowing to unsafe deserialization functions like node-serialize or yaml javascript-unsafe-deserialization
🔴
untrusted user input being deserialized using unsafe methods like pickle python-unsafe-deserialization
🔴
unsafe YAML deserialization using yaml python-yaml-deserialization