# Insecure Deserialization

- ID: go-insecure-deserialization
- Severity: HIGH
- CWE: Deserialization of Untrusted Data (CWE-502)
- Languages: Go

## Description

Detects truly dangerous deserialization in Go. Unlike Java or Python, Go's encoding/json is safe (data-only parsing, no code execution). This rule focuses on:

- gob.Decoder: can instantiate arbitrary types, potential RCE (CRITICAL)
- json/yaml/xml into interface{}: type confusion risk when combined with untrusted input (MEDIUM)

Note: json.Unmarshal into typed structs is NOT flagged, since it cannot execute code.

## Detection Message

Untrusted data is deserialized without validation

## Remediation

Use strict struct types instead of interface{} and validate after unmarshaling.

```go
type User struct {
	Name  string `json:"name"`
	Email string `json:"email"`
}

var user User
if err := json.Unmarshal(input, &user); err != nil {
	return err
}
```

Learn more: https://shoulder.dev/learn/go/cwe-502/unsafe-deserialization

## Related Rules

- **LLM Training Data Poisoning** [HIGH]
- **Unsafe Deserialization** [CRITICAL]
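A fuller version of the remediation above, added here as an example (not the rule's or shoulder.dev's own code): decoding into a typed struct with unknown and mistyped fields rejected, validation after decoding, next to the map[string]interface{} pattern the rule flags, where a field the sender controls can arrive as a different JSON type than the code expects. The validation limits, the email check and the sample inputs are assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/mail"
)

type User struct {
	Name  string `json:"name"`
	Email string `json:"email"`
}

// DecodeUser decodes into the typed struct (unknown or mistyped fields are
// rejected by the decoder) and then validates; the limits are assumptions.
func DecodeUser(input []byte) (User, error) {
	var u User
	dec := json.NewDecoder(bytes.NewReader(input))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&u); err != nil {
		return User{}, err // e.g. an object where a string was expected
	}
	if u.Name == "" || len(u.Name) > 64 {
		return User{}, errors.New("name must be 1-64 bytes")
	}
	if _, err := mail.ParseAddress(u.Email); err != nil {
		return User{}, fmt.Errorf("invalid email: %w", err)
	}
	return u, nil
}

// LooseDecode is the interface{} pattern the rule flags: each value's type
// is only known at runtime, so m["name"] may be a map, number or nil.
func LooseDecode(input []byte) (map[string]interface{}, error) {
	var m map[string]interface{}
	err := json.Unmarshal(input, &m)
	return m, err
}

func main() {
	// Constructed samples: a valid user and one whose "name" is an object.
	good := []byte(`{"name":"alice","email":"alice@example.com"}`)
	bad := []byte(`{"name":{"$ref":"x"},"email":"alice@example.com"}`)
	fmt.Println(DecodeUser(good))
	fmt.Println(DecodeUser(bad))
	m, _ := LooseDecode(bad)
	_, isString := m["name"].(string)
	fmt.Println("loose decode: name is string?", isString)
}
```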