Unsanitized user input in deserialization method
Overview
Rule ID:
javascript_express_unsafe_deserialization
Applicable Languages: JavaScript
Weakness ID: CWE-502
Description
Deserializing untrusted data exposes your application to security risks. The vulnerability arises when data from an external source, typically an Express request object (body, query string, route parameters, cookies, headers), is passed to a deserializer that reconstructs more than plain data, for example one that revives functions or class instances, without first being validated. An attacker who controls the serialized text can embed code or a crafted object graph that runs, or alters application state, at the moment the application deserializes it.
Remediation Guidelines
Do not pass data from untrusted sources directly to a deserializer that can execute or revive code. Any code embedded in the serialized input runs during deserialization, before your handler has a chance to inspect the result.
Do use data-only, language-agnostic formats such as JSON (via `JSON.parse`) or XML for data that arrives from clients. Their parsers produce plain values and never execute code from the input, which removes the attacker's ability to exploit the deserialization step itself. Still validate the parsed value against the shape the endpoint expects (allowed fields, types, bounds) before using it, and if you choose XML, disable external entity resolution in the parser.
References
Configuration
To omit this rule during a scan, or to get continuous code-level scanning of your repository, use our SAST tool.