Metaprogramming is always a problem
TL;DR: Don't allow remote code execution
Problems
- Security
Solutions
Validate and sanitize input
Avoid executing code. Input only data
Apply sandboxing or isolation
Context
Deserializing objects from an untrusted source is indeed a security-sensitive operation.
Suppose you have a web application that accepts serialized objects as input from user-submitted data, such as in an API endpoint or a file upload feature.
The application deserializes these objects to reconstruct them into usable objects within the system.
If an attacker submits maliciously crafted serialized data to exploit vulnerabilities in the deserialization process.
They might manipulate the serialized data to execute arbitrary code, escalate privileges, or perform unauthorized actions within the application or the underlying system.
This type of attack is commonly known as "deserialization attacks" or "serialization vulnerabilities."
Sample Code
Wrong
import pickle # Python's serialization module
def process_serialized_data(serialized_data):
try:
obj = pickle.loads(serialized_data)
# Deserialize the object
# Process the deserialized object
# ...
# User-submitted serialized data
user_data = b"\x80\x04\x95\x13\x00\x00\x00\x00\x00\x00\x00\x8c\x08os\nsystem\n\x8c\x06uptime\n\x86\x94."
# This code executes os.system("uptime")
process_serialized_data(user_data)
Right
import json
def process_serialized_data(serialized_data):
try:
obj = json.loads(serialized_data)
# Deserialize the JSON object
# Does not execute code
# ...
user_data = '{"key": "value"}'
process_serialized_data(user_data)
Detection
[X] Semi-Automatic
Several linters warn about deserialization points.
Tags
- Security
Conclusion
Metaprogramming opens doors to abusers.
Relations
Code Smell 189 - Not Sanitized Input
Maxi Contieri ・ Dec 28 '22
More Info
Laziness I: Meta-programming
Maxi Contieri ・ Jan 30 '21
Disclaimer
Code Smells are my opinion.
Credits
Photo by Towfiqu barbhuiya on Unsplash
Whenever possible, steal code.
Tom Duff
Software Engineering Great Quotes
Maxi Contieri ・ Dec 28 '20
This article is part of the CodeSmell Series.