From 2615206a697371a379d2951175d514f1f1b6c41c Mon Sep 17 00:00:00 2001
From: elsapet
Date: Mon, 22 Jul 2024 17:08:06 +0200
Subject: [PATCH] fix(golang): deserialization pattern for gob

---
 .../go/lang/deserialization_of_user_input.yml | 46 +++++++++++++------
 .../testdata/main.go | 4 +-
 2 files changed, 34 insertions(+), 16 deletions(-)

diff --git a/rules/go/lang/deserialization_of_user_input.yml b/rules/go/lang/deserialization_of_user_input.yml
index 066d2e0a..11047f6d 100644
--- a/rules/go/lang/deserialization_of_user_input.yml
+++ b/rules/go/lang/deserialization_of_user_input.yml
@@ -1,45 +1,63 @@ imports: - go_shared_lang_dynamic_input_combined patterns: - - pattern: $.Decode($); + - pattern: $.Decode($<...>); filters: - variable: DECODER detection: go_lang_deserialization_of_user_input_decoder - - variable: USER_INPUT - detection: go_shared_lang_dynamic_input_combined - - pattern: $.Encode($<...>$$<...>); + - pattern: $.Encode($<...>); filters: - variable: ENCODER detection: go_lang_deserialization_of_user_input_encoder - - variable: USER_INPUT - detection: go_shared_lang_dynamic_input_combined auxiliary: - id: go_lang_deserialization_of_user_input_decoder patterns: - - gob.NewDecoder(); + - pattern: gob.NewDecoder($); + filters: + - variable: USER_INPUT + detection: go_shared_lang_dynamic_input_combined - id: go_lang_deserialization_of_user_input_encoder patterns: - - gob.NewEncoder(); + - pattern: gob.NewEncoder($); + filters: + - variable: USER_INPUT + detection: go_shared_lang_dynamic_input_combined languages: - go metadata: description: Unsanitized user input in deserialization method - remediation_message: |- + remediation_message: | ## Description - Deserializing data from untrusted sources, like user inputs or request parameters, without proper verification is a security risk. Attackers can embed malicious code or payloads within serialized data. When your application deserializes this data without checks, it becomes vulnerable to attacks. + It is bad practice to deserialize untrusted data, such as data that comes + from external sources like user input or request parameters, without sufficient + verification. Attackers can transfer payloads or malicious code via serialized + data, and deserializing such data puts your application at risk. ## Remediations - - **Do not** deserialize data from untrusted sources directly. This can lead to security vulnerabilities. - - **Do** validate and sanitize all data before deserializing it. Ensure that the data is coming from a trusted source and is in the expected format. 
+ ❌ Do not deserialize untrusted data - ## References + ✅ Validate and sanitize data before attempting to (de)serialize it + ## Resources - [Gob Security Documentation](https://pkg.go.dev/encoding/gob#hdr-Security) - [OWASP Deserialization cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) cwe_id: - 502 id: go_lang_deserialization_of_user_input - documentation_url: https://docs.bearer.com/reference/rules/go_lang_deserialization_of_user_input + hidden: false + remediable: false + deprecated: false + display_name: Unsanitized user input in deserialization method + long_description: |- + Deserializing data from untrusted sources, like user inputs or request parameters, without proper verification is a security risk. Attackers can embed malicious code or payloads within serialized data. When your application deserializes this data without checks, it becomes vulnerable to attacks. + guidelines: |- + - **Do not** deserialize data from untrusted sources directly. This can lead to security vulnerabilities. + - **Do** validate and sanitize all data before deserializing it. Ensure that the data is coming from a trusted source and is in the expected format. + + ### References + + - [Gob Security Documentation](https://pkg.go.dev/encoding/gob#hdr-Security) + - [OWASP Deserialization cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) severity: critical diff --git a/tests/go/lang/deserialization_of_user_input/testdata/main.go b/tests/go/lang/deserialization_of_user_input/testdata/main.go index 07dbd063..f6820ded 100644 --- a/tests/go/lang/deserialization_of_user_input/testdata/main.go +++ b/tests/go/lang/deserialization_of_user_input/testdata/main.go 
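Review bot: The rewritten encoder auxiliary, `pattern: gob.NewEncoder($)` filtered by `variable: USER_INPUT` against `go_shared_lang_dynamic_input_combined`, now taints the argument of `gob.NewEncoder`, which is the destination `io.Writer` and not the data being serialized, whereas the removed form at least looked at the value handed to `Encode`. Neither form is a deserialization sink, so under a CWE-502 rule named `go_lang_deserialization_of_user_input` the encoder branch will raise findings a reader cannot act on; I would drop the `.Encode(...)` pattern and the `go_lang_deserialization_of_user_input_encoder` auxiliary, or add a YAML comment above them stating why encoding is in scope for this rule. On the decoder side, `gob.NewDecoder($)` now fires only when the reader expression itself resolves to dynamic input, so a decoder built over a wrapper such as `bufio.NewReader(r.Body)` depends on how far the shared detection follows dataflow and deserves its own test case. The new remediation wording "transfer payloads or malicious code" also overstates what the linked encoding/gob security section warns about, which is resource exhaustion on hostile input rather than code execution; `Decoding untrusted gob data can exhaust memory or CPU; bound the input size and decode into fixed, expected types` would be accurate for Go.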
@@ -15,10 +15,10 @@ type Employee struct {
 func bad() {
- dec := gob.NewDecoder(&os.Args[0])
+ dec := gob.NewDecoder(bytes.NewReader([]byte(os.Args[0])))
 var v Vector
- err = dec.Decode(&v) // bearer:expected go_lang_deserialization_of_user_input
+ err = dec.Decode(&v)
 }
 func ok() {
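Review bot: The `// bearer:expected go_lang_deserialization_of_user_input` annotation is dropped from `bad()` in the same hunk that wraps the reader as `bytes.NewReader([]byte(os.Args[0]))`, so the test no longer asserts that the rule fires on its own bad case; if the annotation went away because the wrapped reader is no longer matched by the new `gob.NewDecoder` pattern, that is a detection regression hidden by the test rather than a fix. I would keep `err = dec.Decode(&v) // bearer:expected go_lang_deserialization_of_user_input` here, and if the wrapped form is intentionally out of scope, add a second function that passes the dynamic value straight to `gob.NewDecoder` and carries the annotation, with a comment on `bad()` explaining why the wrapped form is not expected. `bad()` also assigns `err` with `=` and no declaration is visible in the hunk, which only compiles if `err` is declared elsewhere in the file; `ok()` opens on the hunk's last line and continues outside it.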