RSPEC-4510

Deserializing with XMLDecoder is security-sensitive

    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Message:
      Make sure deserializing with XMLDecoder is safe here.
    • Highlighting:
      First: the call to the java.beans.XMLDecoder constructor
      Second: the call to the "readObject" on the XMLDecoder
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C#
    • Covered Languages:
      Java
    • Irrelevant for Languages:
      ABAP, APEX, C, C++, Cobol, CSS, Flex, Go, HTML, JavaScript, Kotlin, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Rust, Scala, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      15min
    • Analysis Level:
      Semantic Analysis
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-502
    • OWASP:
      A1, A8
    • FindSecBugs:
      XML_DECODER

      Description

      Deserializing input from an untrusted source with the java.beans.XMLDecoder class can lead to arbitrary code execution. For example, it has led in the past to the following vulnerability:

      XMLDecoder supports arbitrary method invocation. The XML it reads is not a passive data description but a sequence of instructions (instantiate this class, call this method with these arguments) that the decoder executes as it parses. The format is intended to reconstruct JavaBeans through constructors and setter methods, but nothing restricts it to that: a document that names java.lang.ProcessBuilder and its "start" method is processed exactly like one that names a bean setter.

      This rule raises an issue where XMLDecoder is instantiated. The subsequent call to "readObject" is also highlighted because that is the point at which the instructions carried by the XML are executed.

      Ask Yourself Whether

      • the XML input can come from an untrusted source and be controlled by an attacker.
      • you really need the bean-reconstruction features provided by the XMLDecoder class. If you simply need to read data from XML, a plain XML parser bound to a fixed, expected structure is a safer choice.

      You are at risk if you answered yes to either of these questions.

      Sensitive Code Example

      import java.beans.XMLDecoder;
      import java.io.InputStream;

      public void decode(InputStream in) {
        XMLDecoder d = new XMLDecoder(in); // Sensitive: "in" may be attacker-controlled
        Object result = d.readObject();    // executes whatever the XML instructs
        // [...]
        d.close();
      }
      

      Recommended Secure Coding Practices

      If you only need a simple deserialization, use instead one of the deserialization libraries recommended by OWASP, or parse the XML with a standard parser and copy only the fields you expect into your own objects.

      If you really need to use XMLDecoder, make sure that the serialized data cannot be tampered with: read it only from a trusted, integrity-protected location that the application controls, never from user-supplied input.
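      The following is an added example written for this page; it is not code from the rule page or from SonarSource. It feeds two constructed XML documents to the same XMLDecoder call: one is the shape XMLEncoder produces for an ordinary settings map, the other uses the identical syntax to instantiate java.lang.ProcessBuilder and invoke "start" (the command is a harmless "hostname" here, but the attacker who controls the document picks it). Beside it is a hardened reader for the same settings that uses a plain DOM parser with doctype declarations disabled and copies only the expected "entry" elements, so the document can only ever describe data, never method calls. The "settings"/"entry" layout and the method names are assumptions of this example.

      ```java
      import java.beans.XMLDecoder;
      import java.io.ByteArrayInputStream;
      import java.nio.charset.StandardCharsets;
      import java.util.HashMap;
      import java.util.Map;
      import javax.xml.XMLConstants;
      import javax.xml.parsers.DocumentBuilderFactory;
      import org.w3c.dom.Document;
      import org.w3c.dom.Element;
      import org.w3c.dom.NodeList;

      public class XmlDecoderDemo {

          // Constructed sample: what XMLEncoder emits for a HashMap with one entry.
          static final String LEGIT = ""
              + "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
              + "<java version=\"1.8.0\" class=\"java.beans.XMLDecoder\">\n"
              + " <object class=\"java.util.HashMap\">\n"
              + "  <void method=\"put\">\n"
              + "   <string>timeout</string>\n"
              + "   <string>30</string>\n"
              + "  </void>\n"
              + " </object>\n"
              + "</java>\n";

          // Constructed sample: same grammar, but the element names now drive
          // ProcessBuilder(String[]).start(). "hostname" is harmless; an attacker chooses it.
          static final String HOSTILE = ""
              + "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
              + "<java version=\"1.8.0\" class=\"java.beans.XMLDecoder\">\n"
              + " <object class=\"java.lang.ProcessBuilder\">\n"
              + "  <array class=\"java.lang.String\" length=\"1\">\n"
              + "   <void index=\"0\"><string>hostname</string></void>\n"
              + "  </array>\n"
              + "  <void method=\"start\"/>\n"
              + " </object>\n"
              + "</java>\n";

          // Sensitive: whatever class and method the XML names get instantiated and invoked.
          static Object decodeWithXmlDecoder(String xml) {
              try (XMLDecoder d = new XMLDecoder(
                      new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))) {
                  return d.readObject();
              }
          }

          // Safer: a fixed <settings><entry key="...">value</entry></settings> layout
          // (assumed for this example) read with a plain parser, external entities and
          // doctypes disabled, and only the expected elements copied into a map.
          static Map<String, String> decodeSettings(String xml) throws Exception {
              DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
              f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
              f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
              f.setExpandEntityReferences(false);
              Document doc = f.newDocumentBuilder()
                  .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
              Map<String, String> out = new HashMap<>();
              NodeList entries = doc.getDocumentElement().getElementsByTagName("entry");
              for (int i = 0; i < entries.getLength(); i++) {
                  Element e = (Element) entries.item(i);
                  out.put(e.getAttribute("key"), e.getTextContent());
              }
              return out;
          }

          public static void main(String[] args) throws Exception {
              Object legit = decodeWithXmlDecoder(LEGIT);
              System.out.println("legit   -> " + legit.getClass().getName() + " " + legit);

              // readObject() returns the ProcessBuilder, but start() has already run.
              Object hostile = decodeWithXmlDecoder(HOSTILE);
              System.out.println("hostile -> " + hostile.getClass().getName() + " (process spawned)");

              String settings = "<settings><entry key=\"timeout\">30</entry></settings>";
              System.out.println("safe    -> " + decodeSettings(settings));
          }
      }
      ```

      Note that the application code around decodeWithXmlDecoder is identical for both inputs; there is no argument, feature flag or listener on XMLDecoder that turns the method-invocation behaviour off, which is why the fix is to stop handing it untrusted bytes rather than to configure it.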

      See

              People

              • Assignee:
                Unassigned
              • Reporter:
                Alexandre Gigleux