From b6f256227a9cf6b98aa49ca4ef4b7ed31ac7455e Mon Sep 17 00:00:00 2001 From: Huzaifa Sidhpurwala Date: Tue, 21 Sep 2021 09:20:21 +0530 Subject: [PATCH] clean up de-serialize --- .../ROOT/pages/tasks/Tasks-Serialization.adoc | 45 +------------------ 1 file changed, 2 insertions(+), 43 deletions(-) diff --git a/modules/ROOT/pages/tasks/Tasks-Serialization.adoc b/modules/ROOT/pages/tasks/Tasks-Serialization.adoc index 8bfffbf..7e481e9 100644 --- a/modules/ROOT/pages/tasks/Tasks-Serialization.adoc +++ b/modules/ROOT/pages/tasks/Tasks-Serialization.adoc 
@@ -139,49 +139,8 @@ Protocol.) [[sect-Defensive_Coding-Tasks-Serialization-Library]] == Library Support for Deserialization -For some languages, generic libraries are available which allow -to serialize and deserialize user-defined objects. The -deserialization part comes in one of two flavors, depending on -the library. The first kind uses type information in the data -stream to control which objects are instantiated. The second -kind uses type definitions supplied by the programmer. The -first one allows arbitrary object instantiation, the second one -generally does not. - -The following serialization frameworks are in the first category, -are known to be unsafe, and must not be used for untrusted data: - -* Python's [package]*pickle* and [package]*cPickle* -modules, and wrappers such as [package]*shelve* - -* Perl's [package]*Storable* package - -* Java serialization (`java.io.ObjectInputStream`), -even if encoded in other formats (as with -`java.beans.XMLDecoder`) - -* PHP serialization (`unserialize`) - -* Most implementations of YAML - -When using a type-directed deserialization format where the -types of the deserialized objects are specified by the -programmer, make sure that the objects which can be instantiated -cannot perform any destructive actions in their destructors, -even when the data members have been manipulated. - -In general, JSON decoders do not suffer from this problem. But -you must not use the `eval` function to parse -JSON objects in Javascript; even with the regular expression -filter from RFC 4627, there are still information leaks -remaining. JSON-based formats can still turn out risky if they -serve as an encoding form for any if the serialization -frameworks listed above. - -For serialization in C and C++ projects, the Protocol Buffers serialization -([package]*protobuf*) provides type safe automated serialization -by relying on code generation. It is positioned as similar, but simpler and -more efficient to XML serialization. 
+There are too many subtleties when dealing with Deserialization to be discussed here. +A more detailed and updated guide is available as https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html[OWASP Deserialization Cheat Sheet] [[sect-Defensive_Coding-Tasks-Serialization-XML]] == XML Serialization
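Review bot: the hunk drops actionable, language-specific guidance that the new two-sentence text does not replace: the list of frameworks known to be unsafe on untrusted data (Python `pickle`/`cPickle` and `shelve`, Perl `Storable`, Java `java.io.ObjectInputStream` including `java.beans.XMLDecoder`, PHP `unserialize`, most YAML implementations), the distinction between formats that take type information from the data stream and those that use programmer-supplied type definitions, the destructor caveat for type-directed deserialization, the warning against `eval` for JSON in JavaScript, and the protobuf recommendation for C and C++. A link to the OWASP Deserialization Cheat Sheet is a good addition, but consider keeping at least the "must not be used for untrusted data" list and the protobuf paragraph alongside it, since the section title is still "Library Support for Deserialization" and readers expect a concrete answer here. Two small nits in the added lines: "Deserialization" need not be capitalized mid-sentence, and the second sentence lacks a trailing period, e.g. `+A more detailed and updated guide is available as https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html[OWASP Deserialization Cheat Sheet].`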