Docs/defensive-coding-guide
2
0
Fork 0
Code Issues 3 Pull requests 1 Projects Releases Packages Wiki Activity Actions

clean up de-serialize

Browse source
This commit is contained in:
Huzaifa Sidhpurwala 2021-09-21 09:20:21 +05:30
parent ced01f0bea
commit b6f256227a
1 changed files with 2 additions and 43 deletions
Download patch file Download diff file Expand all files Collapse all files

45
modules/ROOT/pages/tasks/Tasks-Serialization.adoc
View file

@ -139,49 +139,8 @@ Protocol.)
[[sect-Defensive_Coding-Tasks-Serialization-Library]] [[sect-Defensive_Coding-Tasks-Serialization-Library]]
== Library Support for Deserialization == Library Support for Deserialization
For some languages, generic libraries are available which allow There are too many subtleties when dealing with Deserialization to be discussed here.
to serialize and deserialize user-defined objects. The A more detailed and updated guide is available as https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html[OWASP Deserialization Cheat Sheet]
deserialization part comes in one of two flavors, depending on
the library. The first kind uses type information in the data
stream to control which objects are instantiated. The second
kind uses type definitions supplied by the programmer. The
first one allows arbitrary object instantiation, the second one
generally does not.
The following serialization frameworks are in the first category,
are known to be unsafe, and must not be used for untrusted data:
* Python's [package]*pickle* and [package]*cPickle*
modules, and wrappers such as [package]*shelve*
* Perl's [package]*Storable* package
* Java serialization (`java.io.ObjectInputStream`),
even if encoded in other formats (as with
`java.beans.XMLDecoder`)
* PHP serialization (`unserialize`)
* Most implementations of YAML
When using a type-directed deserialization format where the
types of the deserialized objects are specified by the
programmer, make sure that the objects which can be instantiated
cannot perform any destructive actions in their destructors,
even when the data members have been manipulated.
In general, JSON decoders do not suffer from this problem. But
you must not use the `eval` function to parse
JSON objects in Javascript; even with the regular expression
filter from RFC 4627, there are still information leaks
remaining. JSON-based formats can still turn out risky if they
serve as an encoding form for any if the serialization
frameworks listed above.
For serialization in C and C++ projects, the Protocol Buffers serialization
([package]*protobuf*) provides type safe automated serialization
by relying on code generation. It is positioned as similar, but simpler and
more efficient to XML serialization.
[[sect-Defensive_Coding-Tasks-Serialization-XML]] [[sect-Defensive_Coding-Tasks-Serialization-XML]]
== XML Serialization == XML Serialization