Untrusted Deserialization

Severity
High

An object is deserialized from a potentially untrusted source. Deserializing attacker-controlled data can exhaust resources (a denial-of-service condition) or lead to remote code execution that gives the attacker control of the system.

Detector ID
ruby/untrusted-deserialization@v1.0
Category
Common Weakness Enumeration (CWE)
Tags
-

Noncompliant example

require 'csv'

def handler_noncompliant(event:, context:)
  foobar = event['smth']
  # Noncompliant: tainted data from the incoming event is passed inside `CSV.load()`,
  # which reconstructs objects from whatever the caller-supplied string contains.
  obj3 = CSV.load("o:" + event['data'])
end

Compliant example

require 'csv'

def handler_compliant(event:, context:)
  # Compliant: no tainted data passed inside `CSV.load()`.
  # `get_safe_data` is assumed to return data the application itself controls,
  # never anything derived from the event.
  obj3 = CSV.load(get_safe_data())
end
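The compliant example above avoids the problem by never feeding event data to `CSV.load()`. When the application genuinely has to accept serialized records from a caller, the defensive shape is to stop letting the input decide what gets instantiated: parse it as plain CSV, allowlist the record type and its exact column set, coerce and range-check every field, and build the object through its normal constructor. The block below is an added example and is not code from the detector page or from the CSV library; `Order`, `SCHEMAS`, `load_records`, `UnsafeSerializedInput` and the two sample payloads are constructed here, and the assumed layout (a `class,<Name>` meta row, a header row, then one row per object) is only an assumption about the serialized format.

```ruby
require 'csv'

# Constructed sample input that the application expects: a meta row naming the
# record type, a header row, then one data row per object.
TRUSTED_RECORD = <<~CSV
  class,Order
  id,quantity
  42,3
CSV

# Constructed sample of caller-supplied input whose meta row names a class the
# application never intended to build from external data.
TAMPERED_RECORD = <<~CSV
  class,Object
  id
  1
CSV

# The only type external records may become. Built via a normal constructor,
# not by allocating an arbitrary class and poking instance variables into it.
Order = Struct.new(:id, :quantity, keyword_init: true)

class UnsafeSerializedInput < StandardError; end

# Allowlist keyed by the meta-row class name: exact expected headers, in order,
# each with a coercion that also validates the value.
SCHEMAS = {
  "Order" => {
    klass: Order,
    fields: {
      "id" => ->(v) { Integer(v, 10) },
      "quantity" => lambda { |v|
        q = Integer(v, 10)
        raise ArgumentError, "quantity #{q} out of range" unless (1..1000).cover?(q)
        q
      }
    }
  }
}.freeze

# Parses caller-supplied serialized records into Order objects, rejecting any
# input that does not match the allowlisted type and schema exactly.
def load_records(csv_text)
  rows = CSV.parse(csv_text)

  meta = rows.shift or raise UnsafeSerializedInput, "missing meta row"
  unless meta.length == 2 && meta[0] == "class"
    raise UnsafeSerializedInput, "malformed meta row #{meta.inspect}"
  end
  schema = SCHEMAS[meta[1]] or raise UnsafeSerializedInput, "type #{meta[1].inspect} not allowed"

  headers = rows.shift or raise UnsafeSerializedInput, "missing header row"
  unless headers == schema[:fields].keys
    raise UnsafeSerializedInput, "unexpected headers #{headers.inspect}"
  end

  rows.map do |row|
    unless row.length == headers.length
      raise UnsafeSerializedInput, "row #{row.inspect} does not match headers"
    end
    attrs = headers.zip(row).to_h do |name, raw|
      value = begin
        schema[:fields][name].call(raw.to_s)
      rescue ArgumentError, TypeError => e
        raise UnsafeSerializedInput, "field #{name}: #{e.message}"
      end
      [name.to_sym, value]
    end
    schema[:klass].new(**attrs)
  end
end

if __FILE__ == $PROGRAM_NAME
  p load_records(TRUSTED_RECORD)
  begin
    load_records(TAMPERED_RECORD)
  rescue UnsafeSerializedInput => e
    puts "rejected: #{e.message}"
  end
end
```

The key design choice is that the input can only select from `SCHEMAS`, never name a class directly, and that every field goes through a validator before the object exists; a header set that is merely a superset of the expected one is rejected rather than tolerated, because extra columns are exactly how an attacker would try to smuggle in state the type never meant to carry.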