Deserialization of untrusted object

Severity: High

Deserialization of untrusted or potentially malformed data can be exploited to cause a denial of service or to execute untrusted code.


Noncompliant example

def untrusted_deserialization_noncompliant():
    import jsonpickle
    userobj = input("user")
    # Noncompliant: Untrusted object deserialized without validation.
    obj = jsonpickle.decode(userobj)
    return obj

Compliant example

def untrusted_deserialization_compliant():
    import jsonpickle
    userobj = input("user")
    allowed_user_obj = ['example_module1', 'example_module2']
    # Compliant: Untrusted object is validated before deserialization.
    if userobj in allowed_user_obj:
        obj = jsonpickle.decode(userobj)
        return obj
    # Input outside the allowlist never reaches the decoder.
    return None
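The compliant example above validates the input by comparing it against an allowlist before calling `jsonpickle.decode`. The following is an added example, not code from the original page or from the detector's documentation, showing the more general pattern for input that is genuinely data: parse it with the standard-library `json` module (which never imports modules or instantiates user classes), refuse any jsonpickle reconstruction tags, and enforce an expected shape. The `EXPECTED_SHAPE`, size and depth limits, and the sample payloads are assumptions constructed for this example; the `py/...` key names are the tags jsonpickle uses in its encoded output.

```python
import json

# Added example (not from the original page): treat untrusted input as plain data,
# validate it, and never hand it to a decoder that can reconstruct objects.

# Metadata keys jsonpickle emits to request object/callable reconstruction on decode.
# If any of these appear in input we expected to be plain data, reject it outright.
JSONPICKLE_TAGS = frozenset({
    "py/object", "py/reduce", "py/type", "py/function", "py/newargs",
    "py/state", "py/repr", "py/id", "py/ref", "py/set", "py/tuple",
})

# Hypothetical expected shape of the payload (assumption for this example).
EXPECTED_SHAPE = {"username": str, "age": int}

MAX_BYTES = 64 * 1024   # size limit: bounds parser work on hostile input
MAX_DEPTH = 32          # nesting limit: bounds recursion on hostile input


class UnsafePayload(ValueError):
    """Raised when untrusted input fails validation and must not be used."""


def _reject_reconstruction_tags(node, depth=0):
    """Walk parsed JSON; refuse jsonpickle tags and excessive nesting."""
    if depth > MAX_DEPTH:
        raise UnsafePayload("nesting deeper than %d" % MAX_DEPTH)
    if isinstance(node, dict):
        for key, value in node.items():
            if key in JSONPICKLE_TAGS:
                raise UnsafePayload("object-reconstruction tag %r in input" % key)
            _reject_reconstruction_tags(value, depth + 1)
    elif isinstance(node, list):
        for value in node:
            _reject_reconstruction_tags(value, depth + 1)


def load_untrusted(raw, shape=EXPECTED_SHAPE):
    """Parse untrusted text as data only, then enforce the expected shape.

    json.loads produces only dicts, lists, strings, numbers, booleans and None,
    so the dangerous step (object reconstruction) simply does not happen; the
    shape check then rejects anything the application did not ask for.
    """
    if not isinstance(raw, str) or len(raw.encode("utf-8")) > MAX_BYTES:
        raise UnsafePayload("payload missing or larger than %d bytes" % MAX_BYTES)
    try:
        data = json.loads(raw)
    except (json.JSONDecodeError, RecursionError) as exc:
        raise UnsafePayload("malformed JSON: %s" % exc) from None
    _reject_reconstruction_tags(data)
    if not isinstance(data, dict):
        raise UnsafePayload("top-level value must be an object")
    unexpected = sorted(set(data) - set(shape))
    missing = sorted(set(shape) - set(data))
    if unexpected or missing:
        raise UnsafePayload("unexpected keys %s, missing keys %s" % (unexpected, missing))
    for key, expected_type in shape.items():
        # type() rather than isinstance(): bool is a subclass of int in Python
        if type(data[key]) is not expected_type:
            raise UnsafePayload("field %r must be %s" % (key, expected_type.__name__))
    return data


def check_payload(raw):
    """Convenience wrapper: (True, data) on success, (False, reason) on rejection."""
    try:
        return True, load_untrusted(raw)
    except UnsafePayload as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample inputs for demonstration (not real traffic).
    samples = [
        '{"username": "alice", "age": 30}',
        '{"username": "alice", "age": true}',
        '{"py/object": "example_module1.Widget", "username": "x", "age": 1}',
        '[' * 40 + ']' * 40,
        '{"username": "alice", "age": 30, "role": "admin"}',
    ]
    for sample in samples:
        print(check_payload(sample))
```

Only the first sample is accepted; the others are rejected for a wrong field type, a reconstruction tag, excessive nesting, and an unexpected key respectively. If the application really must rebuild objects from the input, the same validation should run on the raw text first, and the decoder should be restricted to an explicit allowlist of classes, as the compliant example does with its module allowlist.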