Insecure Deserialization
Need
To protect against unauthorized control of application execution flow
Context
- Usage of Elixir for building scalable and fault-tolerant applications
- Usage of Elixir Phoenix for building web applications
- Usage of serialization/deserialization libraries for handling serialized objects from untrusted sources
Description
Non compliant code
defmodule VulnerableApp.WebController do
use VulnerableApp.Web, :controller
def deserialize(conn, _params) do
{:ok, params} = Poison.decode(conn.params["payload"])
process_params(params)
end
defp process_params(params) do
# Handle params...
end
end
The following Elixir code deserializes an incoming object from an untrusted source without validating or casting it. This leaves the application open to manipulation from an attacker.
Steps
- Use a library such as
jason
to validate the structure of the incoming serialized object. - Only deserialize the object if it meets the expected properties.
Compliant code
defmodule SecureApp.WebController do
use SecureApp.Web, :controller
def deserialize(conn, _params) do
case Jason.decode(conn.params["payload"]) do
{:ok, params} when is_map(params) ->
process_params(params)
_ ->
{:error, "Invalid payload"}
end
end
defp process_params(params) do
# Handle params...
end
end
The following Elixir code deserializes an incoming object from an untrusted source but first validates it. This prevents an attacker from manipulating the execution flow of the application.