Skip to main content

Insecure Deserialization

Need

To protect against unauthorized control of application execution flow

Context

  • Usage of Elixir for building scalable and fault-tolerant applications
  • Usage of Elixir Phoenix for building web applications
  • Usage of serialization/deserialization libraries for handling serialized objects from untrusted sources

Description

Non compliant code

defmodule VulnerableApp.WebController do
  use VulnerableApp.Web, :controller

  def deserialize(conn, _params) do
    {:ok, params} = Poison.decode(conn.params["payload"])
    process_params(params)
  end

  defp process_params(params) do
    # Handle params...
  end
end

The following Elixir code deserializes an incoming object from an untrusted source without validating or casting it. This leaves the application open to manipulation from an attacker.

Steps

  • Use a library such as jason to validate the structure of the incoming serialized object.
  • Only deserialize the object if it meets the expected properties.

Compliant code

defmodule SecureApp.WebController do
  use SecureApp.Web, :controller

  def deserialize(conn, _params) do
    case Jason.decode(conn.params["payload"]) do
      {:ok, params} when is_map(params) ->
        process_params(params)
      _ ->
        {:error, "Invalid payload"}
    end
  end

  defp process_params(params) do
    # Handle params...
  end
end

The following Elixir code deserializes an incoming object from an untrusted source but first validates it. This prevents an attacker from manipulating the execution flow of the application.

References

Last updated on