Examples of errors detected by the V5611 diagnostic
V5611. OWASP. Potential insecure deserialization vulnerability. Potentially tainted data is used to create an object using deserialization.
Power-Fx
V5611 [CWE-502, OWASP-1.5.2, OWASP-5.5.3] Possible insecure deserialization. Potentially tainted data in the 'json' variable is used to deserialize an object. EngineSchemaChecker.cs 31
public static void Check(Engine engine, string pathInput)
{
    EngineSchema schema;
    if (pathInput != null)
    {
        var json = File.ReadAllText(pathInput);
        schema = JsonSerializer.Deserialize<EngineSchema>(json);
    }
    ....
}
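One way to resolve this warning, as an added example that is not Power-Fx code or part of the diagnostic's documentation: confine the tainted path to an allowed directory, bound the size and nesting of the JSON before it is parsed, and validate the resulting object before it is used. The EngineSchema type below is a hypothetical stand-in for the project's own class, and the "schemas" directory and the limits are constructed values.

```csharp
using System;
using System.IO;
using System.Text.Json;

// Hypothetical stand-in for the project's EngineSchema type.
public sealed class EngineSchema
{
    public string Name { get; set; } = "";
    public int Version { get; set; }
}

public static class EngineSchemaLoader
{
    // Only files below this directory may be deserialized (constructed example value).
    private static readonly string AllowedRoot =
        Path.GetFullPath(Path.Combine(AppContext.BaseDirectory, "schemas"));

    // Limit nesting so a hostile document cannot drive the parser arbitrarily deep.
    private static readonly JsonSerializerOptions Options = new JsonSerializerOptions
    {
        MaxDepth = 32
    };

    public static EngineSchema Load(string pathInput)
    {
        if (string.IsNullOrWhiteSpace(pathInput))
            throw new ArgumentException("A schema path is required.", nameof(pathInput));

        // Canonicalise the tainted path and reject anything that escapes the allowed root.
        string full = Path.GetFullPath(Path.Combine(AllowedRoot, pathInput));
        if (!full.StartsWith(AllowedRoot + Path.DirectorySeparatorChar, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("Schema path is outside the allowed directory.");

        // Bound the amount of untrusted input read before parsing (constructed limit: 1 MB).
        var info = new FileInfo(full);
        if (!info.Exists || info.Length > 1_000_000)
            throw new InvalidDataException("Schema file is missing or too large.");

        // Deserialize with the restricted options, then validate the object before use.
        EngineSchema? schema = JsonSerializer.Deserialize<EngineSchema>(File.ReadAllText(full), Options);
        if (schema is null || string.IsNullOrEmpty(schema.Name) || schema.Version <= 0)
            throw new InvalidDataException("Schema failed validation.");

        return schema;
    }
}
```

The analyzer treats file contents as tainted because the path is attacker-influenced; the path check and post-deserialization validation are what make the resulting object safe to hand to the engine.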
Similar errors can be found in some other places:
- V5611 [CWE-502, OWASP-1.5.2, OWASP-5.5.3] Possible insecure deserialization. Potentially tainted data in the 'expected' variable is used to deserialize an object. FormulaTypeSerializerSnapshotTests.cs 62