Deserialization of Untrusted Data

ID

scala.xml.scala_xml_rule_apachexmlrpc

Severity

low

Resource

Xml

Language

Scala

Description

Calling setEnabledForExtensions(true) on an Apache XML-RPC server or client config lets the library deserialize Java objects received from the remote peer, which an attacker can use to execute arbitrary code.

Rationale

Apache XML-RPC (ws-xmlrpc) supports a set of non-standard "extension" value types that are only accepted when the config has enabledForExtensions set to true (the default is false). One of them, ex:serializable, carries a base64-encoded serialized Java object that the library reads back with ObjectInputStream, with no class filtering. A malicious client sending a request to an extension-enabled server, or a malicious server answering an extension-enabled client, can therefore supply a gadget-chain payload and reach arbitrary code execution (CVE-2016-5003). The rule reports any call to setEnabledForExtensions on XmlRpcServerConfigImpl or XmlRpcClientConfigImpl whose argument is the constant true.

The following code illustrates a vulnerable pattern detected by this rule:

import org.apache.xmlrpc.client.XmlRpcClientConfigImpl
import org.apache.xmlrpc.server.XmlRpcServerConfigImpl

def createClientAndServerConfigs(): Unit = {
  val serverConfig = new XmlRpcServerConfigImpl
  val clientConfig = new XmlRpcClientConfigImpl
  val trueValue = true
  // VULNERABLE: Deserialization of Untrusted Data
  // With extensions on, the parser accepts <ex:serializable> and feeds it to ObjectInputStream.
  clientConfig.setEnabledForExtensions(true) // BAD
  // VULNERABLE: Deserialization of Untrusted Data (same flag passed through a local constant)
  clientConfig.setEnabledForExtensions(trueValue)
  // VULNERABLE: Deserialization of Untrusted Data
  serverConfig.setEnabledForExtensions(true)
  // VULNERABLE: Deserialization of Untrusted Data
  serverConfig.setEnabledForExtensions(trueValue)
  val falseValue = false

  // Extensions disabled (the library default): ex:serializable is rejected before any deserialization.
  clientConfig.setEnabledForExtensions(false) // GOOD
  clientConfig.setEnabledForExtensions(falseValue)
  serverConfig.setEnabledForExtensions(false)
  serverConfig.setEnabledForExtensions(falseValue)

  // Flag values that are not compile-time constants; the setting is decided at run time.
  val randomFlagForServer = Math.random() < 0.5
  serverConfig.setEnabledForExtensions(randomFlagForServer)
  val randomFlagForClient = Math.random() < 0.5
  clientConfig.setEnabledForExtensions(randomFlagForClient)
}

Remediation

Leave extensions disabled on both XmlRpcClientConfigImpl and XmlRpcServerConfigImpl; false is the library default, so simply removing the setEnabledForExtensions(true) call is enough in most code. Do not derive the flag from request data or external configuration, because a single true value exposes the endpoint to Java deserialization of attacker-supplied ex:serializable values. If a peer genuinely needs other extension types (ex:nil, ex:i8 and similar), restrict the endpoint to trusted peers or install a custom TypeFactory that refuses ex:serializable. Also reconsider the dependency itself: the last Apache XML-RPC release (3.1.3) is affected and the project has been retired, so no fixed version will be published.
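The following is an added example, not code from this rule page or from the Apache XML-RPC project, showing the hardened configuration next to a client that keeps extensions on but refuses Java deserialization. The namespace URI and element name in ExtensionsUri and SerializableTag, the NoSerializableTypeFactory class and the exact parameter list of the TypeFactoryImpl.getParser override are assumptions about the ws-xmlrpc 3.1.x API and should be checked against the version on your classpath.

```scala
import org.apache.ws.commons.util.NamespaceContextImpl
import org.apache.xmlrpc.client.{XmlRpcClient, XmlRpcClientConfigImpl}
import org.apache.xmlrpc.common.{TypeFactoryImpl, XmlRpcStreamConfig}
import org.apache.xmlrpc.parser.TypeParser
import org.apache.xmlrpc.server.XmlRpcServerConfigImpl

object XmlRpcHardening {

  // Assumption: the namespace and local name Apache XML-RPC uses for the
  // extension element that carries a serialized Java object (<ex:serializable>).
  val ExtensionsUri: String = "http://ws.apache.org/xmlrpc/namespaces/extensions"
  val SerializableTag: String = "serializable"

  // Preferred fix: extensions off. This is the library default, so the explicit
  // call only documents the intent; the parser then rejects every ex:* element.
  def safeClientConfig(): XmlRpcClientConfigImpl = {
    val cfg = new XmlRpcClientConfigImpl
    cfg.setEnabledForExtensions(false)
    cfg
  }

  def safeServerConfig(): XmlRpcServerConfigImpl = {
    val cfg = new XmlRpcServerConfigImpl
    cfg.setEnabledForExtensions(false)
    cfg
  }

  // Fallback when a peer needs other extension types: keep extensions enabled but
  // make sure ex:serializable never gets a parser, so no ObjectInputStream is
  // created for remote data. Hypothetical class name; the override signature is
  // an assumption about TypeFactoryImpl.
  class NoSerializableTypeFactory(client: XmlRpcClient) extends TypeFactoryImpl(client) {
    override def getParser(config: XmlRpcStreamConfig,
                           ctx: NamespaceContextImpl,
                           uri: String,
                           localName: String): TypeParser = {
      if (ExtensionsUri == uri && SerializableTag == localName) {
        // Abort parsing of the response rather than deserializing the payload.
        throw new IllegalArgumentException(
          "ex:serializable is not accepted by this client")
      }
      super.getParser(config, ctx, uri, localName)
    }
  }

  // Client that accepts ex:nil / ex:i8 etc. from the server but never
  // deserializes Java objects sent by it.
  def clientWithExtensionsButNoJavaSerialization(): XmlRpcClient = {
    val cfg = new XmlRpcClientConfigImpl
    cfg.setEnabledForExtensions(true) // needed for the other ex:* types
    val client = new XmlRpcClient
    client.setConfig(cfg)
    client.setTypeFactory(new NoSerializableTypeFactory(client))
    client
  }
}
```

The same TypeFactory override can be installed on the server side with XmlRpcServer.setTypeFactory, which closes the request direction for an extension-enabled server. Either way, prefer the first two helpers: turning extensions off removes the deserialization path entirely, while the custom factory only blocks one element name and has to be kept in step with the library version.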

Configuration

This detector does not need any configuration.

References