How to resolve "Deserialization of Untrusted Data" error reported by Checkmarx scan issue

Time:02-16

I have integrated the Checkmarx scan tool with an Azure DevOps pipeline. I am getting high-risk results after running the ASP.NET Core Web API pipeline. I have tried multiple approaches and re-run the pipeline, but still no luck. Could you please help me resolve the issue?

C# Code:

// Request an access token from the remote API (client is an HttpClient created elsewhere).
Uri requestUri = new Uri("https://webapi.com/token");
HttpContent httpContent = new StringContent(System.Text.Json.JsonSerializer.Serialize(new { access_token = accessToken }), Encoding.UTF8, "application/json");
var result = await client.PostAsync(requestUri, httpContent);
if (result != null && result.IsSuccessStatusCode)
{
  // Bind the JSON response body to the strongly typed TokenResponse DTO.
  var content = await result.Content.ReadAsStreamAsync();
  var authResponse = await System.Text.Json.JsonSerializer.DeserializeAsync<TokenResponse>(content);
  // DeserializeAsync returns null for a literal "null" body, so guard the dereference.
  var authToken = authResponse?.AuthenticationToken;
}

TokenResponse.cs:

class TokenResponse
{
  public string AuthenticationToken { get; set; }
}

Error Message:

The serialized object PostAsync processed in async in the file at line 42 is deserialized by DeserializeAsync in the file at line 46.

CodePudding user response:

Checkmarx does not recognize JsonSerializer as a safe deserializer. You will have to override the Checkmarx query to include JsonSerializer as one of the sanitizers using Checkmarx CxAudit, or, if you do not have CxAudit, you will have to argue with your AppSec team that this should be marked as not exploitable as per the System.Text.Json threat model:

Mitigation

Serialization and deserialization of System.Type instances is not supported by JsonSerializer by default. A custom converter can be implemented to handle System.Type instances, but care should be taken to avoid processing untrusted data.

https://github.com/dotnet/runtime/blob/main/src/libraries/System.Text.Json/docs/ThreatModel.md
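A hardened form of the deserialization step from the question, written as an added example (it is not the asker's code or the CodePudding reply): it keeps the strongly typed System.Text.Json call that the threat model covers, bounds the input with explicit options, and shows that a "$type" hint in the body is treated as an unknown member and ignored rather than used to select a type. The TokenResponse class mirrors the question; the TryParseToken name and the sample bodies are assumptions.

```csharp
using System;
using System.Text.Json;

// DTO mirroring the question's TokenResponse (assumed shape).
public sealed class TokenResponse
{
    public string AuthenticationToken { get; set; }
}

public static class TokenResponseParser
{
    // Explicit options: a small nesting limit and no tolerance for comments or
    // trailing commas, so oversized or malformed bodies fail fast instead of binding.
    private static readonly JsonSerializerOptions Options = new JsonSerializerOptions
    {
        MaxDepth = 8,
        AllowTrailingCommas = false,
        ReadCommentHandling = JsonCommentHandling.Disallow,
        PropertyNameCaseInsensitive = false,
    };

    // Returns the token, or null when the body is not a well-formed TokenResponse.
    // JsonSerializer only materialises the declared CLR type: members that do not map
    // to a property (including a "$type" hint) are skipped, and no type name in the
    // payload can change which class is constructed.
    public static string TryParseToken(string json)
    {
        try
        {
            TokenResponse response = JsonSerializer.Deserialize<TokenResponse>(json, Options);
            return response?.AuthenticationToken;   // null for a literal "null" body
        }
        catch (JsonException)
        {
            return null;   // malformed JSON, depth exceeded, or wrong value types
        }
    }

    public static void Main()
    {
        // Constructed sample bodies: a normal response, one carrying a "$type" hint, and junk.
        string normal   = "{\"AuthenticationToken\":\"abc123\"}";
        string withType = "{\"$type\":\"Some.Assembly.Type\",\"AuthenticationToken\":\"x\"}";
        string junk     = "not json";

        Console.WriteLine(TryParseToken(normal));
        Console.WriteLine(TryParseToken(withType));
        Console.WriteLine(TryParseToken(junk) ?? "(rejected)");
    }
}
```

The second sample is the case the threat model speaks to: with no custom converter for System.Type and no polymorphism configured on TokenResponse, the "$type" member has no effect on which object is created.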
