mcp-server-semgrep/semgrep-rules/java/lang/security/audit/object-deserialization.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: object-deserialization
  metadata:
    cwe:
    - 'CWE-502: Deserialization of Untrusted Data'
    owasp:
    - A08:2017 - Insecure Deserialization
    - A08:2021 - Software and Data Integrity Failures
    source-rule-url: https://find-sec-bugs.github.io/bugs.htm#OBJECT_DESERIALIZATION
    references:
    - https://www.owasp.org/index.php/Deserialization_of_untrusted_data
    - https://www.oracle.com/java/technologies/javase/seccodeguide.html#8
    category: security
    technology:
    - java
    cwe2022-top25: true
    cwe2021-top25: true
    subcategory:
    - audit
    likelihood: LOW
    impact: HIGH
    confidence: LOW
  message: >-
    Found object deserialization using ObjectInputStream. Deserializing entire
    Java objects is dangerous because malicious actors can create Java object
    streams with unintended consequences. Ensure that the objects being deserialized
    are not user-controlled. If this must be done, consider using HMACs to sign
    the data stream to make sure it is not tampered with, or consider only
    transmitting object fields and populating a new object.
  severity: WARNING
  languages:
  - java
  pattern: new ObjectInputStream(...);