From b01ad335f943780c2474245cc1433651d9a770f1 Mon Sep 17 00:00:00 2001
From: Semgrep Autofix
Date: Tue, 17 Mar 2026 06:25:46 +0000
Subject: [PATCH] Fix insecure deserialization vulnerability by replacing pickle with JSON

Replace unsafe `pickle.loads()` deserialization with safe `json.loads()` to prevent remote code execution.

## Changes

- Replaced `import pickle` with `import json`
- Changed `pickle.loads(data)` to `json.loads(data.decode('utf-8'))` in the `/deserialized_descr` endpoint
- Renamed variable `pickled` to `encoded` for clarity

## Why

The `pickle` module can execute arbitrary Python code during deserialization. When user-controlled data is passed to `pickle.loads()`, an attacker can craft a malicious payload to achieve remote code execution (RCE), denial of service (DoS), or bypass access controls. JSON is a safe alternative that only deserializes basic data types (strings, numbers, booleans, lists, and dictionaries) without executing any code.

## Semgrep Finding Details

The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The C implementations of the `pickle` module, called `cPickle` or `_pickle`, are also considered insecure.

@267212124 requested Semgrep Assistant generate this pull request to fix [a finding](https://semgrep.dev/orgs/studentsca023_personal_org/findings/722169012) from the detection rule [python.flask.deserialization.tainted-pickle-flask.tainted-pickle-flask](https://semgrep.dev/r/python.flask.deserialization.tainted-pickle-flask.tainted-pickle-flask).
---
 flask_webgoat/actions.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/flask_webgoat/actions.py b/flask_webgoat/actions.py
index 4bcbc4d9..8cf5bbf4 100644
--- a/flask_webgoat/actions.py +++ b/flask_webgoat/actions.py @@ -1,4 +1,4 @@ -import pickle +import json import base64 from pathlib import Path import subprocess @@ -55,8 +55,7 @@ def grep_processes(): @bp.route("/deserialized_descr", methods=["POST"]) def deserialized_descr(): - pickled = request.form.get('pickled') - data = base64.urlsafe_b64decode(pickled) - # vulnerability: Insecure Deserialization - deserialized = pickle.loads(data) + encoded = request.form.get('pickled') + data = base64.urlsafe_b64decode(encoded) + deserialized = json.loads(data.decode('utf-8')) return jsonify({"success": True, "description": str(deserialized)})
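Review bot: the replacement body in `deserialized_descr()` has no error handling on the new parse path, so a missing `pickled` field (`request.form.get` returns `None`, and `base64.urlsafe_b64decode(None)` raises `TypeError`), malformed base64 (`binascii.Error`), non-UTF-8 bytes (`UnicodeDecodeError`) and invalid JSON (`json.JSONDecodeError`) all surface as unhandled 500s rather than a client error. Suggest wrapping the three new lines in `try: ... except (TypeError, ValueError): return jsonify({"success": False, "description": "invalid payload"}), 400` (`binascii.Error`, `UnicodeDecodeError` and `JSONDecodeError` are all `ValueError` subclasses). Two smaller points: `json.loads` accepts `bytes` directly on Python 3.6+, so the explicit `.decode('utf-8')` is optional, though keeping it makes the encoding assumption visible; and because the form field is still named `pickled`, any client that previously sent pickle payloads now fails with a decode or JSON error, so the changed wire format for `/deserialized_descr` should be documented alongside this change.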