Avoiding selection of arbitrary classes is key to CWE-502, but so is the 
bounding of arrays and strings (which are a specialized form of array).  
Consider attacks based on messages with an intentionally large number of 
objects.  Before that message is unpacked you need to know that the object 
count is reasonable.  Is that possible today?

On Wednesday, January 13, 2021 at 3:44:17 PM UTC-5 Eric Anderson wrote:

> On Wed, Jan 13, 2021 at 4:47 AM Tom Hintz <[email protected]> wrote:
>
>> What infrastructure is available to validate gRPC messages prior to 
>> deserialization to protect against CWE-502 attacks?  Reference:
>>
>> MITRE CWE-502 Description 
>> <https://cwe.mitre.org/data/definitions/502.html>
>>
>
> I wouldn't say there is any general support to manage attacks like that, 
> because you shouldn't be using such marshalling formats unless you trust 
> the remote. Protobuf, JSON (depending on parser), Flatbuffers, etc are much 
> more restricted than Java serialization and Python pickle and don't allow 
> specifying arbitrary classes.
>
> Some languages may have APIs that would let you do some validation if you 
> were so inclined. For example, in Java you could use an interceptor along 
> with ServerInterceptors.useInputStreamMessages() 
> <https://grpc.github.io/grpc-java/javadoc/io/grpc/ServerInterceptors.html#useInputStreamMessages-io.grpc.ServerServiceDefinition-> 
> so that the interceptor observes the message before it is deserialized. But 
> solutions like that are very language-specific. Obviously a proxy would be 
> a cross-language solution.
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/grpc-io/cc61cd2e-e9ef-468d-b85b-3cf11aa962e8n%40googlegroups.com.
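The question at the top of this thread is whether the object count can be bounded before a message is unpacked, and Eric's reply notes that an interceptor (or a proxy) can see the raw bytes before deserialization. The following is an added example, not code from this thread, from the gRPC project or from the protobuf library, of what such a raw-bytes check can do. It reads only the 5-byte gRPC frame header and the protobuf tags and lengths, rejecting the frame if the declared size exceeds a limit or if a repeated field (assumed here to be field number 1; take the real number from your .proto) has more elements than allowed, all before any object is constructed. The two limits, the field number and the sample frames are assumptions constructed for illustration.

```python
"""Pre-deserialization guard for a protobuf message inside a gRPC frame.

Added example, not code from the grpc.io thread or the gRPC project. Assumes
gRPC length-prefixed framing (1-byte compressed flag, 4-byte big-endian
length, then the message) and an assumed schema whose repeated field is
field number 1.
"""
import struct

MAX_MESSAGE_BYTES = 4 * 1024 * 1024   # assumed policy; grpc's default max receive size
MAX_REPEATED_ENTRIES = 1000           # assumed policy limit for the repeated field

# Protobuf wire types (tag = field_number << 3 | wire_type)
VARINT, FIXED64, LENGTH_DELIMITED, START_GROUP, END_GROUP, FIXED32 = 0, 1, 2, 3, 4, 5


class RejectedMessage(Exception):
    """Raised when the raw bytes fail a bound before any object is built."""


def read_varint(buf, pos):
    """Decode one base-128 varint at pos; reject truncated or over-long encodings."""
    result, shift = 0, 0
    for _ in range(10):                  # a 64-bit value never needs more than 10 bytes
        if pos >= len(buf):
            raise RejectedMessage("truncated varint")
        byte, pos = buf[pos], pos + 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
    raise RejectedMessage("varint longer than 10 bytes")


def count_field_occurrences(payload, field_number):
    """Count top-level tags for field_number by walking tags and lengths only.

    Each element of a repeated message field carries its own tag, so this is
    the element count. A packed repeated scalar field is one length-delimited
    blob and counts as 1; bound its length instead. Nested messages are
    skipped, not descended into.
    """
    pos, count, depth = 0, 0, 0
    while pos < len(payload):
        at_top = depth == 0
        tag, pos = read_varint(payload, pos)
        field, wire_type = tag >> 3, tag & 7
        if field == 0:
            raise RejectedMessage("field number 0 is invalid")
        if wire_type == VARINT:
            _, pos = read_varint(payload, pos)
        elif wire_type == FIXED64:
            pos += 8
        elif wire_type == LENGTH_DELIMITED:
            length, pos = read_varint(payload, pos)
            pos += length
        elif wire_type == FIXED32:
            pos += 4
        elif wire_type == START_GROUP:
            depth += 1
        elif wire_type == END_GROUP:
            depth -= 1
            if depth < 0:
                raise RejectedMessage("END_GROUP without START_GROUP")
        else:
            raise RejectedMessage(f"unknown wire type {wire_type}")
        if pos > len(payload):
            raise RejectedMessage("field value runs past end of message")
        if at_top and field == field_number:
            count += 1
    if depth != 0:
        raise RejectedMessage("unterminated group")
    return count


def check_grpc_frame(frame, field_number=1):
    """Apply the bounds to one gRPC frame; return the element count on success."""
    if len(frame) < 5:
        raise RejectedMessage("frame shorter than the 5-byte gRPC header")
    compressed, length = struct.unpack(">BI", frame[:5])
    if length > MAX_MESSAGE_BYTES:      # decided from the header alone, body unread
        raise RejectedMessage(f"declared length {length} exceeds {MAX_MESSAGE_BYTES}")
    if compressed:
        # Tags cannot be inspected through compression: reject, or decompress
        # with an output bound and then call count_field_occurrences.
        raise RejectedMessage("compressed payload not inspected")
    payload = frame[5:5 + length]
    if len(payload) != length:
        raise RejectedMessage("frame body shorter than declared length")
    count = count_field_occurrences(payload, field_number)
    if count > MAX_REPEATED_ENTRIES:
        raise RejectedMessage(f"{count} entries in field {field_number} exceeds {MAX_REPEATED_ENTRIES}")
    return count


def rejection_reason(frame, field_number=1):
    """None if the frame passes, else the rejection text."""
    try:
        check_grpc_frame(frame, field_number)
        return None
    except RejectedMessage as exc:
        return str(exc)


# Constructed sample input: a minimal encoder so the example needs no protobuf package.
def encode_varint(value):
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append((byte | 0x80) if value else byte)
        if not value:
            return bytes(out)


def length_delimited(field_number, data):
    return encode_varint(field_number << 3 | LENGTH_DELIMITED) + encode_varint(len(data)) + data


def sample_frame(n_items):
    """Frame whose message has n_items sub-messages in field 1 and a string in field 2."""
    item = encode_varint(1 << 3 | VARINT) + encode_varint(7)     # sub-message: field 1 = 7
    payload = b"".join(length_delimited(1, item) for _ in range(n_items))
    payload += length_delimited(2, b"hello")
    return struct.pack(">BI", 0, len(payload)) + payload
```

In grpc-java the natural hook is the `onMessage(InputStream)` callback of a listener installed by an interceptor on a service wrapped with `ServerInterceptors.useInputStreamMessages()`, as Eric describes; a proxy that speaks the gRPC framing can run the same walk for every language. The walk is linear in message size and allocates nothing per element, which is the property that makes it safe to run on untrusted input, but it also means the decision is only as good as the bounds: the size limit is checked from the header before the body is read, the element limit still requires reading the body once.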
