Serializable Class Containing Sensitive Data

ID

go.serializable_class_containing_sensitive_data

Severity

low

Resource

Information Leak

Language

Go

Tags

CWE:499, NIST.SP.800-53

Description

A serializable struct directly holds sensitive data (such as a password), so the secret is written out every time the struct is encoded.

Rationale

When a serializable type holds sensitive data, every encoding of that type (a JSON API response, a gob or cache entry, a message on a queue, a log line) carries the secret with it, and anyone who can read one of those encodings can read the secret.

Consider the following Go struct:

package serializable_class_containing_sensitive_data

// Score is defined elsewhere in the package.

// Struct tags are space-separated key:"value" pairs; a semicolon between
// them makes the whole tag unparseable to encoding/json and gorm.
type User struct { // FLAW: Password is an exported, JSON-tagged field
	ID         uint    `json:"id" gorm:"primary_key"`
	Username   string  `json:"username" gorm:"unique"`
	Password   string  `json:"password"` // emitted by every json.Marshal(user)
	FirstName  string  `json:"firstname"`
	LastName   string  `json:"lastname"`
	Scores     []Score `json:"scores"`
	TotalScore uint    `json:"totalscore"`
	Admin      bool    `json:"admin" gorm:"default:false"`
}

In this scenario, User is serializable and directly stores sensitive data: Password is an exported field with a json tag, so encoding/json (and any other reflection-based encoder) writes the credential into every encoded copy of the user, whether that copy is sent to a client, written to a cache or log, or persisted. Wherever one of those copies travels or rests, an attacker who intercepts or reads it obtains the password.
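The following added example (not code from the original page or from the detector's project) makes the leak concrete and shows the hardened form. It assumes a minimal Score type, a constructed sample password and hash, and two encoders from the standard library, encoding/json and encoding/gob, to show that a `json:"-"` tag silences only the JSON encoder while an unexported field is invisible to all of them:

```go
package main

import (
	"bytes"
	"encoding/gob"
	"encoding/json"
	"fmt"
)

// Score is an assumed stand-in for the page's Score type.
type Score struct {
	Game  string `json:"game"`
	Value uint   `json:"value"`
}

// LeakyUser mirrors the flawed struct: Password is exported, so every
// reflection-based encoder (json, gob, xml, ...) emits it.
type LeakyUser struct {
	ID       uint    `json:"id"`
	Username string  `json:"username"`
	Password string  `json:"password"`
	Scores   []Score `json:"scores"`
	Admin    bool    `json:"admin"`
}

// SafeUser keeps the credential out of serialized output in two ways:
// the field is unexported, so no encoder can reach it by reflection, and it
// holds a hash rather than the plaintext password. A json:"-" tag on an
// exported field would also silence encoding/json, but only encoding/json.
type SafeUser struct {
	ID           uint    `json:"id"`
	Username     string  `json:"username"`
	passwordHash string  // never serialized: unexported
	Scores       []Score `json:"scores"`
	Admin        bool    `json:"admin"`
}

// SetPasswordHash stores an already-computed hash (e.g. bcrypt output).
func (u *SafeUser) SetPasswordHash(h string) { u.passwordHash = h }

// EncodeJSON serializes v with encoding/json.
func EncodeJSON(v any) ([]byte, error) { return json.Marshal(v) }

// EncodeGob serializes v with encoding/gob; strings are stored verbatim,
// so a leaked secret is as greppable here as in JSON.
func EncodeGob(v any) ([]byte, error) {
	var buf bytes.Buffer
	if err := gob.NewEncoder(&buf).Encode(v); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// Leaks reports whether an encoded form contains the secret verbatim.
func Leaks(encoded []byte, secret string) bool {
	return bytes.Contains(encoded, []byte(secret))
}

func main() {
	const secret = "s3cret-p@ss" // constructed sample credential
	scores := []Score{{Game: "chess", Value: 42}}
	leaky := LeakyUser{ID: 1, Username: "alice", Password: secret, Scores: scores}
	safe := SafeUser{ID: 1, Username: "alice", Scores: scores}
	safe.SetPasswordHash("$2a$10$constructed-sample-hash") // constructed

	for _, c := range []struct {
		name string
		v    any
	}{{"leaky", leaky}, {"safe", safe}} {
		j, _ := EncodeJSON(c.v)
		g, _ := EncodeGob(c.v)
		fmt.Printf("%-5s json leaks=%-5v gob leaks=%-5v %s\n",
			c.name, Leaks(j, secret), Leaks(g, secret), j)
	}
}
```

If the field must stay exported (for example because an ORM maps it), tag it `json:"-"` and remember that the tag is encoder-specific; other encoders need their own exclusion. Note also that `json:"-,"` (with a trailing comma) does not exclude the field: it emits it under the key "-".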

Remediation

Keep the secret out of the serializable type. Either make the field unexported (so no reflection-based encoder can see it) or, if it must stay exported, tag it `json:"-"` and apply the equivalent exclusion for every other encoder in use. Store a password hash rather than the plaintext, and expose user data to clients through a separate output type that never carries the credential.

Configuration

The detector has the following configurable parameters:

  • sensitiveKinds, the kinds of sensitive data that this detector reports.

References

  • CWE-499 : Serializable Class Containing Sensitive Data.