Rust serialization / deserialization vs RCE / DOS attacks

#1
  1. This is a follow-up to "Serde guarantees on malicious input?".

  2. Here’s the situation: I’m writing a webapp in Rust, for both client side and server side.

  3. I want some library where I can take arbitrary Rust struct, add some derive to it, and get serialization / deserialization for free.

  4. At the same time, attackers may send malicious strings – so I need the auto-derived deserialization to be safe against buffer overflows / remote code execution, plus some type of defense against denial of service (oh hey, this item has an array of 1,000,000,000 floats).

  5. Advice? What is standard practice for this?

0 Likes

#2

I’m pretty sure Serde already fits that description. Bugs have been found in serde, as they are with any piece of software, but it is supposed to be robust in the face of malicious input. Serde is certainly being exposed to the wide internet in crates.io.

1 Like
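As an added illustration (not code posted by either participant, and not serde's own implementation), the following self-contained Rust program shows the deserializer-side discipline that makes the "array of 1,000,000,000 floats" case harmless: a declared element count is checked against a policy budget and against the bytes actually present before anything is allocated, and every failure comes back as an `Err` rather than a panic or an unbounded allocation. The wire format (u32 little-endian count followed by that many little-endian f32 values), the `MAX_FLOATS` budget and the `DecodeError` variants are all constructed for this example.

```rust
// Added example, not from the thread: a hand-written decoder for a tiny
// length-prefixed binary format, showing how a deserializer stays safe when
// the attacker controls the declared length.
//
// Wire format (constructed for this example):
//   u32 little-endian element count, followed by that many f32 values.

use std::convert::TryInto;

/// Upper bound on the number of floats a single message may carry.
/// This value is a policy choice made for the example, not something the thread specifies.
pub const MAX_FLOATS: usize = 1 << 16;

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    /// Fewer bytes than the header (or the declared count) requires.
    Truncated,
    /// Declared count exceeds MAX_FLOATS; carries the declared value.
    TooManyElements(usize),
    /// Bytes left over after the declared payload; carries how many.
    TrailingBytes(usize),
}

pub fn decode_floats(input: &[u8]) -> Result<Vec<f32>, DecodeError> {
    let header = input.get(..4).ok_or(DecodeError::Truncated)?;
    let declared = u32::from_le_bytes(header.try_into().unwrap()) as usize;

    // Policy check first: a declared length beyond the budget is rejected
    // before a single byte of payload is touched or allocated.
    if declared > MAX_FLOATS {
        return Err(DecodeError::TooManyElements(declared));
    }

    // Consistency check: the payload must actually contain the declared data.
    let payload = &input[4..];
    let needed = declared * 4; // cannot overflow: declared <= MAX_FLOATS
    if payload.len() < needed {
        return Err(DecodeError::Truncated);
    }
    if payload.len() > needed {
        return Err(DecodeError::TrailingBytes(payload.len() - needed));
    }

    // Only now allocate, and only as much as the validated payload holds.
    let floats = payload
        .chunks_exact(4)
        .map(|c| f32::from_le_bytes(c.try_into().unwrap()))
        .collect();
    Ok(floats)
}

/// Encoder for the same constructed format, used to build well-formed test input.
pub fn encode_floats(values: &[f32]) -> Vec<u8> {
    let mut out = Vec::with_capacity(4 + values.len() * 4);
    out.extend_from_slice(&(values.len() as u32).to_le_bytes());
    for v in values {
        out.extend_from_slice(&v.to_le_bytes());
    }
    out
}

/// Constructed hostile input: the header claims 1,000,000,000 floats, the body is empty.
pub fn hostile_header_only() -> Vec<u8> {
    1_000_000_000u32.to_le_bytes().to_vec()
}

fn main() {
    let good = encode_floats(&[1.5, -2.0, 3.25]);
    println!("well-formed: {:?}", decode_floats(&good));
    println!("hostile:     {:?}", decode_floats(&hostile_header_only()));
}
```

The point of the ordering is that the declared count is never trusted as an allocation size: the budget check and the "is the data really there" check both run before `Vec` is built, so the hostile header costs the server a few comparisons instead of four gigabytes. With a derived serde `Deserialize` you get the same error-not-panic behaviour for free, and the remaining DoS controls sit outside the deserializer: cap the request body size at the HTTP layer before handing bytes to `serde_json`, and rely on `serde_json`'s default recursion depth limit to stop deeply nested input from exhausting the stack.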