Serde guarantees on malicious input?


Does serde make any guarantees on malicious input?

Suppose I’m running a rust server which uses serde to deserialize some input.

Suppose some attacker constructs malicious string, is it possible for it to trick serde to do arbitrary code execution, or does serde just return an Error in that case?

1 Like

This is a good question. I am in no way related to serde, so don’t take this for a final answer, but the way I understand it, either the data fit’s the type to which you deserialize (it’s valid) or serde should err out of deserialization.

Apart from code review, a good way to poke at this is fuzz testing. There are several tools for rust fuzz testing, which would allow you to try for yourself.

If you find any crashes in serde, you can report them here:

By the looks of it several bugs have been found in serde already thanks to fuzz testing.

Rust serialization / deserialization vs RCE / DOS attacks

It think that doesn’t depend on serde itself, but the specific format parser you use with it (so e.g. serde_json).

Parsers written in safe Rust shouldn’t have problems with RCE, but you’d need to review the code to be sure.

A thing to watch for is denial of service by exhausting memory. Binary file formats may have things like array lengths, and a naive parser could be tricked into pre-allocating too much memory for them.