Insecure Deserialization in Chi with Api Keys

Insecure deserialization occurs when an application accepts and processes serialized data without sufficient integrity checks. In a Chi application that relies on API keys for routing or authorization, combining deserialization endpoints with key handling can amplify risk. Chi is a lightweight routing library for Clojure, and developers often use it to define routes that parse request bodies, headers, and query parameters. If a route deserializes untrusted input—such as JSON, MessagePack, or serialized Java objects—and also uses API keys for access control, an attacker may exploit the deserialization path to bypass or misuse key validation.

For example, if an endpoint accepts serialized objects and reconstructs them without validating structure or type, an attacker can craft malicious payloads that execute code or alter control flow. When API keys are processed after deserialization, malicious objects might mutate or replace key variables, or the deserialization routine might be tricked into treating attacker-controlled data as trusted authorization metadata. Even when keys are read from headers before deserialization, poor isolation between parsing and authorization logic can allow an attacker to smuggle key-like values inside serialized structures that later override expected behavior.

Chi routes do not enforce any built-in deserialization safeguards; they rely on the underlying libraries and developer code. If deserialization is performed using functions that reconstruct objects with user-defined class resolutions (e.g., Java serialization or certain Clojure data readers), an attacker can trigger gadget chains that execute arbitrary code. This becomes especially dangerous when API keys are used to gate sensitive endpoints, because a successful deserialization exploit may allow an attacker to execute logic under the context of a privileged key without ever knowing the key value.

Real-world attack patterns mirror known CVEs in related ecosystems, such as gadget chains in Java deserialization (CVE-2015-4852) and unsafe Clojure data reading. The presence of API keys does not mitigate these issues; instead, it raises the impact because compromising a key can lead to unauthorized access across protected routes. Therefore, any Chi route that both handles API keys and deserializes input must treat deserialization as a high-risk operation and isolate it from authorization logic.

To secure a Chi application that uses API keys, ensure deserialization never occurs on untrusted data, and strictly separate authorization from object reconstruction. Prefer schema-validated parsing with whitelisted types, and avoid general-purpose deserializers for user input. Below are concrete code examples that demonstrate safe practices.

Example 1: Safe key extraction and validated JSON parsing

Read the API key from headers early, and parse the body using a schema-validated library that does not invoke arbitrary class construction.

(ns myapp.routes
  (:require [compojure.core :refer [GET POST defroutes]]
            [cheshire.core :as json])
  (:import (java.util UUID)))

(defn extract-api-key [request]
  (get-in request [:headers "x-api-key"]))

(defn validate-and-parse-body [body]
  ;; Use a schema-aware parser; do not use read-string or Java serialization
  (try
    (json/parse-string body true)
    (catch Exception e
      (throw (ex-info "Invalid JSON" {:status 400})))))

(defroutes app-routes
  (POST "/secure" request
    (let [api-key (extract-api-key request)
          body-payload (validate-and-parse-body (:body request))]
      (if (not= api-key (System/getenv "EXPECTED_API_KEY"))
        {:status 401 :body {:error "unauthorized"}}
        ;; Proceed with validated data, no deserialization of untrusted structures
        {:status 200 :body {:received (select-keys body-payload [:name :action])}}))))

Example 2: Avoiding dangerous deserialization in middleware

If you must process serialized formats, use hardened libraries and disable class resolution. Never pass user input to functions that reconstruct objects with full classpath resolution.

(ns myapp.middleware
  (:require [cheshire.core :as json])
  (:import (com.fasterxml.jackson.databind ObjectMapper)
           (com.fasterxml.jackson.databind.cfg DeserializationFeature)))

(defn safe-jackson-mapper []
  (doto (ObjectMapper.)
    (.disable DeserializationFeature/FAIL_ON_UNKNOWN_PROPERTIES)
    ;; Ensure no Java object deserialization is enabled
    (.activateDefaultTypingAsProperty nil com.fasterxml.jackson.databind.jsontype.impl.TypeNameResolver$NO_TYPE_NAME "@class")))

(def ^:private mapper (safe-jackson-mapper))

(defn safe-deserialize [json-str]
  ;; Only map to simple maps and known data classes; no generic readValue
  (.readValue mapper json-str (type {})))

Example 3: API key validation before any processing

Fail fast: validate the API key before parsing or deserializing any body content to reduce the attack surface.

(defn authorized? [request]
  (= (get-in request [:headers "x-api-key"])
     (System/getenv "EXPECTED_API_KEY")))

(defroutes app-routes
  (POST "/resource" request
    (if (not (authorized? request))
      {:status 401 :body {:error "invalid key"}}
      (let [body-map (safe-deserialize (:body request))]
        {:status 200 :body (process body-map)}))))

In summary, remediate by extracting API keys early, using schema-based parsing instead of generic deserialization, and ensuring that no user-controlled data reaches object reconstruction routines. These steps reduce the risk of insecure deserialization while preserving the intended use of API keys for access control.