-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathUnsafeDeserialization.qhelp
More file actions
97 lines (87 loc) · 4.02 KB
/
UnsafeDeserialization.qhelp
File metadata and controls
97 lines (87 loc) · 4.02 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
<qhelp>
<overview>
<p>
Deserializing untrusted data using any method that allows the construction of
arbitrary objects is easily exploitable and, in many cases, allows an attacker
to execute arbitrary code.
</p>
<p>
Note that a deserialization method is only dangerous if it can instantiate
arbitrary classes or objects. Serialization frameworks that use a schema to instantiate
only expected, predefined types are generally not tracked by this query. Such
frameworks are generally safe with respect to arbitrary-class-instantiation and
gadget-chain attacks when the schema is trusted and does not permit
user-controlled type resolution. However, care must be taken to ensure the schema
strictly limits the allowed types. Permitting common standard library classes
can still leave the application vulnerable to gadget-chain attacks.
</p>
</overview>
<recommendation>
<p>
Avoid deserialization of untrusted data if possible. If the architecture permits
it, use serialization formats that cannot represent arbitrary objects. For
libraries that support it, such as the Ruby standard library's <code>JSON</code>
module, ensure that the parser is configured to disable
deserialization of arbitrary objects.
</p>
<p>
If deserializing an untrusted YAML document using the <code>psych</code> gem,
prefer the <code>safe_load</code> and <code>safe_load_file</code> methods over
<code>load</code> and <code>load_file</code>, as the former will safely
handle untrusted data. Avoid passing untrusted data to the <code>load_stream</code>
method. In <code>psych</code> version 4.0.0 and above, the <code>load</code> method can
safely be used.
</p>
<p>
If deserializing an untrusted XML document using the <code>ox</code> gem,
do not use <code>parse_obj</code> and <code>load</code> using the non-default :object mode.
Instead use the <code>load</code> method in the default mode or better explicitly set a safe
mode such as :hash.
</p>
<p>
To safely deserialize <a href="https://en.wikipedia.org/wiki/Property_list">Property List</a>
files using the <code>plist</code> gem, ensure that you pass <code>marshal: false</code>
when calling <code>Plist.parse_xml</code>.
</p>
</recommendation>
<example>
<p>
The following example calls the <code>Marshal.load</code>,
<code>JSON.load</code>, <code>YAML.load</code>, <code>Oj.load</code> and <code>Ox.parse_obj</code>
methods on data from an HTTP request. Since these methods are capable of deserializing
to arbitrary objects, this is inherently unsafe.
</p>
<sample src="examples/UnsafeDeserializationBad.rb"/>
<p>
Using <code>JSON.parse</code> and <code>YAML.safe_load</code> instead, as in the
following example, removes the vulnerability. Similarly, calling
<code>Oj.load</code> with any mode other than <code>:object</code> is safe, as
is calling <code>Oj.safe_load</code>. Note that there is no safe way to deserialize
untrusted data using <code>Marshal</code>.
</p>
<sample src="examples/UnsafeDeserializationGood.rb"/>
</example>
<references>
<li>
OWASP vulnerability description:
<a href="https://www.owasp.org/index.php/Deserialization_of_untrusted_data">deserialization of untrusted data</a>.
</li>
<li>
Ruby documentation: <a href="https://docs.ruby-lang.org/en/3.0.0/doc/security_rdoc.html">guidance on deserializing objects safely</a>.
</li>
<li>
Ruby documentation: <a href="https://ruby-doc.org/core-3.0.2/Marshal.html#module-Marshal-label-Security+considerations">security guidance on the Marshal library</a>.
</li>
<li>
Ruby documentation: <a href="https://ruby-doc.org/stdlib-3.0.2/libdoc/json/rdoc/JSON.html#method-i-load">security guidance on JSON.load</a>.
</li>
<li>
Ruby documentation: <a href="https://ruby-doc.org/stdlib-3.0.2/libdoc/yaml/rdoc/YAML.html#module-YAML-label-Security">security guidance on the YAML library</a>.
</li>
<li>
You can read that how unsafe yaml load methods can lead to code executions:
<a href="https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html">Universal Deserialisation Gadget for Ruby 2.x-3.x </a>.
</li>
</references>
</qhelp>