Unsafe YAML Deserialization
Description
Passing untrusted input to `YAML.unsafe_load` (or to `YAML.load` on Psych versions before 4.0, where `load` had the same unsafe behaviour) can lead to deserialization bugs and remote code execution (RCE). The parser honours YAML type tags such as `!ruby/object:SomeClass`, so a crafted document can instantiate any Ruby class already on the application's load path and populate its instance variables with attacker-chosen values. Chains of such objects ("gadgets") whose methods run during or shortly after loading have been used to execute attacker-controlled commands.
Examples
Insecure Code

```ruby
YAML.unsafe_load(user_input)
```

Secure Code

```ruby
YAML.safe_load(user_input, permitted_classes: [Symbol], aliases: true)
```

Remediation
Use `YAML.safe_load` instead of `unsafe_load` on any data that crosses a trust boundary. `safe_load` builds only the core YAML types (strings, numbers, booleans, nil, arrays and hashes) and raises `Psych::DisallowedClass` when the document carries a tag for a class not listed in `permitted_classes`; grant only the classes the application genuinely expects (`Symbol` in the example above) and never broad ones such as `Object`. Pass `aliases: true` only when the input legitimately uses YAML anchors; otherwise leave it at the default so untrusted input cannot exercise that feature at all. On Ruby 3.1+ (Psych 4) `YAML.load` is already the safe variant, so a remaining call to `unsafe_load` is an explicit decision to trust the input; reserve it for data the application itself produced, and treat everything else as untrusted unless it has been validated.
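The following Ruby script is an added illustration, not code from the original rule page or from the Psych project. It puts the insecure and secure calls side by side on a constructed payload: `AuditEntry` stands in for any class the target application can load, `PAYLOAD` and `BENIGN` are constructed documents, and `load_untrusted` is a hypothetical wrapper showing how application code should handle the rejection.

```ruby
require "yaml"

# Constructed stand-in for any class already loadable in the target app
# (assumption for this example; a real attacker picks a class with useful
# side effects in its methods).
class AuditEntry
  attr_reader :cmd
end

# Constructed attacker-controlled document: the !ruby/object tag names the
# class to allocate, and the mapping keys become its instance variables.
PAYLOAD = <<~YAML
  --- !ruby/object:AuditEntry
  cmd: id
YAML

# Constructed benign document of the shape the application actually expects;
# the ":fast" scalar becomes a Symbol, which is why Symbol is permitted below.
BENIGN = <<~YAML
  name: report
  retries: 3
  mode: :fast
YAML

# Vulnerable loader. On Psych >= 4 (Ruby 3.1+) the unsafe entry point is
# YAML.unsafe_load; on older Psych plain YAML.load behaves the same way.
def unsafe_parse(doc)
  if YAML.respond_to?(:unsafe_load)
    YAML.unsafe_load(doc)
  else
    YAML.load(doc)
  end
end

# Hardened loader: only core YAML types plus Symbol are built; a tag naming
# any other class makes Psych raise Psych::DisallowedClass.
def safe_parse(doc)
  YAML.safe_load(doc, permitted_classes: [Symbol])
end

# Hypothetical wrapper for application code: reject tagged objects and
# malformed YAML instead of letting either exception propagate to the caller.
def load_untrusted(doc)
  safe_parse(doc)
rescue Psych::DisallowedClass, Psych::SyntaxError => e
  warn "rejected untrusted YAML: #{e.message}"
  nil
end

if $PROGRAM_NAME == __FILE__
  obj = unsafe_parse(PAYLOAD)
  puts "unsafe_load built #{obj.class} with cmd=#{obj.cmd.inspect}"
  p load_untrusted(BENIGN)   # plain Hash with a Symbol value
  p load_untrusted(PAYLOAD)  # nil, after the rejection warning
end
```

Running the script shows `unsafe_parse` handing back a fully populated `AuditEntry` built from attacker text, while `safe_parse` rejects the same document and still loads the benign one, including its Symbol, unchanged.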
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0499 |
| Category | Deserialization |
| Severity | CRITICAL |
| CWE | CWE-502 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | deserialization, RCE |
| OWASP | N/A |
References
- https://github.com/semgrep/semgrep-rules/blob/develop/ruby/lang/security/bad-deserialization-yaml.yaml
- https://bishopfox.com/blog/ruby-vulnerabilities-exploits