Deserialization of untrusted data
Description
In Ruby, objects can be serialized into strings and later reconstituted into live objects. The `load` and `object_load` methods of modules such as Marshal and CSV are particularly risky when they deserialize data from an untrusted source: the serialized stream, not the application, decides which classes are instantiated and with what state. An attacker who can tamper with that data may therefore execute arbitrary code on the system at the moment it is deserialized. The result is remote code execution (RCE), where the attacker gains the ability to run commands on the host machine.
Examples
Insecure Code
```ruby
# Marshal reconstitutes whatever object graph the untrusted bytes describe
Marshal.load(request.env)
```

Secure Code

```ruby
require 'json'

# JSON.parse yields only plain Ruby data (Hash, Array, String, numbers, booleans, nil)
JSON.parse(json_data, symbolize_names: true)
```

Remediation
Do not deserialize data from untrusted sources with Marshal-style loaders; use JSON for serialization and deserialization instead. Validate and sanitize the input before it is deserialized, and check that the parsed structure has the expected shape before using it.
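The following added example (not part of the original rule text) contrasts the two patterns above: `insecure_load` hands the choice of class to the serialized bytes, while `secure_load` parses JSON into plain data and validates its shape before building an application object. `Point`, `EXPECTED` and the sample inputs are constructed for this example.

```ruby
require 'json'

# Constructed example: a plain value object that a serializer could reconstitute.
Point = Struct.new(:x, :y)

# Insecure pattern: Marshal rebuilds whatever object graph the bytes describe,
# so the caller has no control over which classes get instantiated.
def insecure_load(bytes)
  Marshal.load(bytes)
end

# Secure pattern: JSON.parse yields only Hash/Array/String/Numeric/true/false/nil
# (create_additions is off by default), then the shape is validated explicitly
# against an allow-list of keys and types before any application object is built.
EXPECTED = { 'x' => Integer, 'y' => Integer }.freeze

def secure_load(json_text)
  data = JSON.parse(json_text)
  raise ArgumentError, 'expected a JSON object' unless data.is_a?(Hash)
  extra = data.keys - EXPECTED.keys
  raise ArgumentError, "unexpected keys: #{extra.join(', ')}" unless extra.empty?
  EXPECTED.each do |key, type|
    raise ArgumentError, "#{key} must be #{type}" unless data[key].is_a?(type)
  end
  Point.new(data['x'], data['y'])
end

if __FILE__ == $PROGRAM_NAME
  # The Marshal stream decides the class: a Point here, but any loadable class elsewhere.
  puts insecure_load(Marshal.dump(Point.new(1, 2))).class
  puts secure_load('{"x": 1, "y": 2}').inspect
  begin
    secure_load('{"x": 1, "y": 2, "json_class": "Point"}')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```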
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0525 |
| Category | Deserialization |
| Severity | CRITICAL |
| CWE | CWE-502 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | insecure deserialization, remote code execution |
| OWASP | A8:2017-Insecure Deserialization, A08:2021-Software and Data Integrity Failures |
References
- https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ
- https://github.com/semgrep/semgrep-rules/blob/develop/ruby/lang/security/bad-deserialization-env.yaml