Unsafe Deserialization from YAML
Description
The `load` method of Ruby's YAML module (Psych) is dangerous when it is used to deserialize data from an untrusted source: on Psych versions before 4, `YAML.load` will instantiate any Ruby class named by a `!ruby/object:` style tag in the document, so an attacker who controls the input can build arbitrary objects inside the process and, through classes whose deserialization hooks have side effects, reach remote code execution (RCE).
Examples
Insecure Code
```ruby
# On Psych < 4 (Ruby < 3.1) this revives any class named by a tag in
# user_input, so attacker-controlled documents can construct arbitrary objects.
YAML.load(user_input)
```
Secure Code
```ruby
# Only the basic YAML types plus the listed classes are deserialized; any other
# tagged class raises Psych::DisallowedClass. Keyword arguments replace the
# deprecated positional form (permitted_classes, permitted_symbols, aliases).
YAML.safe_load(user_input, permitted_classes: [Date, Time], aliases: true)
```
Remediation
Use `YAML.safe_load` instead of `YAML.load` so that only the basic YAML types (`Hash`, `Array`, `String`, `Integer`, `Float`, `true`/`false`/`nil`) plus an explicit allowlist of classes are deserialized; any other tag raises `Psych::DisallowedClass` instead of instantiating the named class. Keep `permitted_classes` to simple value types such as `Date` and `Time`, and do not add application classes whose `init_with` or `marshal_load` hooks have side effects. Enable `aliases: true` only when the input legitimately uses anchors, because alias expansion is what makes "billion laughs" style resource exhaustion possible. On Psych 4 (bundled with Ruby 3.1 and later) `YAML.load` delegates to `safe_load` and the permissive loader has been renamed `YAML.unsafe_load`, so code that must also run on older Rubies still needs the explicit `safe_load` call, and any `unsafe_load` on untrusted input should be treated exactly like the insecure example above.
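The following is an added example, not code from the original rule page or from Psych itself. It shows the two behaviours side by side on a constructed attacker document: the permissive loader revives an arbitrary class named by a `!ruby/object:` tag, while `safe_load` with the remediation's allowlist rejects it and still accepts an ordinary document containing a date. The `AppConfig` class, both YAML strings and the helper names `unsafe_parse`, `safe_parse` and `classify` are assumptions made for the demonstration.

```ruby
require 'yaml'
require 'date'

# Stand-in for any class reachable in the target process. Psych revives it with
# allocate (initialize is never called) and assigns instance variables straight
# from the mapping, so a real application class can be put into a state its
# constructor would never allow.
class AppConfig
  attr_accessor :path
end

# Constructed attacker-controlled document: the tag names a Ruby class to build.
TAGGED_PAYLOAD = "--- !ruby/object:AppConfig\npath: /etc/passwd\n"

# Constructed benign document of the shape the application actually expects.
BENIGN_DOC = "name: nightly\ncreated: 2024-01-02\n"

# The pattern this rule flags. Psych 4 (Ruby 3.1+) moved the permissive
# behaviour to unsafe_load and made load delegate to safe_load, so dispatch on
# what the running interpreter provides to show the same behaviour either way.
def unsafe_parse(doc)
  if YAML.respond_to?(:unsafe_load)
    YAML.unsafe_load(doc)
  else
    YAML.load(doc)
  end
end

# The remediation: basic YAML types plus an explicit allowlist are revived;
# any other tagged class raises Psych::DisallowedClass.
def safe_parse(doc)
  YAML.safe_load(doc, permitted_classes: [Date, Time], aliases: true)
end

# Wraps safe_parse so the outcome is a plain value: [:accepted, parsed_value]
# for documents the allowlist permits, [:rejected, message] for tagged classes
# the safe loader refuses to instantiate.
def classify(doc)
  value = safe_parse(doc)
  [:accepted, value]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  obj = unsafe_parse(TAGGED_PAYLOAD)
  puts "permissive loader built #{obj.class} with path=#{obj.path.inspect}"
  puts "safe loader on payload:    #{classify(TAGGED_PAYLOAD).inspect}"
  puts "safe loader on benign doc: #{classify(BENIGN_DOC).inspect}"
end
```

Running the script prints an `AppConfig` instance for the permissive loader and a `:rejected` result mentioning `AppConfig` for the safe loader, while the benign document comes back as a `Hash` whose `created` entry is a `Date` because `Date` is on the allowlist; remove `Date` from `permitted_classes` and the benign document is rejected too, which is the behaviour you want for any type you did not deliberately permit.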
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0526 |
| Category | Deserialization |
| Severity | CRITICAL |
| CWE | CWE-502 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | deserialization, yaml, ruby |
| OWASP | A8:2017-Insecure Deserialization, A08:2021-Software and Data Integrity Failures |
References
- https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ
- https://github.com/semgrep/semgrep-rules/blob/develop/ruby/lang/security/bad-deserialization-yaml.yaml