Custom JSON Deserialization
Description
Defining a `json_create` class method opts the class into the json gem's `create_additions` mechanism: when a parser runs with `create_additions` enabled (the default for `JSON.load`, but not for `JSON.parse`) and meets an object carrying a `json_class` key, it resolves that name to a class and calls its `json_create` with the parsed, attacker-controlled hash. A `json_create` body that feeds those values into constructors, `send`, file or shell operations is a direct CWE-502 path to Remote Code Execution (RCE) and other deserialization bugs, and even a harmless body lets an attacker instantiate the class with arbitrary state. Every `json_create` definition should be audited and, at least, fuzzed.
Examples
Insecure Code
```ruby
class User
  # Called implicitly by any parse with create_additions enabled (e.g. JSON.load)
  # as soon as the input contains {"json_class": "User"}; the whole hash,
  # including every field read below, comes straight from the attacker.
  def self.json_create(object)
    # deserialization code
  end
end
```
Secure Code
```ruby
class User
  # Not named json_create, so the json gem never dispatches to it on its own;
  # the caller invokes it explicitly on a Hash obtained from JSON.parse and is
  # responsible for validating the fields before building the object.
  def self.safe_json_create(object)
    # safe deserialization code
  end
end
```
Remediation
Audit every `json_create` definition and every parse call that can reach it: never hand untrusted input to `JSON.load` or to any call made with `create_additions: true`, and fuzz the `json_create` bodies that remain. Prefer `JSON.parse`, which leaves `create_additions` off by default and returns plain Hashes and Arrays, and construct objects explicitly from validated fields instead of relying on implicit `json_class` dispatch.
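The dispatch described in the Description and the explicit-construction alternative recommended above, as an added, runnable example that is not part of the original rule page. The `Profile` class, its `json_create` body, the `ALLOWED_ROLES` list and the sample input are all constructed for illustration: the point is that the same document becomes a `Profile` under `JSON.load` with `create_additions` enabled, but stays a plain Hash under `JSON.parse`, where the caller decides what to build from it.

```ruby
require 'json'

# Hypothetical model class (constructed for this example).
class Profile
  attr_reader :name, :role

  def initialize(name, role)
    @name = name
    @role = role
  end

  # Hook the json gem calls automatically when create_additions is enabled and
  # the parsed object contains {"json_class": "Profile"}. Nothing here is
  # validated: the hash is exactly what the remote party sent.
  def self.json_create(object)
    new(object['name'], object['role'])
  end
end

# Constructed sample input: the sender chooses json_class and every field.
UNTRUSTED = '{"json_class":"Profile","name":"eve","role":"admin"}'

# Insecure path: JSON.load with create_additions dispatches to Profile.json_create
# and returns a Profile whose role was chosen by the attacker.
def load_with_additions(src)
  JSON.load(src, nil, create_additions: true)
end

# JSON.parse keeps create_additions off by default, so the same input is just a
# Hash; "json_class" is an ordinary key with no special meaning.
def parse_plain(src)
  JSON.parse(src)
end

# Safe path: parse to plain data, validate, then build the object explicitly
# (the allow-list is an assumption of this example).
ALLOWED_ROLES = %w[user moderator].freeze

def safe_profile_from(src)
  data = JSON.parse(src)
  role = data['role']
  raise ArgumentError, "unexpected role #{role.inspect}" unless ALLOWED_ROLES.include?(role)
  Profile.new(data['name'].to_s, role)
end

if __FILE__ == $PROGRAM_NAME
  puts load_with_additions(UNTRUSTED).inspect   # a Profile with role "admin"
  puts parse_plain(UNTRUSTED).inspect           # a plain Hash
  begin
    safe_profile_from(UNTRUSTED)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

`create_additions: true` is passed explicitly so the behaviour does not depend on the json gem version's defaults for `JSON.load`; the defining property of the insecure path is that `Profile.json_create` runs without anyone in the application calling it.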
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0798 |
| Category | Deserialization |
| Severity | HIGH |
| CWE | CWE-502 |
| Confidence | LOW |
| Impact | HIGH |
| Likelihood | LOW |
| Exploitability | COMPLEX |
| Tags | deserialization, RCE |
| OWASP | N/A |
References
- https://github.blog/2024-06-20-execute-commands-by-sending-json-learn-how-unsafe-deserialization-vulnerabilities-work-in-ruby-projects/
- https://github.com/github/codeql/blob/main/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll
- https://stackoverflow.com/questions/17226402/whats-the-difference-between-json-load-and-json-parse-methods-of-ruby-lib