
Always warn about deserializing with Marshal #1902

Merged: 1 commit merged into main from update_deserialize_check on Dec 30, 2024

Conversation

presidentbeef (Owner)

A little bit noisy, but people probably want to know about uses of Marshal.load in their applications.

Low confidence, so easily ignored with --confidence-level 2.


dryrunsecurity bot commented Dec 30, 2024

DryRun Security Summary

The pull request enhances security testing in a Ruby on Rails application by introducing new test cases and updates to the Brakeman security scanner to detect potential vulnerabilities related to dynamic code evaluation and unsafe deserialization.


Summary:

The code changes in this pull request focus on improving the security testing of a Ruby on Rails application. The changes introduce new test cases that target potential security vulnerabilities related to dynamic code evaluation and unsafe deserialization.

The key security-related changes include:

  1. Dangerous Eval: The code includes test cases that check for the use of dynamic code evaluation using eval and instance_eval, which can lead to remote code execution vulnerabilities if user input is not properly sanitized.

  2. Unsafe Deserialization: A new test case has been added to check for the use of Marshal.load, which can also lead to remote code execution vulnerabilities if the input data is not properly validated.

Additionally, the changes include updates to the Brakeman security scanner's CheckDeserialize module, which aims to provide more comprehensive detection of unsafe deserialization vulnerabilities, including those involving YAML, CSV, and Oj deserialization.

Overall, these changes demonstrate a focus on improving the security testing and vulnerability detection capabilities of the Rails application, which is a crucial aspect of maintaining a secure application.

Files Changed:

  1. test/tests/rails8.rb: This file contains new test cases that target potential security vulnerabilities related to dynamic code evaluation and unsafe deserialization.
  2. lib/brakeman/checks/check_deserialize.rb: This file is part of the Brakeman security scanner and has been updated to improve the detection of unsafe deserialization vulnerabilities.
  3. test/apps/rails8/app/controllers/application_controller.rb: This file contains a new method, deserialize_it, that uses the potentially unsafe Marshal.load() function to deserialize data. This should be reviewed and addressed to mitigate the risk of deserialization attacks.

Code Analysis

We ran 9 analyzers against 3 files and 0 analyzers had findings. 9 analyzers had no findings.

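To make the kind of finding this pull request is about concrete, here is an added example that is not Brakeman's own code (Brakeman uses its own parser, its own deserialization check and its own rules for assigning confidence). It uses Ruby's standard-library Ripper to parse source text and report calls to deserialization entry points such as Marshal.load, YAML.unsafe_load or Oj.load on any argument, which is the "always warn" behaviour the PR title describes. The sample controller source, the receiver/method table, and the heuristic that bumps confidence when params, cookies or request appear in the argument are all constructed for this example and are assumptions, not taken from the pull request or the Brakeman test app.

```ruby
require "ripper"

# Constructed sample, loosely modelled on a Rails controller; not the PR's test app.
SAMPLE = <<~RUBY
  class ApplicationController < ActionController::Base
    def deserialize_it
      obj = Marshal.load(params[:data])
      other = ::Marshal.load Base64.decode64(cookies[:blob])
      JSON.parse(params[:json])        # safe parser, not reported
      Marshal.dump(obj)                # serializing is not reported
    end

    def load_cache
      Marshal.load(File.binread(CACHE_PATH))   # no request data involved
    end
  end
RUBY

# Receiver => methods treated as unsafe deserialization entry points.
# This table is an assumption for the example, not Brakeman's list.
UNSAFE_DESERIALIZERS = {
  "Marshal" => %w[load restore],
  "YAML"    => %w[load unsafe_load load_file],
  "Oj"      => %w[load object_load],
  "CSV"     => %w[load]
}.freeze

# Identifiers that usually carry request-controlled data in a controller (heuristic).
USER_INPUT = %w[params cookies request].freeze

# Name of a constant receiver such as Marshal, ::Marshal or Foo::Marshal; nil otherwise.
def const_name(node)
  return nil unless node.is_a?(Array)
  case node[0]
  when :@const then node[1]
  when :var_ref, :top_const_ref, :const_ref then const_name(node[1])
  when :const_path_ref then const_name(node[2])
  end
end

# Every plain identifier used anywhere below node (params, cookies, local names ...).
def ident_names(node, acc = [])
  return acc unless node.is_a?(Array)
  acc << node[1] if node[0] == :@ident
  node.each { |child| ident_names(child, acc) }
  acc
end

# Record a finding if `call` is Receiver.method with a receiver/method from the table.
def record(call, args, findings)
  receiver = const_name(call[1])
  meth = call[3]
  return unless receiver && meth.is_a?(Array) && meth[0] == :@ident
  return unless UNSAFE_DESERIALIZERS.fetch(receiver, []).include?(meth[1])
  tainted = (ident_names(args) & USER_INPUT).any?
  findings << { receiver: receiver, method: meth[1], line: meth[2][0],
                confidence: tainted ? :high : :low }   # ranking is this example's assumption
end

# Depth-first walk over the Ripper s-expression; findings are collected in source order.
def walk(node, findings)
  return unless node.is_a?(Array)
  case node[0]
  when :method_add_arg          # Receiver.meth(args)
    call, args = node[1], node[2]
    if call.is_a?(Array) && call[0] == :call
      record(call, args, findings)
      walk(call[1], findings)   # the receiver expression may itself contain calls
      walk(args, findings)
      return                    # do not revisit the :call node below
    end
  when :command_call            # Receiver.meth args   (no parentheses)
    record(node, node[4], findings)
  when :call                    # Receiver.meth with no arguments at all
    record(node, nil, findings)
  end
  node.each { |child| walk(child, findings) }
end

# Returns an array of findings; an unparsable file yields no findings.
def find_unsafe_deserialization(source)
  tree = Ripper.sexp(source)   # nil on a syntax error
  return [] unless tree
  findings = []
  walk(tree, findings)
  findings
end

if __FILE__ == $0
  find_unsafe_deserialization(SAMPLE).each do |f|
    puts "#{f[:confidence].to_s.ljust(4)} line #{f[:line]}: #{f[:receiver]}.#{f[:method]}"
  end
end
```

Run against the constructed sample it reports both Marshal.load calls in deserialize_it as high confidence (request data is visible in the argument) and the one in load_cache as low confidence, while Marshal.dump and JSON.parse are left alone. Ranking by visible request data is only the example's way of illustrating why a blanket Marshal.load warning is reported at low confidence and is easy to filter with a confidence threshold; Brakeman's actual confidence logic is not reproduced here.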

presidentbeef force-pushed the update_deserialize_check branch from 5bf7e13 to aadca79 on December 30, 2024 01:25
presidentbeef force-pushed the update_deserialize_check branch from aadca79 to f891743 on December 30, 2024 01:31
presidentbeef merged commit 5f37891 into main on Dec 30, 2024 (18 checks passed)
presidentbeef deleted the update_deserialize_check branch on December 30, 2024 02:07