Notes posted by joels

RSS feed
January 6, 2016
0 thanks

What about Marshal remote code execution risks?

Good suggestion about using Marshal to avoid cycles, astgtciv, but what about the security risks of doing that?

See http://ruby-doc.org/core-2.2.2/Marshal.html where it states:

By design, ::load can deserialize almost any class loaded into the Ruby process. In many cases this can lead to remote code
execution if the Marshal data is loaded from an untrusted source.

As a result, ::load is not suitable as a general purpose serialization format and you should never unmarshal user supplied input or other
untrusted data.

If you need to deserialize untrusted data, use JSON or another serialization format that is only able to load simple,primitive’ types such
as String, Array, Hash, etc. Never allow user input to specify arbitrary types to deserialize into.