class Railroader::CheckDeserialize

Public Instance Methods

check_csv() click to toggle source
# File lib/railroader/checks/check_deserialize.rb, line 18
def check_csv
  check_methods :CSV, :load
end
check_deserialize(result, target, arg = nil) click to toggle source
# File lib/railroader/checks/check_deserialize.rb, line 32
def check_deserialize result, target, arg = nil
  return unless original? result

  arg ||= result[:call].first_arg
  method = result[:call].method

  if input = has_immediate_user_input?(arg)
    confidence = :high
  elsif input = include_user_input?(arg)
    confidence = :medium
  end

  if confidence
    message = "#{target}.#{method} called with #{friendly_type_of input}"

    warn :result => result,
      :warning_type => "Remote Code Execution",
      :warning_code => :unsafe_deserialize,
      :message => message,
      :user_input => input,
      :confidence => confidence,
      :link_path => "unsafe_deserialization"
  end
end
check_marshal() click to toggle source
# File lib/railroader/checks/check_deserialize.rb, line 22
def check_marshal
  check_methods :Marshal, :load, :restore
end
check_methods(target, *methods) click to toggle source
# File lib/railroader/checks/check_deserialize.rb, line 26
def check_methods target, *methods
  tracker.find_call(:target => target, :methods => methods).each do |result|
    check_deserialize result, target
  end
end
check_yaml() click to toggle source
# File lib/railroader/checks/check_deserialize.rb, line 14
def check_yaml
  check_methods :YAML, :load, :load_documents, :load_stream, :parse_documents, :parse_stream
end
run_check() click to toggle source
# File lib/railroader/checks/check_deserialize.rb, line 8
def run_check
  check_yaml
  check_csv
  check_marshal
end