class Railroader::CheckDeserialize
Public Instance Methods
check_csv()
# File lib/railroader/checks/check_deserialize.rb, line 18
# Report CSV.load calls whose argument carries user input. CSV.load can
# instantiate objects described in the CSV header, so it is treated like the
# other deserializers here.
def check_csv
  target = :CSV
  check_methods target, :load
end
check_deserialize(result, target, arg = nil)
# File lib/railroader/checks/check_deserialize.rb, line 32
# Emit an "Remote Code Execution" warning for a single deserialization call
# whose argument is influenced by user input.
#
# result - the call result returned by tracker.find_call
# target - the receiver being checked (:YAML, :CSV or :Marshal)
# arg    - the argument to inspect; defaults to the call's first argument
#
# Confidence is :high when the argument is directly user input and :medium
# when user input is merely included in it. A call whose argument shows no
# recognisable user input is not reported at all, so data deserialized from
# files, databases or other non-request sources is outside this check's scope.
def check_deserialize result, target, arg = nil
  return unless original? result

  call = result[:call]
  arg ||= call.first_arg

  input = has_immediate_user_input?(arg)
  if input
    confidence = :high
  else
    input = include_user_input?(arg)
    confidence = :medium if input
  end

  # Nothing tainted reached the deserializer -> no warning.
  return unless confidence

  warn :result => result,
    :warning_type => "Remote Code Execution",
    :warning_code => :unsafe_deserialize,
    :message => "#{target}.#{call.method} called with #{friendly_type_of input}",
    :user_input => input,
    :confidence => confidence,
    :link_path => "unsafe_deserialization"
end
check_marshal()
# File lib/railroader/checks/check_deserialize.rb, line 22
# Report Marshal.load / Marshal.restore calls fed by user input. Marshal has
# no safe variant: any attacker-controlled byte stream can instantiate
# arbitrary objects, so both entry points are checked.
def check_marshal
  target = :Marshal
  check_methods target, :load, :restore
end
check_methods(target, *methods)
# File lib/railroader/checks/check_deserialize.rb, line 26
# Look up every call of one of +methods+ on +target+ and hand each one to
# check_deserialize for the user-input analysis.
#
# target  - receiver constant, e.g. :YAML
# methods - method names on that receiver to match
def check_methods target, *methods
  calls = tracker.find_call :target => target, :methods => methods
  calls.each { |call_result| check_deserialize call_result, target }
end
check_yaml()
# File lib/railroader/checks/check_deserialize.rb, line 14
# Report YAML entry points that can build Ruby objects from a document when
# their input is user controlled. YAML.safe_load is not among the flagged
# methods, so code that already uses it is not reported by this check.
def check_yaml
  unsafe_loaders = [:load, :load_documents, :load_stream, :parse_documents, :parse_stream]
  check_methods :YAML, *unsafe_loaders
end
run_check()
# File lib/railroader/checks/check_deserialize.rb, line 8
# Entry point for the check: run the YAML, CSV and Marshal scans in that
# order. Each scan only reports calls whose argument carries user input.
def run_check
  check_yaml
  check_csv
  check_marshal
end