\n
\n
![\"Github:](\"https:\/\/image.blockchain.news:443\/features\/24B6EBDC6093F0C1F639A6A7DA12473E2D2C5C390185833B0F398CC7FCE1368C.jpg\")
\n
\n <\/a>
\n <\/figure>\n
Unsafe deserialization vulnerabilities in Ruby projects can enable attackers to execute arbitrary commands on remote servers by sending JSON data. According to The GitHub Blog<\/a>, these vulnerabilities occur when the deserialization process allows the instantiation of arbitrary classes or class-like structures specified in the serialized data.<\/p>\n In Ruby, unsafe deserialization vulnerabilities are often exploited through libraries that support polymorphism, such as the Oj JSON serialization library. Attackers can chain multiple classes together to execute code on the system under attack. These classes, known as gadgets, are combined into a gadget chain to form a larger exploit.<\/p>\n For instance, when using the Oj library for deserializing JSON, a project can be vulnerable if it includes a construct like:<\/p>\n The Oj library, by default, supports the instantiation of classes specified in JSON, which can be disabled by using To demonstrate how this works, consider a class named A JSON payload to instantiate this class might look like:<\/p>\n Loading this JSON with This would execute the command specified in the To detect unsafe deserialization vulnerabilities, one can build a detection gadget chain. For example, a class like The detection gadget can also be extended to a full-fledged remote code execution (RCE) chain. This involves using classes and methods that are part of Ruby or its dependencies to execute arbitrary commands.<\/p>\n To prevent such vulnerabilities, it is crucial to use safe deserialization methods. For example, using For developers with access to the source code, GitHub\u2019s code scanning with CodeQL can identify unsafe deserialization sinks. If the source code is not accessible, detection gadgets can be used to identify vulnerabilities remotely.<\/p>\n Understanding how unsafe deserialization works and implementing secure coding practices can help avoid these vulnerabilities. For more detailed examples and detection methodologies, refer to the original blog post<\/a> by The GitHub Blog.<\/p>\nHow Unsafe Deserialization Works<\/h2>\n
data = Oj.load(untrusted_json)<\/code><\/pre>\nOj.safe_load<\/code> instead.<\/p>\nSimpleClass<\/code> with a hash<\/code> method that executes a command:<\/p>\nclass SimpleClass
\n def initialize(cmd)
\n @cmd = cmd
\n end
\n
\n def hash
\n system(@cmd)
\n end
\nend<\/code><\/pre>\n{
\n \"^o\": \"SimpleClass\",
\n \"cmd\": \"open -a calculator\"
\n}<\/code><\/pre>\nOj.load<\/code> would not trigger the hash<\/code> method directly, but placing the class inside a hash as the key can trigger the method:<\/p>\nOj.load(json_payload)<\/code><\/pre>\n@cmd<\/code> member variable.<\/p>\nBuilding a Detection Gadget<\/h2>\n
Gem::Requirement<\/code> can be used, which has a hash<\/code> method that calls to_s<\/code> on an internal member. By creating a suitable JSON payload, one can trigger this chain to detect vulnerabilities.<\/p>\nPreventing Unsafe Deserialization<\/h2>\n
Oj.safe_load<\/code> instead of Oj.load<\/code> can prevent the instantiation of arbitrary classes. Additionally, tools like CodeQL can help detect unsafe deserialization by analyzing the source code for vulnerable patterns.<\/p>\n