Class: RuboCop::Cop::Airbnb::UnsafeYamlMarshal
- Inherits:
-
Base
- Object
- Base
- RuboCop::Cop::Airbnb::UnsafeYamlMarshal
- Defined in:
- lib/rubocop/cop/airbnb/unsafe_yaml_marshal.rb
Overview
Disallow use of YAML/Marshal methods that can trigger RCE on untrusted input
Constant Summary collapse
- MSG =
'Using unsafe YAML parsing methods on untrusted input can lead ' \ 'to remote code execution. Use `safe_load`, `parse`, `parse_file`, or ' \ '`parse_stream` instead'.freeze
- RESTRICT_ON_SEND =
%i(load load_documents load_file load_stream).freeze
Instance Method Summary collapse
Instance Method Details
#check_marshal(node) ⇒ Object
34 35 36 37 38 39 40 41 42 |
# File 'lib/rubocop/cop/airbnb/unsafe_yaml_marshal.rb', line 34 def check_marshal(node) return unless node.receiver.const_name == 'Marshal' return unless node.method?(:load) = 'Using `Marshal.load` on untrusted input can lead to remote code execution. ' \ 'Restructure your code to not use Marshal' add_offense(node, message: ) end |
#check_yaml(node) ⇒ Object
23 24 25 26 27 28 29 30 31 32 |
# File 'lib/rubocop/cop/airbnb/unsafe_yaml_marshal.rb', line 23 def check_yaml(node) const_name = node.receiver.const_name return unless ['YAML', 'Psych'].include?(const_name) = "Using `#{const_name}.#{node.method_name}` on untrusted input can lead " \ "to remote code execution. Use `safe_load`, `parse`, `parse_file`, or " \ "`parse_stream` instead" add_offense(node, message: ) end |
#on_send(node) ⇒ Object
11 12 13 14 15 16 17 18 19 20 21 |
# File 'lib/rubocop/cop/airbnb/unsafe_yaml_marshal.rb', line 11 def on_send(node) return if node.receiver.nil? return unless node.receiver.const_type? check_yaml(node) check_marshal(node) rescue => e puts e puts e.backtrace raise end |