Class: Spektr::Checks::Deserialize

Inherits:

Base

• Object
• Base
• Spektr::Checks::Deserialize

Defined in:

lib/spektr/checks/deserialize.rb

Instance Attribute Summary

Attributes inherited from Base

#name

Instance Method Summary

• #check_csv ⇒ Object
• #check_marshal ⇒ Object
• #check_method(method, receiver) ⇒ Object
• #check_oj ⇒ Object
• #check_yaml ⇒ Object

  TODO: handle safe yaml.

• #initialize(app, target) ⇒ Deserialize constructor

  A new instance of Deserialize.

• #run ⇒ Object

Methods inherited from Base

#app_version_between?, #dupe?, #model_attribute?, #should_run?, #target_affected?, #user_input?, #version_affected, #version_between?, #warn!

Constructor Details

#initialize(app, target) ⇒ Deserialize

Returns a new instance of Deserialize.

# File 'lib/spektr/checks/deserialize.rb', line 5

def initialize(app, target)
  super
  @name = "Unsafe object deserialization"
  @type = "Insecure Deserialization"
  @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller", "Spektr::Targets::Routes", "Spektr::Targets::View"]
end

Instance Method Details

#check_csv ⇒ Object

# File 'lib/spektr/checks/deserialize.rb', line 20

def check_csv
  check_method(:load, "CSV")
end

#check_marshal ⇒ Object

# File 'lib/spektr/checks/deserialize.rb', line 31

def check_marshal
  [:load, :restore].each do |method|
    check_method(method, "Marshal")
  end
end

#check_method(method, receiver) ⇒ Object

# File 'lib/spektr/checks/deserialize.rb', line 48

def check_method(method, receiver)
  calls = @target.find_calls(method, receiver)
  calls.each do |call|
    argument = call.arguments.first
    if argument.ast.type == :send && argument.ast.children.last.children.first.is_a?(Parser::AST::Node)
      argument = Exp::Argument.new(argument.ast.children.last.children.first)
    end
    if user_input?(argument.type, argument.name, argument.ast)
      warn! @target, self, call.location, "#{receiver}.#{method} is called with user supplied value"
    end
  end
end

#check_oj ⇒ Object

# File 'lib/spektr/checks/deserialize.rb', line 37

def check_oj
  check_method(:object_load, "Oj")
  safe_default = false
  safe_default = true if @target.find_calls(:mimic_JSON, "Oj").any?
  call = @target.find_calls(:default_options=, "Oj").last
  safe_default = true if call && call.options[:mode]&.value != :object
  unless safe_default
    check_method(:load, "Oj")
  end
end

#check_yaml ⇒ Object

TODO: handle safe yaml

# File 'lib/spektr/checks/deserialize.rb', line 25

def check_yaml
  [:load_documents, :load_stream, :parse_documents, :parse_stream].each do |method|
    check_method(method, "YAML")
  end
end

#run ⇒ Object

# File 'lib/spektr/checks/deserialize.rb', line 12

def run
  return unless super
  check_csv
  check_yaml
  check_marshal
  check_oj
end