Document and test YAML.safe_load

ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp

@@ -27,8 +27,9 @@ are capable of deserializing to arbitrary objects, this is inherently unsafe.
 </p>
 <sample src="examples/UnsafeDeserializationBad.rb"/>
 <p>
-Using <code>YAML.parse</code> instead, with the default options, removes the
-vulnerability.
+Using <code>JSON.parse</code> and <code>YAML.safe_load</code> instead, as in the
+following example, removes the vulnerability. Note that there is no safe way to
+deserialize untrusted data using <code>Marshal</code>.
 </p>
 <sample src="examples/UnsafeDeserializationGood.rb"/>
 </example>

ql/src/queries/security/cwe-502/examples/UnsafeDeserializationGood.rb

@@ -5,4 +5,9 @@ class UserController < ActionController::Base
     object = JSON.parse params[:json]
     # ...
   end
+
+  def safe_yaml_example
+    object = YAML.safe_load params[:yaml]
+    # ...
+  end
 end

ql/test/query-tests/security/cwe-502/UnsafeDeserialization.rb

@@ -38,4 +38,10 @@ class UsersController < ActionController::Base
     yaml_data = params[:key]
     object = YAML.load yaml_data
   end
+
+  # GOOD
+  def route6
+    yaml_data = params[:key]
+    object = YAML.safe_load yaml_data
+  end
 end