Merge pull request #14544 from p-/p--oj-ox-unsafe-deser

Ruby: additional unsafe deserialization sinks for ox and one for oj

ruby/ql/src/change-notes/2024-01-30-unsafe-deserialization-sinks.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Added new unsafe deserialization sinks for the ox gem.
+* Added an additional unsafe deserialization sink for the oj gem.

ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp

@@ -27,6 +27,13 @@ method. In <code>psych</code> version 4.0.0 and above, the <code>load</code> met
 safely be used.
 </p>
 
+<p>
+If deserializing an untrusted XML document using the <code>ox</code> gem,
+do not use <code>parse_obj</code> and <code>load</code> using the non-default :object mode.
+Instead use the <code>load</code> method in the default mode or better explicitly set a safe
+mode such as :hash. 
+</p>
+
 <p>
 To safely deserialize <a href="https://en.wikipedia.org/wiki/Property_list">Property List</a>
 files using the <code>plist</code> gem, ensure that you pass <code>marshal: false</code>
@@ -37,8 +44,8 @@ when calling <code>Plist.parse_xml</code>.
 <example>
 <p>
 The following example calls the <code>Marshal.load</code>,
-<code>JSON.load</code>, <code>YAML.load</code>, and <code>Oj.load</code> methods
-on data from an HTTP request. Since these methods are capable of deserializing
+<code>JSON.load</code>, <code>YAML.load</code>, <code>Oj.load</code> and <code>Ox.parse_obj</code>
+methods on data from an HTTP request. Since these methods are capable of deserializing
 to arbitrary objects, this is inherently unsafe.
 </p>
 <sample src="examples/UnsafeDeserializationBad.rb"/>

ruby/ql/src/queries/security/cwe-502/examples/UnsafeDeserializationBad.rb

@@ -23,4 +23,9 @@ class UserController < ActionController::Base
     object = Oj.load params[:json]
     # ...
   end
+
+  def ox_example
+    object = Ox.parse_obj params[:xml]
+    # ...
+  end
 end