Ruby: Reword unsafe deserialization qhelp

Harry Maclean
2023-05-29 03:46:30 +00:00
parent e515981c81
commit ca1024e285


@@ -19,13 +19,12 @@ deserialization of arbitrary objects.
</p>
<p>
If deserializing an untrusted YAML document using the <code>psych</code> gem
prior to version 4.0.0, the <code>load</code> method is vulnerable. Use
<code>safe_load</code> instead. With <code>psych</code> version 4.0.0 and later,
the <code>load</code> is safe. The same applies to <code>load_file</code>.
<code>load_stream</code> is vulnerable in all versions. The safe versions of these
methods (<code>safe_load</code> and <code>safe_load_file</code>) are not vulnerable
in any known version.
If deserializing an untrusted YAML document using the <code>psych</code> gem,
prefer the <code>safe_load</code> and <code>safe_load_file</code> methods over
<code>load</code> and <code>load_file</code>, as the former will safely
handle untrusted data. Avoid passing untrusted data to the <code>load_stream</code>
method. In <code>psych</code> version 4.0.0 and above, the <code>load</code> can
safely be used.
</p>
<p>
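Review bot: The last sentence of the new paragraph still reads "the <code>load</code> can safely be used", carrying over the missing noun from the removed text ("the <code>load</code> is safe"); suggest "the <code>load</code> method can safely be used". The rewrite also drops the removed text's statement that the same version caveat applies to <code>load_file</code> ("The same applies to <code>load_file</code>"), so a reader of the new paragraph is told that <code>load_file</code> should be avoided without learning that the 4.0.0 cut-off covers it too; consider "In <code>psych</code> version 4.0.0 and above, the <code>load</code> and <code>load_file</code> methods can safely be used." Finally, the removed text explicitly flagged <code>load_stream</code> as vulnerable in all versions, whereas the new "Avoid passing untrusted data to the <code>load_stream</code> method" no longer says why; keeping the version note there would preserve that information.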