
Commit 760dbd7

committed
Add test for rb/unsafe-deserialization
1 parent 9b9fc18 commit 760dbd7


3 files changed

+65
-0
lines changed

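--- /dev/null
+++ b/<expected-results file: path not shown on page>
@@ -0,0 +1,23 @@
+edges
+| UnsafeDeserialization.rb:8:39:8:44 | call to params : | UnsafeDeserialization.rb:9:27:9:41 | serialized_data |
+| UnsafeDeserialization.rb:14:39:14:44 | call to params : | UnsafeDeserialization.rb:15:30:15:44 | serialized_data |
+| UnsafeDeserialization.rb:20:17:20:22 | call to params : | UnsafeDeserialization.rb:21:24:21:32 | json_data |
+| UnsafeDeserialization.rb:26:17:26:22 | call to params : | UnsafeDeserialization.rb:27:27:27:35 | json_data |
+| UnsafeDeserialization.rb:38:17:38:22 | call to params : | UnsafeDeserialization.rb:39:24:39:32 | yaml_data |
+nodes
+| UnsafeDeserialization.rb:8:39:8:44 | call to params : | semmle.label | call to params : |
+| UnsafeDeserialization.rb:9:27:9:41 | serialized_data | semmle.label | serialized_data |
+| UnsafeDeserialization.rb:14:39:14:44 | call to params : | semmle.label | call to params : |
+| UnsafeDeserialization.rb:15:30:15:44 | serialized_data | semmle.label | serialized_data |
+| UnsafeDeserialization.rb:20:17:20:22 | call to params : | semmle.label | call to params : |
+| UnsafeDeserialization.rb:21:24:21:32 | json_data | semmle.label | json_data |
+| UnsafeDeserialization.rb:26:17:26:22 | call to params : | semmle.label | call to params : |
+| UnsafeDeserialization.rb:27:27:27:35 | json_data | semmle.label | json_data |
+| UnsafeDeserialization.rb:38:17:38:22 | call to params : | semmle.label | call to params : |
+| UnsafeDeserialization.rb:39:24:39:32 | yaml_data | semmle.label | yaml_data |
+#select
+| UnsafeDeserialization.rb:9:27:9:41 | serialized_data | UnsafeDeserialization.rb:8:39:8:44 | call to params : | UnsafeDeserialization.rb:9:27:9:41 | serialized_data | Unsafe deserialization of $@. | UnsafeDeserialization.rb:8:39:8:44 | call to params | user input |
+| UnsafeDeserialization.rb:15:30:15:44 | serialized_data | UnsafeDeserialization.rb:14:39:14:44 | call to params : | UnsafeDeserialization.rb:15:30:15:44 | serialized_data | Unsafe deserialization of $@. | UnsafeDeserialization.rb:14:39:14:44 | call to params | user input |
+| UnsafeDeserialization.rb:21:24:21:32 | json_data | UnsafeDeserialization.rb:20:17:20:22 | call to params : | UnsafeDeserialization.rb:21:24:21:32 | json_data | Unsafe deserialization of $@. | UnsafeDeserialization.rb:20:17:20:22 | call to params | user input |
+| UnsafeDeserialization.rb:27:27:27:35 | json_data | UnsafeDeserialization.rb:26:17:26:22 | call to params : | UnsafeDeserialization.rb:27:27:27:35 | json_data | Unsafe deserialization of $@. | UnsafeDeserialization.rb:26:17:26:22 | call to params | user input |
+| UnsafeDeserialization.rb:39:24:39:32 | yaml_data | UnsafeDeserialization.rb:38:17:38:22 | call to params : | UnsafeDeserialization.rb:39:24:39:32 | yaml_data | Unsafe deserialization of $@. | UnsafeDeserialization.rb:38:17:38:22 | call to params | user input |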
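--- /dev/null
+++ b/<qlref file: path not shown on page>
@@ -0,0 +1 @@
+queries/security/cwe-502/UnsafeDeserialization.ql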
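--- /dev/null
+++ b/<test directory not shown on page>/UnsafeDeserialization.rb
@@ -0,0 +1,41 @@
+require "base64"
+require "json"
+require "yaml"
+
+class UsersController < ActionController::Base
+  # BAD
+  def route0
+    serialized_data = Base64.decode64 params[:key]
+    object = Marshal.load serialized_data
+  end
+
+  # BAD
+  def route1
+    serialized_data = Base64.decode64 params[:key]
+    object = Marshal.restore serialized_data
+  end
+
+  # BAD
+  def route2
+    json_data = params[:key]
+    object = JSON.load json_data
+  end
+
+  # BAD
+  def route3
+    json_data = params[:key]
+    object = JSON.restore json_data
+  end
+
+  # GOOD - JSON.parse is safe to use on untrusted data
+  def route4
+    json_data = params[:key]
+    object = JSON.parse json_data
+  end
+
+  # BAD
+  def route5
+    yaml_data = params[:key]
+    object = YAML.load yaml_data
+  end
+end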
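Review bot: Only the JSON sink has a safe counterpart in this fixture (`route4` with `JSON.parse`), so the query's negative behaviour on the sanitized YAML and Marshal APIs is never exercised; a `# GOOD` route after `route5` with `object = YAML.safe_load yaml_data` would pin that the safe variant is not reported alongside the `YAML.load` positive. The `route0`/`route1` cases additionally rely on taint surviving `Base64.decode64`, which the expected edges from `8:39` to `9:27` confirm but the fixture does not state; a comment such as `# taint must propagate through Base64.decode64` above line 8 would make that intent explicit. The `object = ...` assignments are never read, which is fine for a fixture, but the sink columns recorded in the expected file (for example `9:27:9:41`) depend on that prefix, so a short note that the assignment is deliberate would protect the expectations from a cleanup.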
