Update README.md

SirBroccoli 2025-08-20 12:53:48 +02:00 committed by GitHub
parent a919fe6dc4
commit b48c4084e5


@ -1120,33 +1120,6 @@ Industrialized gadget discovery:
- Use CodeQLs Ruby unsafe deserialization queries to trace sources → sinks and surface gadgets
- Validate with public multi-format PoCs (JSON/XML/YAML/Marshal)
Detection (SAST):
- Semgrep rules:
- rails-cache-store-marshal: https://github.com/trailofbits/semgrep-rules/blob/main/ruby/rails-cache-store-marshal.yaml
- marshal-load-method: https://github.com/trailofbits/semgrep-rules/blob/main/ruby/marshal-load-method.yaml
- json-create-deserialization: https://github.com/trailofbits/semgrep-rules/blob/main/ruby/json-create-deserialization.yaml
- yaml-unsafe-load: https://github.com/trailofbits/semgrep-rules/blob/main/ruby/yaml-unsafe-load.yaml
- CodeQL:
- Query help: https://codeql.github.com/codeql-query-help/ruby/rb-unsafe-deserialization/
- Payload PoCs: https://github.com/GitHubSecurityLab/ruby-unsafe-deserialization
Mitigations (what to do):
- Never pass attacker-controlled bytes to `Marshal.load`/`marshal_load`
- Prefer safe formats and APIs:
- YAML.safe_load with strict `permitted_classes`
- JSON with manual object construction
- Typed DB columns instead of opaque blobs
- Ecosystem hardening proposal:
- Introduce `Marshal.safe_load` (primitive-only by default, with `permitted_classes`)
- Warn on `Marshal.load`, switch defaults to safe behavior, and gate legacy behavior behind `Marshal.unsafe_load`
Notes on recent timeline (selected):
- 20182022: Universal gadget chains across Ruby 2.x3.x (elttam, Bowling) and patches through Ruby 3.1/3.2
- 2019: Rails 5.2 insecure deserialization (CVE-2019-5420)
- 2024: Include Security shows gadget discovery via grep; GitHub Security Lab ships CodeQL rules + multi-format PoCs
- 2024-12: Ruby 3.4.0-rc1 near-miss in `rubygems` code path patched before GA (PR #12444)
- 2024-11/12: New Ruby 3.4 Marshal chains and SafeMarshal escape published and subsequently patched
## References
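Review bot: the hunk header (-1120,33 +1120,6) shows 27 of these 33 lines being removed, and the removed span is the only defensive material in the section: the "Detection (SAST)" bullets with the four Trail of Bits Semgrep rule links and the CodeQL query-help link, and the "Mitigations (what to do)" bullets (never pass attacker-controlled bytes to `Marshal.load`/`marshal_load`, prefer `YAML.safe_load` with strict `permitted_classes`, JSON with manual object construction, typed DB columns). If the goal is to shorten the page, keep at least the Mitigations and Detection bullets (or move them to the section that remains) rather than dropping them with the timeline; a page that only describes gadget chains without the `Marshal.safe_load`/`permitted_classes` guidance is less useful to readers auditing their own code. The timeline bullets being removed also introduce `CVE-2019-5420` and `PR #12444`, and the "Ruby fix PR #12444" entry in the References hunk below still cites PR #12444, so that reference becomes orphaned once this text is gone. Minor, in case any of these lines are kept: "CodeQLs" needs an apostrophe ("CodeQL's"), and the ranges "20182022" and "2.x3.x" have lost their dash ("2018-2022", "2.x-3.x").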
@ -1165,4 +1138,4 @@ Notes on recent timeline (selected):
- Ruby fix PR #12444: https://github.com/ruby/ruby/pull/12444
- Trail of Bits Auditing RubyGems.org (Marshal findings): https://blog.trailofbits.com/2024/12/11/auditing-the-ruby-ecosystems-central-package-repository/
{{#include ../../banners/hacktricks-training.md}}
{{#include ../../banners/hacktricks-training.md}}
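Review bot: the two adjacent `{{#include ../../banners/hacktricks-training.md}}` lines at the end of this hunk need checking in the resulting file. With a 4-line hunk on both sides (-1165,4 +1138,4) this looks like one include line removed and one added (most likely a trailing-whitespace or final-newline change), which is fine; but if both survive in the new file the banner renders twice at the bottom of the page, so confirm that the post-commit file ends with exactly one include. The remaining References entries ("Ruby fix PR #12444", "Trail of Bits Auditing RubyGems.org") are consistent with each other, but with the timeline bullet for PR #12444 deleted in the earlier hunk, consider adding one sentence in the body explaining what PR #12444 fixed so the reference is not a bare link.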