Add more negative patterns to exclude cases of reading from a file fo…

…r Yaml bad deserialization (#3296) * Add more negative patterns to exclude cases of reading from a file * Update .fixed file for autofix test case
semgrep · Feb 21, 2024 · 3abb4d5 · 3abb4d5
1 parent 931012b
commit 3abb4d5
Show file tree

Hide file tree

Showing 3 changed files with 91 additions and 39 deletions.
diff --git a/ruby/lang/security/bad-deserialization-yaml.fixed.rb b/ruby/lang/security/bad-deserialization-yaml.fixed.rb
@@ -1,23 +1,43 @@
- def bad_deserialization
+def bad_deserialization
 
-    o = Klass.new("hello\n")
-    data = YAML.dump(o)
-    # ruleid: bad-deserialization-yaml
-    obj = Psych.safe_load(data)
+   o = Klass.new("hello\n")
+   data = YAML.dump(o)
+   # ruleid: bad-deserialization-yaml
+   obj = Psych.safe_load(data)
+end
 
- end
+def ok_deserialization
+   o = Klass.new("hello\n")
+   data = YAML.dump(o)
+   # ok: bad-deserialization-yaml
+   obj = YAML.load(data, safe: true)
 
- def ok_deserialization
-    o = Klass.new("hello\n")
-    data = YAML.dump(o)
-    # ok: bad-deserialization-yaml
-    obj = YAML.load(data, safe: true)
+   filename = File.read("test.txt")
+   data = YAML.dump(filename)
+   # ok: bad-deserialization-yaml
+   YAML.load(filename)
 
-    filename = File.read("test.txt")
-    data = YAML.dump(filename)
-    # ok: bad-deserialization-yaml
-    YAML.load(filename)
+   # ok: bad-deserialization-yaml
+   YAML.load(File.read("test.txt"))
 
-    # ok: bad-deserialization-yaml
-    YAML.load(File.read("test.txt"))
- end
+   # ok: bad-deserialization-yaml
+   obj = YAML::load(ERB.new(File.read("test.yml")).result)
+
+   # ok: bad-deserialization-yaml
+   obj = YAML::load(ERB.new(File.read("test.yml")))
+
+   template = ERB.new(File.read("test.yml"))
+   # ok: bad-deserialization-yaml
+   obj = YAML::load(template)
+
+   template = ERB.new(File.read("test.yml")).result
+   # ok: bad-deserialization-yaml
+   obj = YAML::load(template)
+
+   template = ERB.new(File.read("test.yml"))
+   # ok: bad-deserialization-yaml
+   obj = YAML::load(template.result)
+
+   # ok: bad-deserialization-yaml
+   obj = YAML.load(File.read(File.join(Pathname.pwd, "hello.yml")))
+end
diff --git a/ruby/lang/security/bad-deserialization-yaml.rb b/ruby/lang/security/bad-deserialization-yaml.rb
@@ -1,23 +1,43 @@
- def bad_deserialization
+def bad_deserialization
 
-    o = Klass.new("hello\n")
-    data = YAML.dump(o)
-    # ruleid: bad-deserialization-yaml
-    obj = YAML.load(data)
+   o = Klass.new("hello\n")
+   data = YAML.dump(o)
+   # ruleid: bad-deserialization-yaml
+   obj = YAML.load(data)
+end
 
- end
+def ok_deserialization
+   o = Klass.new("hello\n")
+   data = YAML.dump(o)
+   # ok: bad-deserialization-yaml
+   obj = YAML.load(data, safe: true)
 
- def ok_deserialization
-    o = Klass.new("hello\n")
-    data = YAML.dump(o)
-    # ok: bad-deserialization-yaml
-    obj = YAML.load(data, safe: true)
+   filename = File.read("test.txt")
+   data = YAML.dump(filename)
+   # ok: bad-deserialization-yaml
+   YAML.load(filename)
 
-    filename = File.read("test.txt")
-    data = YAML.dump(filename)
-    # ok: bad-deserialization-yaml
-    YAML.load(filename)
+   # ok: bad-deserialization-yaml
+   YAML.load(File.read("test.txt"))
 
-    # ok: bad-deserialization-yaml
-    YAML.load(File.read("test.txt"))
- end
+   # ok: bad-deserialization-yaml
+   obj = YAML::load(ERB.new(File.read("test.yml")).result)
+
+   # ok: bad-deserialization-yaml
+   obj = YAML::load(ERB.new(File.read("test.yml")))
+
+   template = ERB.new(File.read("test.yml"))
+   # ok: bad-deserialization-yaml
+   obj = YAML::load(template)
+
+   template = ERB.new(File.read("test.yml")).result
+   # ok: bad-deserialization-yaml
+   obj = YAML::load(template)
+
+   template = ERB.new(File.read("test.yml"))
+   # ok: bad-deserialization-yaml
+   obj = YAML::load(template.result)
+
+   # ok: bad-deserialization-yaml
+   obj = YAML.load(File.read(File.join(Pathname.pwd, "hello.yml")))
+end
diff --git a/ruby/lang/security/bad-deserialization-yaml.yaml b/ruby/lang/security/bad-deserialization-yaml.yaml
@@ -8,17 +8,29 @@ rules:
   - pattern-not: |
       YAML.load("...", ...)
   - pattern-not-inside: |
-      $FILE = File.read("...", ...)
+      YAML.load(..., File.read(...), ...)
+  - pattern-not-inside: |
+      $FILE = File.read(...)
       ...
       YAML.load(..., $FILE, ...)
   - pattern-not-inside: |
-      $FILENAME = "..."
+      $FILENAME = ...
       ...
       $FILE = File.read($FILENAME, ...)
       ...
       YAML.load(..., $FILE, ...)
   - pattern-not-inside: |
-      YAML.load(..., File.read("...", ...), ...)
+          YAML.load(..., $X.$Y(File.read(...)), ...)
+  - pattern-not-inside: |
+      YAML.load(..., $X.$Y(File.read(...)).$Z, ...)
+  - pattern-not-inside: |
+      $T = $MOD.$MET(File.read(...))
+      ...
+      YAML.load(..., $T, ...)
+  - pattern-not-inside: |
+      $T = $MOD.$MET(File.read(...))
+      ...
+      YAML.load(..., $T.$R, ...)
   fix: Psych.safe_load($...ARGS)
   message: >-
     Unsafe deserialization from YAML. Objects in Ruby can be serialized into strings,