Add more negative patterns to exclude cases of reading from a file

semgrep · Feb 10, 2024 · d4f6f8f · d4f6f8f
1 parent b7c74f4
commit d4f6f8f
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 4 deletions.
diff --git a/ruby/lang/security/bad-deserialization-yaml.rb b/ruby/lang/security/bad-deserialization-yaml.rb
@@ -4,7 +4,6 @@ def bad_deserialization
     data = YAML.dump(o)
     # ruleid: bad-deserialization-yaml
     obj = YAML.load(data)
-
  end
 
  def ok_deserialization
@@ -20,4 +19,25 @@ def ok_deserialization
 
     # ok: bad-deserialization-yaml
     YAML.load(File.read("test.txt"))
+
+    # ok: bad-deserialization-yaml
+    obj = YAML::load(ERB.new(File.read("test.yml")).result)
+
+    # ok: bad-deserialization-yaml
+    obj = YAML::load(ERB.new(File.read("test.yml")))
+
+    template = ERB.new(File.read("test.yml"))
+    # ok: bad-deserialization-yaml
+    obj = YAML::load(template)
+
+    template = ERB.new(File.read("test.yml")).result
+    # ok: bad-deserialization-yaml
+    obj = YAML::load(template)
+
+    template = ERB.new(File.read("test.yml"))
+    # ok: bad-deserialization-yaml
+    obj = YAML::load(template.result)
+
+    # ok: bad-deserialization-yaml
+    obj = YAML.load(File.read(File.join(Pathname.pwd, "hello.yml")))
  end
diff --git a/ruby/lang/security/bad-deserialization-yaml.yaml b/ruby/lang/security/bad-deserialization-yaml.yaml
@@ -8,17 +8,29 @@ rules:
   - pattern-not: |
       YAML.load("...", ...)
   - pattern-not-inside: |
-      $FILE = File.read("...", ...)
+      YAML.load(..., File.read(...), ...)
+  - pattern-not-inside: |
+      $FILE = File.read(...)
       ...
       YAML.load(..., $FILE, ...)
   - pattern-not-inside: |
-      $FILENAME = "..."
+      $FILENAME = ...
       ...
       $FILE = File.read($FILENAME, ...)
       ...
       YAML.load(..., $FILE, ...)
   - pattern-not-inside: |
-      YAML.load(..., File.read("...", ...), ...)
+          YAML.load(..., $X.$Y(File.read(...)), ...)
+  - pattern-not-inside: |
+      YAML.load(..., $X.$Y(File.read(...)).$Z, ...)
+  - pattern-not-inside: |
+      $T = $MOD.$MET(File.read(...))
+      ...
+      YAML.load(..., $T, ...)
+  - pattern-not-inside: |
+      $T = $MOD.$MET(File.read(...))
+      ...
+      YAML.load(..., $T.$R, ...)
   fix: Psych.safe_load($...ARGS)
   message: >-
     Unsafe deserialization from YAML. Objects in Ruby can be serialized into strings,