Ruby Yaml Insecure Deserialization
Description
Detects insecure YAML deserialization in Ruby code that uses YAML.load(), which can lead to remote code execution. YAML.load() deserializes arbitrary Ruby objects, so an attacker who controls the YAML input can supply a specially crafted document that instantiates objects and executes malicious code.
Detection Strategy
• Check whether the YAML library is required in the code file
• Find calls to the YAML.load() method
• Verify that the call has an argument (the payload to be deserialized)
• Report a vulnerability when the unsafe YAML.load() is used instead of a safe alternative such as YAML.safe_load()
Vulnerable code example

require 'yaml'

def process_yaml_config
  # VULNERABLE: Unsafe YAML.load on untrusted input allows code execution
  yaml_data = params[:config]
  config = YAML.load(yaml_data)
  puts "User: #{config['user']}"
end

✅ Secure code example
require 'yaml'

def process_yaml_config
  # SECURE: Using safe_load with an explicit list of permitted classes prevents code execution
  yaml_data = params[:config]
  config = YAML.safe_load(yaml_data, permitted_classes: [Date, Time])
  puts "User: #{config['user']}"
end