
Add Security/Marshal cop #3816

Merged (1 commit), Dec 24, 2016

Conversation

@cyberdelia (Contributor) commented Dec 22, 2016

Add a new Security cop that looks for usage of Marshal.load and Marshal.restore, as they are both potentially dangerous: http://ruby-doc.org/core-2.3.3/Marshal.html#module-Marshal-label-Security+considerations

There is no alternative for these methods, as Marshal is inherently dangerous.


Before submitting the PR make sure the following are checked:

  • Wrote good commit messages.
  • Commit message starts with [Fix #issue-number] (if the related issue exists).
  • Used the same coding conventions as the rest of the project.
  • Feature branch is up-to-date with master (if not - rebase it).
  • Squashed related commits together.
  • Added tests.
  • Added an entry to the Changelog if the new code introduces user-observable changes. See changelog entry format.
  • All tests are passing.
  • The new code doesn't generate RuboCop offenses.
  • The PR relates to only one subject with a clear title and description in grammatically correct, complete sentences.
  • Updated cop documentation with rake generate_cops_documentation (required only when you've added a new cop or changed the configuration/documentation of an existing cop).
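A stand-alone approximation of what this cop looks for, added here as an example and not the PR's own code: it walks the S-expression from Ruby's stdlib Ripper parser (instead of RuboCop's node matcher) and reports every `Marshal.load` / `Marshal.restore` call site while leaving `Marshal.dump` alone. The sample source and the offense message text are constructed for the example.

```ruby
require 'ripper'

# Constructed sample source standing in for a file under inspection.
SAMPLE_SOURCE = <<~'RUBY'
  data = File.binread(path)
  obj = Marshal.load(data)          # should be flagged
  other = ::Marshal.restore data    # should be flagged (top-level const, no parens)
  blob = Marshal.dump(obj)          # serialising is not flagged
  json = JSON.load(data)            # different receiver, not flagged
RUBY

# Method names the cop reports (the PR description names both).
FLAGGED_METHODS = %w[load restore].freeze

# True when a Ripper receiver node is the constant `Marshal` or `::Marshal`.
def marshal_receiver?(node)
  return false unless node.is_a?(Array) && %i[var_ref top_const_ref].include?(node[0])
  const = node[1]
  const.is_a?(Array) && const[0] == :@const && const[1] == 'Marshal'
end

# Walks the Ripper S-expression and collects every Marshal.load / Marshal.restore
# call site as { line:, column:, method: } (Ripper columns are 0-based).
def find_marshal_offenses(source)
  sexp = Ripper.sexp(source)
  return [] unless sexp # nil means the source did not parse
  offenses = []
  walk = lambda do |node|
    return unless node.is_a?(Array)
    # `Marshal.load(x)` yields :call and `Marshal.load x` yields :command_call;
    # in both the receiver is node[1] and the method identifier is node[3].
    if %i[call command_call].include?(node[0]) && marshal_receiver?(node[1])
      meth = node[3]
      if meth.is_a?(Array) && meth[0] == :@ident && FLAGGED_METHODS.include?(meth[1])
        line, column = meth[2]
        offenses << { line: line, column: column, method: meth[1] }
      end
    end
    node.each { |child| walk.call(child) }
  end
  walk.call(sexp)
  offenses
end

# Renders offenses in a RuboCop-like "line:col: message" form (message text is constructed).
def format_offenses(offenses)
  offenses.map { |o| "#{o[:line]}:#{o[:column]}: Avoid using Marshal.#{o[:method]}." }
end

puts format_offenses(find_marshal_offenses(SAMPLE_SOURCE))
```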

expect(cop.offenses).to be_empty
end

it 'accepts Marshal.dump' do
Collaborator:

This description is exactly the same as the previous one.

module Cop
module Security
# This cop checks for the use of Marshal class methods which have
# potential security issues.
Collaborator:

I'd elaborate here on the security issues.

# This cop checks for the use of Marshal class methods which have
# potential security issues.
#
# Autocorrect is disabled by default because it's potentially dangerous.
Collaborator:

There's no auto-correct in this cop at all. :-)

# Autocorrect is disabled by default because it's potentially dangerous.
#
# @example
# # always offense
Collaborator:

bad

# Marshal.load("{}")
# Marshal.restore("{}")
#
# # no offense
Collaborator:

good

@bbatsov (Collaborator) commented Dec 23, 2016

The documentation diff is a bit strange. Is your branch up-to-date with master?

@cyberdelia (Contributor, author) commented

@bbatsov I made the recommended changes.

@bbatsov bbatsov merged commit 7053c71 into rubocop:master Dec 24, 2016
@cyberdelia cyberdelia deleted the marshal-cop branch December 24, 2016 10:39
@akerl commented Jan 31, 2017

As a user seeing this cop fire on my code, the UX has some rough edges:

  • It calls out Marshal.load/restore as bad, so I went looking to see why. Its description claims Marshal.dump is "good", but clearly that's not the case: it's not much good to dump out marshalled data if there's no way to deserialize it.
  • The real meaning of the cop appears to be "Marshal is bad because loading marshalled untrusted data leads to arbitrary code exec", but there are cases where that is the desired behavior.

If the desired recommendation is "Do not use Marshal for untrusted deserialization", it seems that the cop has overstepped what can be tested for. At the very least, it ought to flag clearly that any use of Marshal is an RCE risk, rather than just saying "Avoid Marshal.load", so the user can understand why they would avoid Marshal.

@bbatsov (Collaborator) commented Feb 1, 2017

Good observations. It'd be best if you filed a new ticket regarding this.
