Forum: Ruby-core [ruby-trunk - Bug #7759][Open] Marshal.load is not documented to be dangerous

Posted by charliesome (Charlie Somerville) (Guest)
on 2013-01-31 01:01
(Received via mailing list)
Issue #7759 has been reported by charliesome (Charlie Somerville).

----------------------------------------
Bug #7759: Marshal.load is not documented to be dangerous
https://bugs.ruby-lang.org/issues/7759

Author: charliesome (Charlie Somerville)
Status: Open
Priority: Normal
Assignee:
Category: DOC
Target version: 2.0.0
ruby -v: ruby 2.0.0dev (2013-01-07 trunk 38733) [x86_64-darwin12.2.1]


=begin
Marshal.load is incredibly powerful, and also incredibly dangerous.

Unfortunately, many developers use it inappropriately and unmarshal user 
input. This can lead to a wide range of vulnerabilities, including 
remote code execution.

Marshal.load should be documented as dangerous and the documentation 
should also mention that it should only be used on trusted data.
=end
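The report's recommendation is that `Marshal.load` only ever sees data the application itself produced. The most common way to enforce that in practice is to authenticate the serialized bytes (for example with an HMAC under a server-side key) and verify the tag before the bytes reach `Marshal.load`, so that anything a client could have altered is rejected up front. The following is an added example illustrating that pattern; it is not code from the bug report, from Ruby's Marshal documentation, or from any Ruby project. The `SignedMarshal` module, its `TamperedError`, the demo key and the sample session hash are all constructed for this illustration.

```ruby
require 'openssl'
require 'securerandom'

# Added example (not from the bug report or Ruby's own docs).
# SignedMarshal wraps Marshal so that only bytes carrying a valid HMAC,
# i.e. bytes this application produced with its own key, are ever passed
# to Marshal.load. Marshal.load itself is unchanged and remains unsafe on
# untrusted input; the wrapper just keeps untrusted input away from it.
module SignedMarshal
  ALGORITHM = 'SHA256'
  TAG_LEN   = 32 # bytes of HMAC-SHA256 output

  class TamperedError < StandardError; end

  # Serialize obj and prepend an HMAC over the serialized bytes.
  def self.dump(obj, key)
    payload = Marshal.dump(obj)
    tag = OpenSSL::HMAC.digest(ALGORITHM, key, payload)
    tag + payload
  end

  # Verify the HMAC first; Marshal.load runs only on an authenticated payload.
  def self.load(blob, key)
    raise TamperedError, 'blob too short' if blob.nil? || blob.bytesize < TAG_LEN

    blob = blob.b # operate on raw bytes regardless of the incoming encoding
    tag     = blob[0, TAG_LEN]
    payload = blob[TAG_LEN..-1]
    expected = OpenSSL::HMAC.digest(ALGORITHM, key, payload)
    raise TamperedError, 'bad signature' unless secure_equal?(tag, expected)

    Marshal.load(payload)
  end

  # Constant-time comparison so the check does not leak how many tag bytes matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) } == 0
  end
end

# Constructed demo key; a real deployment keeps this secret and server-side.
SAMPLE_KEY = SecureRandom.random_bytes(32)

# Constructed sample object, the kind of session data that is often marshaled.
SAMPLE_SESSION = { 'user_id' => 42, 'roles' => ['editor'] }.freeze

# Data we signed ourselves round-trips unchanged.
def roundtrip_ok?(key = SAMPLE_KEY)
  SignedMarshal.load(SignedMarshal.dump(SAMPLE_SESSION, key), key) == SAMPLE_SESSION
end

# A blob whose payload was modified after signing is rejected before Marshal.load runs.
def tampered_rejected?(key = SAMPLE_KEY)
  blob = SignedMarshal.dump(SAMPLE_SESSION, key).b
  idx = SignedMarshal::TAG_LEN + 3 # flip one byte inside the marshaled payload
  blob.setbyte(idx, blob.getbyte(idx) ^ 0xff)
  SignedMarshal.load(blob, key)
  false
rescue SignedMarshal::TamperedError
  true
end

# A blob signed under some other key (or not signed at all) is also rejected.
def wrong_key_rejected?(key = SAMPLE_KEY)
  blob = SignedMarshal.dump(SAMPLE_SESSION, SecureRandom.random_bytes(32))
  SignedMarshal.load(blob, key)
  false
rescue SignedMarshal::TamperedError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "round trip:   #{roundtrip_ok?}"
  puts "tampered:     #{tampered_rejected? ? 'rejected' : 'ACCEPTED'}"
  puts "foreign key:  #{wrong_key_rejected? ? 'rejected' : 'ACCEPTED'}"
end
```

The wrapper does not make `Marshal.load` safe; it changes who can reach it. If the key leaks, or if any other code path still calls `Marshal.load` directly on request data, the original problem returns, which is why the report asks for the warning to live in the method's own documentation. Where the data only needs plain values (strings, numbers, arrays, hashes), a format that cannot name arbitrary classes, such as JSON, removes the class of problem altogether.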
Posted by KOSAKI Motohiro (Guest)
on 2013-01-31 01:34
(Received via mailing list)
> Marshal.load is incredibly powerful, and also incredibly dangerous.
>
> Unfortunately, many developers use it inappropriately and unmarshal user input.
> This can lead to a wide range of vulnerabilities, including remote code execution.
>
> Marshal.load should be documented as dangerous and the documentation should also
> mention that it should only be used on trusted data.

Makes sense. Can you please consider writing down the explanation?
Posted by SASADA Koichi (Guest)
on 2013-01-31 03:03
(Received via mailing list)
(2013/01/31 8:59), charliesome (Charlie Somerville) wrote:
> Unfortunately, many developers use it inappropriately and unmarshal user input.
> This can lead to a wide range of vulnerabilities, including remote code execution.

Could you explain the attack scenario?
Posted by Nobuyoshi Nakada (nobu)
on 2013-01-31 03:09
(Received via mailing list)
Issue #7759 has been updated by nobu (Nobuyoshi Nakada).


charliesome (Charlie Somerville) wrote:
> Unfortunately, many developers use it inappropriately and unmarshal user input.
> This can lead to a wide range of vulnerabilities, including remote code execution.

Can't you elaborate on it, probably at security@ruby-lang.org?

> Marshal.load should be documented as dangerous and the documentation should also
> mention that it should only be used on trusted data.

I thought it's common sense, isn't it?
Posted by charliesome (Charlie Somerville) (Guest)
on 2013-01-31 03:16
(Received via mailing list)
Issue #7759 has been updated by charliesome (Charlie Somerville).


> I thought it's common sense, isn't it?

You would imagine so; however, I have seen a lot of code that does
unmarshal untrusted data.

I will send an example to security@ruby-lang.org. Please note that I do 
not consider this a vulnerability in Ruby. Marshal is dangerous by 
design. This is an education problem - we need to document the fact that 
it is dangerous.