trailofbits · mschwager · Jul 17, 2025 · Jul 17, 2025
@@ -0,0 +1,12 @@
+require 'marshal'
+
+class Foo
+  # ruleid: marshal-load-method
+  def marshal_load(array)
+    initialize array[0]
+  end
+end
+
+# ok: marshal-load-method
+class Bar
+end
@@ -0,0 +1,28 @@
+rules:
+  - id: marshal-load-method
+    message: |
+      Found `marshal_load` class method. This implies custom Marshal
+      deserialization is occuring. This can lead to RCE and other
+      deserialization-type bugs.  Usage should be audited and, at least, fuzzed.
+    languages: [ruby]
+    severity: INFO
+    metadata:
+      category: security
+      cwe: "CWE-502: Deserialization of Untrusted Data"
+      subcategory: [audit]
+      confidence: LOW
+      likelihood: LOW
+      impact: HIGH
+      technology: [ruby]
+      references:
+        - https://github.blog/2024-06-20-execute-commands-by-sending-json-learn-how-unsafe-deserialization-vulnerabilities-work-in-ruby-projects/
+        - https://github.com/GitHubSecurityLab/ruby-unsafe-deserialization/blob/main/marshal/3.4-rc/marshal-rce-ruby-3.4-rc.rb
+    patterns:
+      - pattern-inside: |
+          class $CLS
+            ...
+          end
+      - pattern: |
+          def marshal_load(...)
+            ...
+          end