Module UnsafeDeserialization

Import path

import codeql.ruby.security.UnsafeDeserializationCustomizations

Classes

HashFromTrustedXmlArgument	The first argument in a call to `Hash.from_trusted_xml`, considered as a sink for unsafe deserialization.
JsonLoadArgument	An argument in a call to `JSON.load` or `JSON.restore`, considered a sink for unsafe deserialization.
MarshalLoadOrRestoreArgument	An argument in a call to `Marshal.load` or `Marshal.restore`, considered a sink for unsafe deserialization.
OxParseObjArgument	The first argument in a call to `Ox.parse_obj`, always considered as a sink for unsafe deserialization.
RemoteFlowSourceAsSource	A source of remote user input, considered as a flow source for unsafe deserialization.
Sanitizer	A sanitizer for unsafe deserialization vulnerabilities.
Sink	A data flow sink for unsafe deserialization vulnerabilities.
Source	A data flow source for unsafe deserialization vulnerabilities.
StdInSource	A read of data from `STDIN`/`ARGV`, considered as a flow source for unsafe deserialization.
UnsafeOjLoadArgument	An argument in a call to `Oj.load` where the mode is `:object` (which is the default), considered a sink for unsafe deserialization.
UnsafeOxLoadArgument	An argument in a call to `Ox.load` where the mode is `:object` (not the default), considered a sink for unsafe deserialization.
UnsafePlistParsexmlArgument	An argument in a call to `Plist.parse_xml` where `marshal` is `true` (which is the default), considered a sink for unsafe deserialization.
YamlLoadArgument	An argument in a call to `YAML.unsafe_*` and `YAML.load_stream` , considered a sink for unsafe deserialization. The `YAML` module is an alias of `Psych` in recent versions of Ruby.
YamlParseArgument	An argument in a call to `YAML.parse*`, considered a sink for unsafe deserialization if there is a call to `to_ruby` on the returned value.