Project

General

Profile

Actions
Copy link

Bug #20481

closed

Untrusted Marshal data can overwrite class/module instance variables

Added by qnighy (Masaki Hara) 2 months ago. Updated 2 months ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 3.3.1 (2024-04-23 revision c56cd86388) [x86_64-linux]
Backport:
3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN
[ruby-core:117831]

Description

The following code snippet shows how class/module instance variables can be overwritten in Ruby. Checked on Ruby 3.3.1.

class <<Object; attr_reader :foo; end

p Object.foo
# => nil

# Marshal.load("\x04\x08Ic\x0BObject\x06:\x09@fooi\x2F")
# # => can't override instance variable of class `Object' (TypeError)
# p Object.foo
# # => nil

Marshal.load("\x04\x08[\x07c\x0BObjectI@\x06\x06:\x09@fooi\x2F")
# => [Object, Object]
p Object.foo
# => 42

Although it is the program author's responsibility to trust Marshal data, there was an attempt to disallow write to a class instance variable and it is considered a bug that one can circumvent this check.

This bug was once submitted to HackerOne, just in case this is considered a security vulnerability, and it was concluded that the bug actually isn't.

Actions
Copy link
 #1

Updated by nobu (Nobuyoshi Nakada) 2 months ago

  • Status changed from Open to Closed

Applied in changeset git|8b9b150512b7b9514143a6b971992c9a539ead2f.

[Bug #20481] Check for unmarshaling ivar

Prohibit setting instance variables of existing classes and modules
via link.

Actions
Copy link

Also available in: Atom PDF

Like0
Like0