Bug #20481

closed

Untrusted Marshal data can overwrite class/module instance variables

Added by qnighy (Masaki Hara) 8 months ago. Updated 7 months ago.

Status: Closed
Assignee: -
Target version: -
ruby -v: ruby 3.3.1 (2024-04-23 revision c56cd86388) [x86_64-linux]
[ruby-core:117831]

Description

The following code snippet shows how class/module instance variables can be overwritten in Ruby. Checked on Ruby 3.3.1.

class <<Object; attr_reader :foo; end

p Object.foo
# => nil

# Marshal.load("\x04\x08Ic\x0BObject\x06:\x09@fooi\x2F")
# # => can't override instance variable of class `Object' (TypeError)
# p Object.foo
# # => nil

Marshal.load("\x04\x08[\x07c\x0BObjectI@\x06\x06:\x09@fooi\x2F")
# => [Object, Object]
p Object.foo
# => 42

Although it is the program author's responsibility to trust Marshal data, there was an attempt to disallow writing to a class instance variable, and it is considered a bug that one can circumvent this check.

This bug was once submitted to HackerOne, just in case this is considered a security vulnerability, and it was concluded that the bug actually isn't.
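
An added example, not part of the report or of Ruby's source: a fail-closed pre-screen that walks a Marshal stream without loading it and reports any ivar wrapper (`I`) aimed at a class or module, whether directly or through an object link (`@`) as in the second payload above. `MarshalScreen` and its method names are hypothetical; only nil, booleans, fixnums, symbols, strings, arrays and class/module references are understood, and any other type raises.

```ruby
class MarshalScreen # added example; hypothetical name
  Unsupported = Class.new(StandardError)

  def self.scan(data) = new(data).scan

  def initialize(data)
    @bytes = data.b.bytes
    @pos = 2 # skip the two version bytes ("\x04\x08")
    @objs, @syms, @hits = [], [], [] # '@' link table, ';' symbol table, findings
  end

  def scan = value && @hits

  private

  def byte = @bytes.fetch(@pos).tap { @pos += 1 }
  def raw = Array.new(int) { byte }.pack("C*")
  def reg(desc) = desc.tap { @objs << desc }

  def int # Marshal's variable-length integer encoding
    c = byte
    c -= 256 if c > 127
    return 0 if c.zero?
    return c - 5 if c > 4
    return c + 5 if c < -4
    v = (0...c.abs).sum { |i| byte << (8 * i) }
    c.positive? ? v : v - (1 << (8 * c.abs))
  end

  def symbol(type = byte.chr)
    return raw.tap { |s| @syms << s } if type == ":"
    type == ";" ? @syms.fetch(int) : raise(Unsupported, "expected a symbol")
  end

  def value
    case type = byte.chr
    when "0", "T", "F" then [:imm]
    when "i" then int; [:imm]
    when ":", ";" then symbol(type); [:imm]
    when '"' then reg([:other]).tap { raw }
    when "[" then reg([:other]).tap { int.times { value } } # registered before its elements
    when "c", "m", "M" then reg([:class, raw])
    when "@" then @objs.fetch(int) # object link resolves to an earlier entry
    when "I" # ivar wrapper: flag it when the target is a class or module
      target = value
      names = Array.new(int) { symbol.tap { value } }
      @hits << [target[1], names] if target.first == :class
      target
    else raise Unsupported, "type #{type.inspect} at offset #{@pos - 1}"
    end
  end
end
```

`MarshalScreen.scan(data)` returns `[["Object", ["@foo"]]]` for both payloads in the report and `[]` for a stream that contains no such wrapper.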
