
Issue #20481 has been reported by qnighy (Masaki Hara). ---------------------------------------- Bug #20481: Untrusted Marshal data can overwrite class/module instance variables https://bugs.ruby-lang.org/issues/20481 * Author: qnighy (Masaki Hara) * Status: Open * ruby -v: ruby 3.3.1 (2024-04-23 revision c56cd86388) [x86_64-linux] * Backport: 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN ---------------------------------------- The following code snippet shows how class/module instance variables can be overwritten in Ruby. Checked on Ruby 3.3.1. ```ruby class <<Object; attr_reader :foo; end p Object.foo # => nil # Marshal.load("\x04\x08Ic\x0BObject\x06:\x09@fooi\x2F") # # => can't override instance variable of class `Object' (TypeError) # p Object.foo # # => nil Marshal.load("\x04\x08[\x07c\x0BObjectI@\x06\x06:\x09@fooi\x2F") # => [Object, Object] p Object.foo # => 42 ``` Although it is the program author's responsibility to trust Marshal data, [there was an attempt to disallow write to a class instance variable](https://github.com/ruby/ruby/commit/3fe939564fc5f4dde52a6b9bc385e558e3423256) and it is considered a bug that one can circumvent this check. This bug was once submitted to HackerOne, just in case this is considered a security vulnerability, and it was concluded that the bug actually isn't. -- https://bugs.ruby-lang.org/