# Phase 03 (Track J.1) — Ruby deserialize benign fixture.
#
# Inspects the marshalled stream's const name before handing it to
# `Marshal.load`; anything outside the tiny allowlist raises before
# any gadget code runs.
# Class names that `run` searches for as raw substrings of the incoming blob.
# Marshal writes core Integer/String/Array values by type tag rather than by
# class name (cf. `Marshal.dump([1])`, which contains no "Array"), so these
# strings only occur in a stream whose *data* happens to contain them.
ALLOWED = ['Integer', 'String', 'Array'].freeze
def run(blob)
  # Gate: the blob must mention at least one ALLOWED class name somewhere in
  # its raw bytes. This is a plain substring search over the whole stream, not
  # a parse of Marshal's type tags, so it does not bound which classes
  # `Marshal.load` will instantiate below — a stream that carries an ALLOWED
  # name inside any string value passes whatever else it encodes, while
  # `Marshal.dump([1])` (Array and Integer are written as tags, not names)
  # is rejected. An empty blob skips the gate entirely.
  unguarded = blob.bytesize.positive? && ALLOWED.none? { |klass| blob.include?(klass) }
  raise ArgumentError, "blocked: non-allowlisted gadget class" if unguarded

  # SECURITY: deserialization sink fed directly by the caller's bytes. Marshal
  # instantiates whatever classes the stream names (and invokes their load
  # hooks); the substring gate above does not constrain that set. Left as-is
  # because this file is a fixture.
  Marshal.load(blob)
end