nyx/tests/dynamic_fixtures/deserialize/ruby/vuln.rb at 3d710c856dbacb8f0bf780eb881b6669d7509dfd - apunkt/nyx - bitfreedom.net: free all bits, everywhere

apunkt/nyx

mirror of https://github.com/elicpeter/nyx.git synced 2026-06-09 19:45:13 +02:00

pitboss 9dc60b51c0 [pitboss] phase 03: Track J.1 + Track L.1 — DESERIALIZE corpus + Java/Python/PHP/Ruby adapters

2026-05-17 16:37:20 -05:00

8 lines

253 B

Ruby

Raw Blame History

 # Phase 03 (Track J.1) — Ruby deserialize vuln fixture.
 #
 # `Marshal.load` materialises arbitrary constants; a CVE-class gadget
 # in the payload runs through `_load` / `_load_data` without any
 # allowlist check.
 def run(blob)
   Marshal.load(blob)
 end