[ruby]: add YAML/Psych/Plist unsafe deserialization sinks

### Query PR

https://github.com/github/codeql/pull/12301
https://github.com/github/codeql/pull/13431

### Language

Ruby

### CVE(s) ID list

- [CVE-2022-32224](https://github.com/advisories/GHSA-3hhc-qp5v-9p2j)
- [CVE-2021-33575](https://github.com/advisories/GHSA-vmfh-c547-v45h) cause by dangerous `Plist.parse_xml` sink


### CWE

CWE-502: Deserialization of Untrusted Data

### Report

1. Deserialization of Untrusted Data from a yaml serialized document 
2. with user controllable inputs such as yaml strings or yaml files, it is possible to execute code.
3. I add some additional sinks and taint tracking steps of paramiko library.
4. with Psych >= 4.0.0 `Psych.load` is secure by default, so I think the current codeql std lib for ruby should change it to. There are many other sinks that developers can use it in their applications, so I put my time to find all insecure ways/methods that currently are dangerous.

### Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

- [X] Yes
- [ ] No

### Blog post link

A series of Blog posts will be forthcoming soon!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[ruby]: add YAML/Psych/Plist unsafe deserialization sinks #732

Query PR

Language

CVE(s) ID list

CWE

Report

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

Blog post link

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[ruby]: add YAML/Psych/Plist unsafe deserialization sinks #732

Description

Query PR

Language

CVE(s) ID list

CWE

Report

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

Blog post link

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions