cd /news/cybersecurity/readme-md · home topics cybersecurity article
[ARTICLE · art-10145] src=gist.github.com ↗ pub= topic=cybersecurity verified=true sentiment=· neutral

README.md

This README file explains that the provided script cannot use `YAML.dump(payload)` to generate a useful payload, as it only produces a worthless YAML representation of a `Gem::Requirement` object. Instead, the script is a handcrafted conversion of the serialization produced by `Marshal.dump`, with a second version based on a more recent write-up about a universal deserialization gadget for Ruby 2.x and 3.x.

read1 min views21 publishedMar 1, 2019

Based on excellent write-up from https://www.elttam.com.au/blog/ruby-deserialization/ Doesn't work to use YAML.dump(payload) in the above script. This only produces the following YAML, which is worthless: --- !ruby/object:Gem::Requirement requirements:

- - ">="
- !ruby/object:Gem::Version
version: '0'

This is just a handcrafted conversion of the serialization done by Marshal.dump Second version is based on the more recent and equally excellent writup from https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html

── more in #cybersecurity 4 stories · sorted by recency
── more on @elttam.com.au 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/readme-md] indexed:0 read:1min 2019-03-01 ·