Don't unmarshal classes that don't include XMLRPC::Marshal (#36)

If we unmarshal all classes, evil clients may run unexpected code. 

See https://hackerone.com/reports/1189419 for details.

Author: ooooooo-q

lib/xmlrpc/parser.rb

@@ -113,6 +113,7 @@ def self.struct(hash)
         begin
           mod = Module
           klass.split("::").each {|const| mod = mod.const_get(const.strip)}
+          return hash unless mod.included_modules.include?(XMLRPC::Marshallable)
 
           obj = mod.allocate
 

test/data/marshallable.expected

@@ -0,0 +1,3 @@
+---
+- true
+- ___class___: Gem::Requirement

test/data/marshallable.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0" ?>
+<methodResponse>
+  <params>
+    <param>
+      <value>
+        <struct>
+          <member>
+            <name>___class___</name>
+            <value>
+              <string>Gem::Requirement</string>
+            </value>
+          </member>
+        </struct>
+      </value>
+    </param>
+  </params>
+</methodResponse>

test/test_parser.rb

@@ -25,7 +25,10 @@ def setup
     @datetime_xml = File.read(datafile('datetime_iso8601.xml'))
     @datetime_expected = XMLRPC::DateTime.new(2004, 11, 5, 1, 15, 23)
 
+    @marshallable_xml, @marshallable_expected = load_data('marshallable')
+
     @fault_doc = File.read(datafile('fault.xml'))
+    @marshallable = File.read(datafile('marshallable.xml'))
   end
 
   # test parseMethodResponse --------------------------------------------------
@@ -50,6 +53,10 @@ def test_dateTime
     assert_equal(@datetime_expected, @p.parseMethodResponse(@datetime_xml)[1])
   end
 
+  def test_marshallable
+    assert_equal(@marshallable_expected, @p.parseMethodResponse(@marshallable))
+  end
+
   # test parseMethodCall ------------------------------------------------------
 
   def test_parseMethodCall