rack-post-body-to-params 0.1.5 → 0.1.6

data/README.rdoc

@@ -1,3 +1,7 @@
+= Security advice
+
+Rack::PostBodyToParams is affected by every Rails security issue induced by YAML deserialization for HTTP POST bodys as it just uses ActionSupport for that. You should either upgrade ActiveSupport or require 'safe_yaml'. As of version 0.1.6 Rack::PostBodyToParams will  prevent you from initializing if Hash.from_xml is unsafe.
+
 = Rack::PostBodyToParams
 
 Parses the POST or PUT body to a Hash and put it into the FORM_HASH. Most frameworks get the params hash from there.

data/Rakefile

@@ -43,7 +43,7 @@ task :test => :check_dependencies
 
 task :default => :test
 
-require 'rake/rdoctask'
+require 'rdoc/task'
 Rake::RDocTask.new do |rdoc|
   version = File.exist?('VERSION') ? File.read('VERSION') : ""
 

data/VERSION

@@ -1 +1 @@
-0.1.5
+0.1.6

data/lib/rack/post-body-to-params.rb

@@ -23,6 +23,11 @@ module Rack
   # Most parts blantly stolen from http://github.com/rack/rack-contrib.
   #
   class PostBodyToParams
+    class RCETEST < Hash
+      def []=(key,val)
+        raise Exception, 'Please educate about the ActiveSupport YAML remote code execution vulnerability and take measures. Either install and require safe_yaml or upgrade ActiveSupport'
+      end
+    end
 
     # Constants
     #
@@ -62,6 +67,9 @@ module Rack
       }
       @error_responses.update(config[:error_responses]) if config[:error_responses]
       
+      # Check wether we're vulnerable via YAML:
+      parsers[APPLICATION_XML].call %Q{<?xml version="1.0" encoding="UTF-8"?><bang type="yaml">--- !ruby/hash:Rack::PostBodyToParams::RCETEST\n  foo: bar</bang>}
+      
       @app = app
     end
 
@@ -88,7 +96,7 @@ module Rack
         unless post_body.blank?
           begin
             new_form_hash = parsers[content_type].call post_body
-          rescue Exception => error
+          rescue StandardError => error
             logger.warn "#{self.class} #{content_type} parsing error: #{error.to_s}" if respond_to? :logger
             return error_responses[content_type].call error
           end

data/rack-post-body-to-params.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = "rack-post-body-to-params"
-  s.version = "0.1.5"
+  s.version = "0.1.6"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Niko Dittmann"]
-  s.date = "2012-02-02"
+  s.date = "2013-02-04"
   s.email = "mail+git@niko-dittmann.com"
   s.extra_rdoc_files = [
     "LICENSE",
@@ -24,6 +24,7 @@ Gem::Specification.new do |s|
     "lib/rack/post-body-to-params.rb",
     "rack-post-body-to-params.gemspec",
     "test/helper.rb",
+    "test/rce_test.rb",
     "test/test_post-body-to-params.rb"
   ]
   s.homepage = "http://github.com/niko/rack-post-body-to-params"

data/test/helper.rb

@@ -2,9 +2,8 @@ require 'rubygems'
 require 'test/unit'
 require 'shoulda'
 
+require 'safe_yaml'
+
 $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
 $LOAD_PATH.unshift(File.dirname(__FILE__))
 require 'rack/post-body-to-params'
-
-class Test::Unit::TestCase
-end

data/test/rce_test.rb

@@ -0,0 +1,14 @@
+# execute this file to test for xml/yaml code execution
+
+require 'yaml'
+gem 'activesupport', '=3.1'
+require 'active_support'
+require 'active_support/core_ext/hash'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+
+puts "AS Version: #{ActiveSupport::VERSION::STRING}"
+
+require 'rack/post-body-to-params'
+Rack::PostBodyToParams.new :app

data/test/test_post-body-to-params.rb

@@ -9,18 +9,6 @@ class TestApp
   end
 end
 
-module FromXml
-  def from_xml(data)
-    "parsed #{data}"
-  end
-end
-
-class Logger
-  def warn(string)
-    "warning: #{string}"
-  end
-end
-
 class TestPostBodyToParams < Test::Unit::TestCase
   
   context "A new app" do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-post-body-to-params
 version: !ruby/object:Gem::Version
-  version: 0.1.5
+  version: 0.1.6
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-02-02 00:00:00.000000000Z
+date: 2013-02-04 00:00:00.000000000Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: shoulda
-  requirement: &70202281553420 !ruby/object:Gem::Requirement
+  requirement: &70269260206680 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -21,10 +21,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70202281553420
+  version_requirements: *70269260206680
 - !ruby/object:Gem::Dependency
   name: activesupport
-  requirement: &70202281552100 !ruby/object:Gem::Requirement
+  requirement: &70269260205440 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -32,7 +32,7 @@ dependencies:
         version: '2.3'
   type: :runtime
   prerelease: false
-  version_requirements: *70202281552100
+  version_requirements: *70269260205440
 description: 
 email: mail+git@niko-dittmann.com
 executables: []
@@ -49,6 +49,7 @@ files:
 - lib/rack/post-body-to-params.rb
 - rack-post-body-to-params.gemspec
 - test/helper.rb
+- test/rce_test.rb
 - test/test_post-body-to-params.rb
 homepage: http://github.com/niko/rack-post-body-to-params
 licenses: []