rack-post-body-to-params 0.1.5 → 0.1.6
- data/README.rdoc +4 -0
- data/Rakefile +1 -1
- data/VERSION +1 -1
- data/lib/rack/post-body-to-params.rb +9 -1
- data/rack-post-body-to-params.gemspec +3 -2
- data/test/helper.rb +2 -3
- data/test/rce_test.rb +14 -0
- data/test/test_post-body-to-params.rb +0 -12
- metadata +7 -6
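--- a/data/README.rdoc
+++ b/data/README.rdoc
@@ -1,3 +1,7 @@
+= Security advice
+
+Rack::PostBodyToParams is affected by every Rails security issue induced by YAML deserialization for HTTP POST bodys as it just uses ActionSupport for that. You should either upgrade ActiveSupport or require 'safe_yaml'. As of version 0.1.6 Rack::PostBodyToParams will prevent you from initializing if Hash.from_xml is unsafe.
+
 = Rack::PostBodyToParams
 
 Parses the POST or PUT body to a Hash and put it into the FORM_HASH. Most frameworks get the params hash from there.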
data/Rakefile
CHANGED
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
0.1.
|
1
|
+
0.1.6
|
@@ -23,6 +23,11 @@ module Rack
|
|
23
23
|
# Most parts blantly stolen from http://github.com/rack/rack-contrib.
|
24
24
|
#
|
25
25
|
class PostBodyToParams
|
26
|
+
class RCETEST < Hash
|
27
|
+
def []=(key,val)
|
28
|
+
raise Exception, 'Please educate about the ActiveSupport YAML remote code execution vulnerability and take measures. Either install and require safe_yaml or upgrade ActiveSupport'
|
29
|
+
end
|
30
|
+
end
|
26
31
|
|
27
32
|
# Constants
|
28
33
|
#
|
@@ -62,6 +67,9 @@ module Rack
|
|
62
67
|
}
|
63
68
|
@error_responses.update(config[:error_responses]) if config[:error_responses]
|
64
69
|
|
70
|
+
# Check wether we're vulnerable via YAML:
|
71
|
+
parsers[APPLICATION_XML].call %Q{<?xml version="1.0" encoding="UTF-8"?><bang type="yaml">--- !ruby/hash:Rack::PostBodyToParams::RCETEST\n foo: bar</bang>}
|
72
|
+
|
65
73
|
@app = app
|
66
74
|
end
|
67
75
|
|
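Review bot: The probe on new line 71 discards the parser's return value and relies entirely on `RCETEST#[]=` raising, so any other exception from `parsers[APPLICATION_XML].call` — for instance a loader that rejects the `!ruby/hash` tag with an error instead of ignoring it — surfaces from the constructor as an unrelated failure, and if the parser table can be overridden through `config` the way `config[:error_responses]` is on line 68 (inferred; the table is built outside this hunk), a replaced XML parser would not be probed at all. The comment above the probe also has a typo and under-describes it; I would write `# Probe whether Hash.from_xml instantiates arbitrary Ruby objects from a YAML-typed node; RCETEST#[]= raises if it does.` and move the inline payload into a frozen constant under the `# Constants` header shown in the first hunk. In that first hunk, raising a bare `Exception` is presumably meant so that no `rescue StandardError` in the host's boot sequence can swallow it, but it is hard to identify in logs; a named subclass, `class UnsafeYamlError < Exception; end`, raised with the same message keeps that property, and `def []=(key,val)` should read `def []=(_key, _val)` since both parameters are unused. The enclosing `initialize` begins before this hunk.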
@@ -88,7 +96,7 @@ module Rack
|
|
88
96
|
unless post_body.blank?
|
89
97
|
begin
|
90
98
|
new_form_hash = parsers[content_type].call post_body
|
91
|
-
rescue
|
99
|
+
rescue StandardError => error
|
92
100
|
logger.warn "#{self.class} #{content_type} parsing error: #{error.to_s}" if respond_to? :logger
|
93
101
|
return error_responses[content_type].call error
|
94
102
|
end
|
@@ -5,11 +5,11 @@
|
|
5
5
|
|
6
6
|
Gem::Specification.new do |s|
|
7
7
|
s.name = "rack-post-body-to-params"
|
8
|
-
s.version = "0.1.
|
8
|
+
s.version = "0.1.6"
|
9
9
|
|
10
10
|
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
11
11
|
s.authors = ["Niko Dittmann"]
|
12
|
-
s.date = "
|
12
|
+
s.date = "2013-02-04"
|
13
13
|
s.email = "mail+git@niko-dittmann.com"
|
14
14
|
s.extra_rdoc_files = [
|
15
15
|
"LICENSE",
|
@@ -24,6 +24,7 @@ Gem::Specification.new do |s|
|
|
24
24
|
"lib/rack/post-body-to-params.rb",
|
25
25
|
"rack-post-body-to-params.gemspec",
|
26
26
|
"test/helper.rb",
|
27
|
+
"test/rce_test.rb",
|
27
28
|
"test/test_post-body-to-params.rb"
|
28
29
|
]
|
29
30
|
s.homepage = "http://github.com/niko/rack-post-body-to-params"
|
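--- a/data/test/helper.rb
+++ b/data/test/helper.rb
@@ -2,9 +2,8 @@ require 'rubygems'
 require 'test/unit'
 require 'shoulda'
 
+require 'safe_yaml'
+
 $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
 $LOAD_PATH.unshift(File.dirname(__FILE__))
 require 'rack/post-body-to-params'
-
-class Test::Unit::TestCase
-end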
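Review bot: `require 'safe_yaml'` on new line 5 pulls in a gem that this release does not declare: the metadata section of this same diff lists only `shoulda` and `activesupport` as dependencies, so a fresh checkout running the suite fails here with a LoadError before any test runs. The gemspec hunk in this diff only bumps the version and date and adds the `test/rce_test.rb` file entry; it should also get `s.add_development_dependency 'safe_yaml'`. Since requiring `safe_yaml` here means the unit tests always run in the safe configuration and never exercise the unsafe-ActiveSupport path, that split deserves a comment on this line, e.g. `# unit tests run with the safe loader; test/rce_test.rb probes the unsafe path separately`.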
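--- /dev/null
+++ b/data/test/rce_test.rb
@@ -0,0 +1,14 @@
+# execute this file to test for xml/yaml code execution
+
+require 'yaml'
+gem 'activesupport', '=3.1'
+require 'active_support'
+require 'active_support/core_ext/hash'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+
+puts "AS Version: #{ActiveSupport::VERSION::STRING}"
+
+require 'rack/post-body-to-params'
+Rack::PostBodyToParams.new :app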
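Review bot: A run that reaches the end of this script prints nothing beyond the ActiveSupport version, so a safe result and a script that simply never reached the constructor look identical to whoever runs it; after `Rack::PostBodyToParams.new :app` add `puts "OK: Hash.from_xml rejected the YAML payload"` so the outcome is explicit. `gem 'activesupport', '=3.1'` on line 4 pins the probe to a single ActiveSupport release, presumably the one the author wanted to demonstrate as unsafe, which means the script does not check whatever version is actually installed next to this gem; reading the version from an environment variable with that value as the default would keep the demonstration while making the script useful as a deployment check. The header comment should also state that the expected signal is the exception raised from the constructor, e.g. `# raises from Rack::PostBodyToParams.new if Hash.from_xml instantiates arbitrary objects; exits cleanly otherwise`.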
@@ -9,18 +9,6 @@ class TestApp
|
|
9
9
|
end
|
10
10
|
end
|
11
11
|
|
12
|
-
module FromXml
|
13
|
-
def from_xml(data)
|
14
|
-
"parsed #{data}"
|
15
|
-
end
|
16
|
-
end
|
17
|
-
|
18
|
-
class Logger
|
19
|
-
def warn(string)
|
20
|
-
"warning: #{string}"
|
21
|
-
end
|
22
|
-
end
|
23
|
-
|
24
12
|
class TestPostBodyToParams < Test::Unit::TestCase
|
25
13
|
|
26
14
|
context "A new app" do
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rack-post-body-to-params
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.6
|
5
5
|
prerelease:
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
@@ -9,11 +9,11 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date:
|
12
|
+
date: 2013-02-04 00:00:00.000000000Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: shoulda
|
16
|
-
requirement: &
|
16
|
+
requirement: &70269260206680 !ruby/object:Gem::Requirement
|
17
17
|
none: false
|
18
18
|
requirements:
|
19
19
|
- - ! '>='
|
@@ -21,10 +21,10 @@ dependencies:
|
|
21
21
|
version: '0'
|
22
22
|
type: :development
|
23
23
|
prerelease: false
|
24
|
-
version_requirements: *
|
24
|
+
version_requirements: *70269260206680
|
25
25
|
- !ruby/object:Gem::Dependency
|
26
26
|
name: activesupport
|
27
|
-
requirement: &
|
27
|
+
requirement: &70269260205440 !ruby/object:Gem::Requirement
|
28
28
|
none: false
|
29
29
|
requirements:
|
30
30
|
- - ! '>='
|
@@ -32,7 +32,7 @@ dependencies:
|
|
32
32
|
version: '2.3'
|
33
33
|
type: :runtime
|
34
34
|
prerelease: false
|
35
|
-
version_requirements: *
|
35
|
+
version_requirements: *70269260205440
|
36
36
|
description:
|
37
37
|
email: mail+git@niko-dittmann.com
|
38
38
|
executables: []
|
@@ -49,6 +49,7 @@ files:
|
|
49
49
|
- lib/rack/post-body-to-params.rb
|
50
50
|
- rack-post-body-to-params.gemspec
|
51
51
|
- test/helper.rb
|
52
|
+
- test/rce_test.rb
|
52
53
|
- test/test_post-body-to-params.rb
|
53
54
|
homepage: http://github.com/niko/rack-post-body-to-params
|
54
55
|
licenses: []
|