rack-post-body-to-params 0.1.7 → 0.1.8
- data/README.rdoc +1 -1
- data/VERSION +1 -1
- data/lib/rack/post-body-to-params.rb +7 -4
- data/rack-post-body-to-params.gemspec +3 -3
- data/test/test_post-body-to-params.rb +25 -0
- metadata +17 -7
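--- a/data/README.rdoc
+++ b/data/README.rdoc
@@ -1,6 +1,6 @@
 = Security advice
 
-Rack::PostBodyToParams is affected by every Rails security issue induced by YAML deserialization for HTTP POST bodys as it just uses ActionSupport for that. You should either upgrade ActiveSupport or require 'safe_yaml'. As of version 0.1.6 Rack::PostBodyToParams will
+Rack::PostBodyToParams is affected by every Rails security issue induced by YAML deserialization for HTTP POST bodys as it just uses ActionSupport for that. You should either upgrade ActiveSupport or require the 'safe_yaml' gem. As of version 0.1.6 Rack::PostBodyToParams will prevent you from initializing if the XML parser is unsafe. It defaults to ActiveSupports Hash#from_xml.
 
 = Rack::PostBodyToParams
 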
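--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-0.1.
+0.1.8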
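--- a/data/lib/rack/post-body-to-params.rb
+++ b/data/lib/rack/post-body-to-params.rb
@@ -28,6 +28,8 @@ module Rack
 raise Exception, 'Please educate about the ActiveSupport YAML remote code execution vulnerability and take measures. Either install and require safe_yaml or upgrade ActiveSupport'
 end
 end
+
+class YamlNotSafe < Exception; end
 
 # Constants
 #
@@ -70,11 +72,12 @@ module Rack
 # Check wether we're vulnerable via YAML:
 begin
 parsers[APPLICATION_XML].call %Q{<?xml version="1.0" encoding="UTF-8"?><bang type="yaml">--- !ruby/hash:Rack::PostBodyToParams::RCETEST\n foo: bar</bang>}
+# We shouldn't get here, the safe thing is to throw an exception (which ActiveSupport 3.1.x+ and safe_yaml )
+raise YamlNotSafe, 'Please educate about the ActiveSupport YAML remote code execution vulnerability and take measures. Either install and require safe_yaml or upgrade ActiveSupport'
+rescue YamlNotSafe => yns
+raise yns
 rescue Exception => e
-#
-unless e.kind_of?(Hash::DisallowedType)
-raise Exception, 'Please educate about the ActiveSupport YAML remote code execution vulnerability and take measures. Either install and require safe_yaml or upgrade ActiveSupport'
-end
+# Do nothing, we expect this to happen when we have safe parsing
 end
 
 @app = app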
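Review bot: The rewritten rescue at new lines 79–80 now treats any exception raised by the probe parse as proof that YAML is refused, whereas the removed lines only accepted `Hash::DisallowedType`; a missing or misconfigured XML parser (`parsers[APPLICATION_XML]` being nil, a NameError, a syntax error from a different backend) therefore silently passes the vulnerability check at init. `rescue Exception` also traps `SystemExit` and `Interrupt` during initialization, and it is the only reason the new `rescue YamlNotSafe => yns` / `raise yns` pair is needed, since `YamlNotSafe` derives from `Exception`. I would rescue `StandardError` instead and accept only the disallowed-type classes the test file already enumerates (`Hash::DisallowedType`, `ActiveSupport::XMLConverter::DisallowedType`), raising `YamlNotSafe` for anything else so an unrelated parser failure can never be mistaken for a safe configuration. The comment on new line 75 is also missing its verb: `# We shouldn't get here, the safe thing is to throw an exception (which ActiveSupport 3.1.x+ and safe_yaml do)`. The enclosing method starts before this hunk and continues after it.
```ruby
begin
  # … unchanged: probe parse with the yaml-typed <bang> element, then raise YamlNotSafe …
rescue StandardError => e
  # Only a "disallowed type" rejection proves the parser refuses YAML; any other
  # failure (no parser, NameError, syntax error) must not be mistaken for safety.
  expected = []
  expected << Hash::DisallowedType if Hash.const_defined?("DisallowedType")
  expected << ActiveSupport::XMLConverter::DisallowedType if defined?(ActiveSupport::XMLConverter::DisallowedType)
  unless expected.any? { |klass| e.kind_of?(klass) }
    raise YamlNotSafe, "XML parser failed for an unexpected reason (#{e.class}: #{e.message}); cannot verify that YAML deserialization is disabled"
  end
end
```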
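--- a/data/rack-post-body-to-params.gemspec
+++ b/data/rack-post-body-to-params.gemspec
@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
 s.name = "rack-post-body-to-params"
-s.version = "0.1.
+s.version = "0.1.8"
 
 s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
 s.authors = ["Niko Dittmann"]
-s.date = "2013-
+s.date = "2013-09-12"
 s.email = "mail+git@niko-dittmann.com"
 s.extra_rdoc_files = [
 "LICENSE",
@@ -29,7 +29,7 @@ Gem::Specification.new do |s|
 ]
 s.homepage = "http://github.com/niko/rack-post-body-to-params"
 s.require_paths = ["lib"]
-s.rubygems_version = "1.8.
+s.rubygems_version = "1.8.25"
 s.summary = "A Rack middleware that parses the POST or PUT body for JSON or XML content to a Hash and puts it into the rack.request.form_hash. Most frameworks get the params hash from there. Uses ActiveSupport and the respective parsers for parsing. So you can set it up to use Nokogiri and YajL. Useful for example when writing JSON and XML API apps with Sinatra or Padrino."
 
 if s.respond_to? :specification_version then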
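--- a/data/test/test_post-body-to-params.rb
+++ b/data/test/test_post-body-to-params.rb
@@ -121,6 +121,31 @@ class TestPostBodyToParams < Test::Unit::TestCase
 assert_equal 'application/xml', header['Content-Type']
 assert_match /xml-syntax-error/, body.first
 end
+should "check at init to make sure yaml parsing will not happen" do
+test_app = TestApp.new
+if Hash.const_defined?("DisallowedType")
+Hash::DISALLOWED_XML_TYPES.delete("yaml")
+begin
+assert_raise Rack::PostBodyToParams::YamlNotSafe do
+Rack::PostBodyToParams.new test_app
+end
+ensure
+Hash::DISALLOWED_XML_TYPES << "yaml"
+end
+elsif Kernel.const_defined?("ActiveSupport") &&
+ActiveSupport.const_defined?("XMLConverter") &&
+ActiveSupport::XMLConverter.const_defined?("DisallowedType")
+ActiveSupport::XMLConverter::DISALLOWED_TYPES.delete("yaml")
+begin
+assert_raise Rack::PostBodyToParams::YamlNotSafe do
+Rack::PostBodyToParams.new test_app
+end
+ensure
+ActiveSupport::XMLConverter::DISALLOWED_TYPES << "yaml"
+end
+end
+end
+
 end
 
 end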
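Review bot: The new should-block at lines 124–147 passes vacuously when neither `Hash::DisallowedType` nor `ActiveSupport::XMLConverter::DisallowedType` is defined, because the `if`/`elsif` has no `else`, so on exactly the ActiveSupport versions where the init guard is most in question no assertion runs at all. Add an explicit failure branch: `else` / `flunk "no known DisallowedType constant found; cannot exercise the YamlNotSafe guard"`. Both `ensure` branches also push `"yaml"` back unconditionally, so if `delete` found nothing the global list gains a duplicate; `Hash::DISALLOWED_XML_TYPES << "yaml" unless Hash::DISALLOWED_XML_TYPES.include?("yaml")` (and the same for the XMLConverter list) restores the original state instead. The first branch keys on `Hash::DisallowedType` but mutates `Hash::DISALLOWED_XML_TYPES`; presumably both are defined together, but checking the constant that is actually mutated would be more robust.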
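--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-post-body-to-params
 version: !ruby/object:Gem::Version
-version: 0.1.
+version: 0.1.8
 prerelease:
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-
+date: 2013-09-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: shoulda
-requirement:
+requirement: !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ! '>='
@@ -21,10 +21,15 @@ dependencies:
 version: '0'
 type: :development
 prerelease: false
-version_requirements:
+version_requirements: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
 - !ruby/object:Gem::Dependency
 name: activesupport
-requirement:
+requirement: !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ! '>='
@@ -32,7 +37,12 @@ dependencies:
 version: '2.3'
 type: :runtime
 prerelease: false
-version_requirements:
+version_requirements: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '2.3'
 description:
 email: mail+git@niko-dittmann.com
 executables: []
@@ -71,7 +81,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 1.8.
+rubygems_version: 1.8.25
 signing_key:
 specification_version: 3
 summary: A Rack middleware that parses the POST or PUT body for JSON or XML content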