safe_yaml 0.2.1 → 0.2.2
- data/README.md +41 -0
- data/lib/safe_yaml/handler.rb +1 -0
- data/lib/safe_yaml/version.rb +1 -1
- metadata +2 -1
data/README.md
ADDED
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
SafeYAML
|
|
2
|
+
========
|
|
3
|
+
|
|
4
|
+
*Parse (simple) YAML safely, without that pesky arbitrary code execution vulnerability.*
|
|
5
|
+
|
|
6
|
+
***
|
|
7
|
+
|
|
8
|
+
The **safe_yaml** gem offers an alternative to `YAML.load` suitable for accepting user input. Unlike `YAML.load`, `YAML.safe_load` will *not* expose your Ruby app to arbitrary code execution exploits (such as [the one recently discovered in Rails](http://www.reddit.com/r/netsec/comments/167c11/serious_vulnerability_in_ruby_on_rails_allowing/)).
|
|
9
|
+
|
|
10
|
+
Observe!
|
|
11
|
+
|
|
12
|
+
```ruby
|
|
13
|
+
class ExploitableMap
|
|
14
|
+
def []=(key, value)
|
|
15
|
+
self.class.class_eval <<-EOS
|
|
16
|
+
def #{key}
|
|
17
|
+
return "#{value}"
|
|
18
|
+
end
|
|
19
|
+
EOS
|
|
20
|
+
end
|
|
21
|
+
end
|
|
22
|
+
```
|
|
23
|
+
|
|
24
|
+
If your application were to contain code like this and use `YAML.load` anywhere on user input, an attacker could craft a YAML string to execute any code (yes, including `system("unix command")`) on your servers:
|
|
25
|
+
|
|
26
|
+
> yaml = <<-EOYAML
|
|
27
|
+
> --- !ruby/hash:ExploitableMap
|
|
28
|
+
> "foo; end; puts %(I'm in yr system!); def bar": "baz"
|
|
29
|
+
> EOYAML
|
|
30
|
+
=> "--- !ruby/hash:ExploitableMap\n\"foo; end; puts %(I'm in yr system!); def bar\": \"baz\"\n"
|
|
31
|
+
|
|
32
|
+
> YAML.load(yaml)
|
|
33
|
+
I'm in yr system!
|
|
34
|
+
=> #<ExploitableMap:0x007ffadca0ca10>
|
|
35
|
+
|
|
36
|
+
With `YAML.safe_load`, that attacker would be thwarted:
|
|
37
|
+
|
|
38
|
+
> YAML.safe_load(yaml)
|
|
39
|
+
=> {"foo; end; puts %(I'm in yr system!); def bar"=>"baz"}
|
|
40
|
+
|
|
41
|
+
SafeYAML requires Ruby 1.9.2 or newer. Maybe I'll get around to writing a Syck handler eventually, at which point it could support older versions as well.
|
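Review bot: the two irb transcripts in the new README (`> yaml = <<-EOYAML` through `=> #<ExploitableMap:0x007ffadca0ca10>`, and `> YAML.safe_load(yaml)` with its `=>` result) sit outside any fenced block, so Markdown will render the `>`-prefixed lines as blockquotes and the `=>` lines as ordinary paragraphs instead of a console session; wrap each transcript in the same ```` ```ruby ```` fence style already used for the `ExploitableMap` class. The README also never shows how the gem is loaded: `YAML.safe_load` is introduced as the alternative to `YAML.load`, but there is no `gem install` or `require` line, so a reader cannot tell whether `safe_load` is something this gem adds or core behaviour; a short installation/usage section before "Observe!" would close that gap. Finally, the text says `safe_load` is "suitable for accepting user input" and the example shows it returning a plain Hash, but it does not say which YAML tags and types are accepted or rejected; one sentence stating what `!ruby/...` tags become under `safe_load` would let users judge whether it is safe for their input.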
data/lib/safe_yaml/handler.rb
CHANGED
data/lib/safe_yaml/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: safe_yaml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.2
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
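Review bot: the only change in this hunk is the gemspec version string (`version: 0.2.2`), while the companion change in data/lib/safe_yaml/version.rb is listed in the summary as +1 -1 but its hunk is not rendered here; confirm the constant in version.rb was bumped to the same value, since the generated metadata and the library's own version constant drift apart easily. Note also that the removed line is shown truncated as `version: 0.2.` in this view, so the previous value cannot be verified from the diff alone.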
@@ -21,6 +21,7 @@ files:
|
|
|
21
21
|
- .gitignore
|
|
22
22
|
- Gemfile
|
|
23
23
|
- Gemfile.lock
|
|
24
|
+
- README.md
|
|
24
25
|
- Rakefile
|
|
25
26
|
- lib/safe_yaml.rb
|
|
26
27
|
- lib/safe_yaml/handler.rb
|