safe_yaml 0.2.1 → 0.2.2

data/README.md ADDED
@@ -0,0 +1,41 @@
1
+ SafeYAML
2
+ ========
3
+
4
+ *Parse (simple) YAML safely, without that pesky arbitrary code execution vulnerability.*
5
+
6
+ ***
7
+
8
+ The **safe_yaml** gem offers an alternative to `YAML.load` suitable for accepting user input. Unlike `YAML.load`, `YAML.safe_load` will *not* expose your Ruby app to arbitrary code execution exploits (such as [the one recently discovered in Rails](http://www.reddit.com/r/netsec/comments/167c11/serious_vulnerability_in_ruby_on_rails_allowing/)).
9
+
10
+ Observe!
11
+
12
+ ```ruby
13
+ class ExploitableMap
14
+ def []=(key, value)
15
+ self.class.class_eval <<-EOS
16
+ def #{key}
17
+ return "#{value}"
18
+ end
19
+ EOS
20
+ end
21
+ end
22
+ ```
23
+
24
+ If your application were to contain code like this and use `YAML.load` anywhere on user input, an attacker could craft a YAML string to execute any code (yes, including `system("unix command")`) on your servers:
25
+
26
+ > yaml = <<-EOYAML
27
+ > --- !ruby/hash:ExploitableMap
28
+ > "foo; end; puts %(I'm in yr system!); def bar": "baz"
29
+ > EOYAML
30
+ => "--- !ruby/hash:ExploitableMap\n\"foo; end; puts %(I'm in yr system!); def bar\": \"baz\"\n"
31
+
32
+ > YAML.load(yaml)
33
+ I'm in yr system!
34
+ => #<ExploitableMap:0x007ffadca0ca10>
35
+
36
+ With `YAML.safe_load`, that attacker would be thwarted:
37
+
38
+ > YAML.safe_load(yaml)
39
+ => {"foo; end; puts %(I'm in yr system!); def bar"=>"baz"}
40
+
41
+ SafeYAML requires Ruby 1.9.2 or newer. Maybe I'll get around to writing a Syck handler eventually, at which point it could support older versions as well.
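Review bot: the README never states what `YAML.safe_load` does with tagged input. The transcript under `YAML.safe_load(yaml)` shows that the `!ruby/hash:ExploitableMap` tag is silently dropped and a plain `Hash` comes back rather than an error being raised, and the "(simple) YAML" qualifier in the tagline never lists which constructs are supported (scalars, sequences, mappings) or what happens to the rest. Spell both out so callers know that unexpected tags are discarded, not rejected, and that untagged but complex documents may not round-trip. Also, the two irb transcripts are bare `>` blockquotes while the `ExploitableMap` definition sits in a ```ruby fence; fencing the transcripts as well keeps the rendering consistent and stops Markdown from treating the `> --- !ruby/hash:ExploitableMap` line as a nested quote.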
@@ -1,3 +1,4 @@
1
+ require "psych"
1
2
  require "yaml"
2
3
 
3
4
  module SafeYAML
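Review bot: the new `require "psych"` ahead of `require "yaml"` is load-bearing (presumably so the `yaml` stdlib selects the Psych engine that lib/safe_yaml/handler.rb builds on, given the README's note that no Syck handler exists yet), but it is unconditional, so on a Ruby built without libyaml it fails at require time with a bare `LoadError` that says nothing about why. Wrap it in `begin … rescue LoadError` and re-raise with a message naming the Psych/libyaml requirement, or at minimum document that requirement beside the "Ruby 1.9.2 or newer" line in the README, and add a one-line comment above the require explaining why the ordering matters so a later tidy-up does not move it below `require "yaml"`.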
@@ -1,3 +1,3 @@
1
1
  module SafeYAML
2
- VERSION = "0.2.1"
2
+ VERSION = "0.2.2"
3
3
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: safe_yaml
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.1
4
+ version: 0.2.2
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -21,6 +21,7 @@ files:
21
21
  - .gitignore
22
22
  - Gemfile
23
23
  - Gemfile.lock
24
+ - README.md
24
25
  - Rakefile
25
26
  - lib/safe_yaml.rb
26
27
  - lib/safe_yaml/handler.rb