Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

added support for Psych > 3.1.0 by using new syntax #101

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

added support for Psych > 3.1.0 by using new syntax #101

wants to merge 2 commits into from

Conversation

skudryk
Copy link

@skudryk skudryk commented Jan 4, 2022

No description provided.

@matoro
Copy link

matoro commented Jun 17, 2022

Hi, I'm trying to use this patch to work with psych 4.x, but there are still 8 test failures. Any idea if this can be extended to address these?

Failures:                                                                                                                                                                                       
                                                                                                                                                                                                
  1) Psych unsafe_load allows exploits through objects defined in YAML w/ !ruby/hash via custom :[]= methods                                                                                    
     Failure/Error: expect(backdoor).to be_exploited_through_setter                                                                                                                             
       expected {"foo"=>"bar"} to respond to `exploited_through_setter?`                                                                                                                        
     # ./spec/safe_yaml_spec.rb:31:in `block (3 levels) in <top (required)>'                                                                                                                    
                                                                                                                                                                                                
  2) Psych unsafe_load allows exploits through objects defined in YAML w/ !ruby/object via the :init_with method                                                                                
     Failure/Error: expect(backdoor).to be_exploited_through_init_with                                                                                                                          
       expected {"foo"=>"bar"} to respond to `exploited_through_init_with?`                                                                                                                     
     # ./spec/safe_yaml_spec.rb:36:in `block (3 levels) in <top (required)>'

  3) Psych unsafe_load allows exploits through objects w/ sensitive instance variables defined in YAML w/ !ruby/object
     Failure/Error: expect(backdoor).to be_exploited_through_ivars
       expected {"foo"=>"bar"} to respond to `exploited_through_ivars?`
     # ./spec/safe_yaml_spec.rb:42:in `block (3 levels) in <top (required)>'

  4) Psych unsafe_load with special whitelisted tags defined effectively ignores the whitelist (since everything is whitelisted)
     Failure/Error: expect(result.backdoor).to be_exploited_through_ivars
       expected nil to respond to `exploited_through_ivars?`
     # ./spec/safe_yaml_spec.rb:59:in `block (4 levels) in <top (required)>'

  5) Psych unsafe_load_file allows exploits through objects defined in YAML w/ !ruby/hash via custom :[]= methods
     Failure/Error: File.open(filename, 'r:bom|utf-8') { |f| self.unsafe_load(f, filename) }
      
     ArgumentError:
       wrong number of arguments (given 2, expected 1)
     # ./lib/safe_yaml.rb:39:in `block in unsafe_load_file'
     # ./lib/safe_yaml.rb:39:in `open'
     # ./lib/safe_yaml.rb:39:in `unsafe_load_file'
     # ./spec/safe_yaml_spec.rb:478:in `block (3 levels) in <top (required)>'

  6) Psych unsafe_load_file allows exploits through objects defined in YAML w/ !ruby/object via the :init_with method
     Failure/Error: File.open(filename, 'r:bom|utf-8') { |f| self.unsafe_load(f, filename) }
      
     ArgumentError:
       wrong number of arguments (given 2, expected 1)
     # ./lib/safe_yaml.rb:39:in `block in unsafe_load_file'
     # ./lib/safe_yaml.rb:39:in `open'
     # ./lib/safe_yaml.rb:39:in `unsafe_load_file'
     # ./spec/safe_yaml_spec.rb:485:in `block (3 levels) in <top (required)>'

  7) Psych unsafe_load_file allows exploits through objects w/ sensitive instance variables defined in YAML w/ !ruby/object
     Failure/Error: File.open(filename, 'r:bom|utf-8') { |f| self.unsafe_load(f, filename) }
      
     ArgumentError:
       wrong number of arguments (given 2, expected 1)
     # ./lib/safe_yaml.rb:39:in `block in unsafe_load_file'
     # ./lib/safe_yaml.rb:39:in `open'
     # ./lib/safe_yaml.rb:39:in `unsafe_load_file'
     # ./spec/safe_yaml_spec.rb:491:in `block (3 levels) in <top (required)>'

  8) Psych load as long as a :default_mode has been specified doesn't issue a warning for unsafe mode, since an explicit mode has been set
     Failure/Error: unsafe_load(*arguments)
      
     ArgumentError:
       wrong number of arguments (given 2, expected 1)
     # ./lib/safe_yaml.rb:15:in `load_with_options'
     # ./spec/safe_yaml_spec.rb:533:in `block (4 levels) in <top (required)>'

Finished in 1.53 seconds (files took 2.18 seconds to load)
134 examples, 8 failures, 1 pending

Failed examples:

rspec ./spec/safe_yaml_spec.rb:29 # Psych unsafe_load allows exploits through objects defined in YAML w/ !ruby/hash via custom :[]= methods
rspec ./spec/safe_yaml_spec.rb:34 # Psych unsafe_load allows exploits through objects defined in YAML w/ !ruby/object via the :init_with method
rspec ./spec/safe_yaml_spec.rb:40 # Psych unsafe_load allows exploits through objects w/ sensitive instance variables defined in YAML w/ !ruby/object
rspec ./spec/safe_yaml_spec.rb:50 # Psych unsafe_load with special whitelisted tags defined effectively ignores the whitelist (since everything is whitelisted)
rspec ./spec/safe_yaml_spec.rb:477 # Psych unsafe_load_file allows exploits through objects defined in YAML w/ !ruby/hash via custom :[]= methods
rspec ./spec/safe_yaml_spec.rb:484 # Psych unsafe_load_file allows exploits through objects defined in YAML w/ !ruby/object via the :init_with method
rspec ./spec/safe_yaml_spec.rb:490 # Psych unsafe_load_file allows exploits through objects w/ sensitive instance variables defined in YAML w/ !ruby/object
rspec ./spec/safe_yaml_spec.rb:530 # Psych load as long as a :default_mode has been specified doesn't issue a warning for unsafe mode, since an explicit mode has been set

thesamesam added a commit to thesamesam/gentoo that referenced this pull request Mar 25, 2023
@thesamesam
dev-ruby/safe_yaml: add note why no >= ruby30 yet
a482438 
Bug: dtao/safe_yaml#100
Bug: dtao/safe_yaml#101
Signed-off-by: Sam James <sam@gentoo.org>
gentoo-bot pushed a commit to gentoo/gentoo that referenced this pull request Mar 25, 2023
@thesamesam
dev-ruby/safe_yaml: add note why no >= ruby30 yet
d65d8f8 
Bug: dtao/safe_yaml#100
Bug: dtao/safe_yaml#101
Signed-off-by: Sam James <sam@gentoo.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@skudryk @matoro