
Safe YAML #777

Merged
merged 6 commits into from Jan 25, 2013

Conversation

6 participants
@mastahyeti
Contributor

mastahyeti commented Jan 23, 2013

With the recent Rails vulnerabilities it became clear that loading untrusted YAML can be dangerous. YAML provides syntax for (un)marshalling Ruby objects. If an attacker can control YAML that will be parsed by a server, he can force that server to instantiate arbitrary Ruby objects. This can be leveraged to accomplish arbitrary code execution.

The safe_yaml gem works around this and makes it safe to parse untrusted YAML. This PR implements safe_yaml across Jekyll.

/cc @mojombo @jnewland
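An added illustration of the hazard described in the opening comment (example code, not part of the pull request or of Jekyll). It uses Psych's built-in `YAML.safe_load`, which enforces the same "core types only" rule that the safe_yaml gem enforces, so it runs against a stock current Ruby without the gem. The `SiteHelper` class and both config documents are constructed for the demonstration; no real Jekyll class is involved.

```ruby
require 'yaml'

# Hypothetical application class, constructed for this example. Any class
# loaded in the process could be named by an attacker; this one merely
# records the data it was revived with so the effect is observable.
class SiteHelper
  attr_accessor :command
end

# Constructed _config.yml of the kind a tenant on a shared Jekyll host
# could submit. The !ruby/object tag asks the parser to build a SiteHelper
# instance instead of a plain Hash.
MALICIOUS_CONFIG = <<~YAML_DOC
  title: Totally Normal Site
  helper: !ruby/object:SiteHelper
    command: attacker-controlled string
YAML_DOC

# Constructed benign config that uses only scalars, sequences and maps.
BENIGN_CONFIG = <<~YAML_DOC
  title: My Blog
  markdown: kramdown
  exclude:
    - Gemfile
    - vendor
YAML_DOC

# Pre-PR behaviour: full Psych loading, which honours !ruby/object tags.
# Psych 4 made YAML.load safe by default and kept the old behaviour as
# YAML.unsafe_load; on older Psych, plain load is already the unsafe one.
def unsafe_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Class of the value the unsafe loader produced for the `helper` key.
def unsafe_helper_class(doc)
  unsafe_load(doc)['helper'].class
end

# Post-PR behaviour: a restricted loader that only emits core types and
# refuses any document that names a Ruby class. Returns :rejected when
# the document is refused, otherwise the parsed value.
def safe_load_or_reject(doc)
  YAML.safe_load(doc)
rescue Psych::DisallowedClass
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  obj = unsafe_load(MALICIOUS_CONFIG)['helper']
  puts "unsafe loader built #{obj.class} with command=#{obj.command.inspect}"
  puts "safe loader, malicious config: #{safe_load_or_reject(MALICIOUS_CONFIG).inspect}"
  puts "safe loader, benign config:    #{safe_load_or_reject(BENIGN_CONFIG).inspect}"
end
```

The unsafe path returns a live `SiteHelper` whose instance variable was populated by the attacker's document, which is the primitive the Rails advisories chained into code execution; the safe path raises `Psych::DisallowedClass` for that document while still parsing an ordinary site config unchanged.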

@mattr-

Member

mattr- commented Jan 24, 2013

This is great! Thanks for doing this. ❤️ I was just thinking the other day that I needed to check on this after discussing the various security issues Rails has had recently at work.

👍

@parkr

Member

parkr commented Jan 25, 2013

Looks great at first glance. Will look more closely later today.

@envygeeks

Contributor

envygeeks commented Jan 25, 2013

Maybe wait until the discussion is finished on ruby/psych#119?

@mastahyeti

Contributor

mastahyeti commented Jan 25, 2013

@envygeeks we can always revert the change if it gets fixed upstream.

@blambeau

blambeau commented Jan 25, 2013

Just curious about this. Do you have a scenario in mind where untrusted YAML parsing occurs in a Jekyll project? I don't use Jekyll very often, but I'm not sure I understand the need here.

@envygeeks

Contributor

envygeeks commented Jan 25, 2013

@blambeau It can happen to anybody who hosts/parses Jekyll based sites for others.

@blambeau

blambeau commented Jan 25, 2013

@envygeeks Oh, of course, I didn't even consider such a case ;-) The Ruby YAML parsing problem is definitely worth fixing ASAP.

@parkr

Member

parkr commented Jan 25, 2013

@mastahyeti Can you provide details of how one could exploit a Jekyll site? Considering that the pages aren't built on-the-fly, the vulnerability shouldn't apply.

@mastahyeti

Contributor

mastahyeti commented Jan 25, 2013

@parkr like @envygeeks said, in situations where Jekyll sites are being hosted for other people, an attacker could create a site using a malicious config.yml file. We were concerned about this on GitHub Pages and have been running a patched version of Jekyll for this reason.

@parkr

Member

parkr commented Jan 25, 2013

Ok. Then let's take this for now and we'll include it until the vulnerability in YAML is fixed, then we'll revert.

parkr added a commit that referenced this pull request Jan 25, 2013

@parkr parkr merged commit 4041579 into jekyll:master Jan 25, 2013

parkr added a commit that referenced this pull request Jan 25, 2013

@bootstraponline bootstraponline referenced this pull request Aug 13, 2014

Merged

Add plugin support #67

@jekyll jekyll locked and limited conversation to collaborators Feb 27, 2017