
Patch against RCE #5

Open
ilpianista commented Mar 3, 2019

Use SafeYAML to read 3rd-party YAMLs to prevent RCE.

To reproduce, replace sources.yaml with this payload. An attacker could do the same to any schema or template repository.

Patch against RCE
Use SafeYAML to prevent RCE.

@ilpianista ilpianista force-pushed the ilpianista:master branch from bab6ecd to 2acd35c Mar 3, 2019

obahareth commented Mar 4, 2019

Thanks for the contribution @ilpianista!

I have a couple of questions and requests:

  1. Can we use the version of SafeYAML that doesn't patch the YAML module [mentioned here](https://github.com/dtao/safe_yaml#what-if-i-dont-want-to-patch-yaml)?

  2. Does this impact performance in any way (e.g. are there any YAML vs SafeYAML benchmarks)?

  3. Can you use the Ruby 1.9 hash literal syntax instead of hashrockets, e.g. `safe: true` instead of `:safe => true` (My fault, I should have a formatter in the repo and unit tests actually)?

ilpianista commented Mar 4, 2019

> 1. Can we use the version of SafeYAML that doesn't patch the YAML module [mentioned here](https://github.com/dtao/safe_yaml#what-if-i-dont-want-to-patch-yaml)?

If you like it better that way, yes, of course I can also invoke SafeYAML explicitly.

> 2. Does this impact performance in any way (e.g. are there any YAML vs SafeYAML benchmarks)?

I don't know, but what are the alternatives here?

> 3. Can you use the Ruby 1.9 hash literal syntax instead of hashrockets, e.g. `safe: true` instead of `:safe => true` (My fault, I should have a formatter in the repo and unit tests actually)?

Ok, sure.
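The safe-loading pattern this PR proposes (reading third-party `sources.yaml`, schema and template files without letting YAML tags instantiate arbitrary Ruby objects) and the explicit, non-patching invocation discussed in the thread, shown as an added example that is not the project's or SafeYAML's own code. It uses Psych's stdlib `YAML.safe_load` as the counterpart of calling SafeYAML explicitly; the `sources.yaml` layout and the file contents are constructed for the demonstration.

```ruby
require 'yaml'

# Load a YAML document fetched from a third-party repository.
# YAML.safe_load only revives plain scalars, arrays and hashes; any
# object-instantiating tag (e.g. !ruby/object:...) or symbol raises
# Psych::DisallowedClass before a constructor can run. This is the same
# goal as invoking SafeYAML explicitly rather than patching YAML.load.
def load_third_party_yaml(text)
  doc = YAML.safe_load(text)
  # The (hypothetical) sources.yaml layout is a top-level mapping;
  # anything else is treated as malformed input, not silently used.
  raise ArgumentError, "expected a mapping at top level, got #{doc.class}" unless doc.is_a?(Hash)
  doc
rescue Psych::DisallowedClass, Psych::SyntaxError => e
  raise ArgumentError, "rejected untrusted YAML: #{e.message}"
end

# Constructed sample: a benign sources file a schema/template repo might ship.
BENIGN_SOURCES = <<~YAML
  templates:
    - name: example
      url: https://example.invalid/templates.git
YAML

# Constructed sample: the same file carrying a Ruby object tag. The tag
# targets a harmless class here; safe_load rejects any unpermitted class.
TAGGED_SOURCES = <<~YAML
  templates: !ruby/object:Object {}
YAML

# Classify a document as accepted or rejected without raising to the caller.
def check(text)
  load_third_party_yaml(text)
  :accepted
rescue ArgumentError
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  puts "benign: #{check(BENIGN_SOURCES)}"   # accepted
  puts "tagged: #{check(TAGGED_SOURCES)}"   # rejected
end
```

Where a file legitimately needs a specific class (dates, for instance), permit it explicitly via `permitted_classes:` rather than falling back to an unrestricted load.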
