Use YAML.safe_load
There's a vulnerability in `YAML.load`
which can enable arbitrary code to be run.
`YAML.safe_load` does not deserialize unsafe classes.

Related reading:

* http://blog.codeclimate.com/blog/2013/01/10/rails-remote-code-execution-vulnerability-explained/
* ruby/psych#119
* http://docs.ruby-lang.org/en/2.1.0/Psych.html#method-c-safe_load

While Rubocop is generally run locally,
it could be used in server-side, hosted environments.

I can't think of a downside to using the `safe_load` version.

This change is intended to maintain backwards compatibility
with Ruby versions that appear to be supported by Rubocop
(judging by the `.travis.yml` file).

`Regexp` needs to be whitelisted.
Dan Croak committed Feb 26, 2015
1 parent 7c1c28e commit 36b857f
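The whitelist behaviour the commit message describes, as an added example that is not RuboCop's code: a `yaml_safe_load` helper in the spirit of the diff, but using the `permitted_classes:` keyword that Psych 3.1+ accepts (assumed available; the diff's positional `[Regexp]` form is the older API), run over three constructed config fragments to show what a `Regexp`-only whitelist accepts and what it refuses. `try_safe_load` is a hypothetical helper for the demonstration.

```ruby
require 'yaml'

# Mirrors the commit's helper, with the keyword form of Psych.safe_load
# (Psych >= 3.1 assumed). Only classes in `permitted` may be deserialized.
def yaml_safe_load(yaml_code, permitted: [Regexp])
  YAML.safe_load(yaml_code, permitted_classes: permitted)
end

# Returns [:ok, value] when the document loads under the whitelist, or
# [:disallowed, class_name] when Psych refuses a class outside it.
def try_safe_load(yaml_code, permitted: [Regexp])
  [:ok, yaml_safe_load(yaml_code, permitted: permitted)]
rescue Psych::DisallowedClass => e
  # Message looks like "Tried to load unspecified class: Regexp"
  [:disallowed, e.message[/class: (\S+)/, 1]]
end

# Constructed sample documents (not from the RuboCop repository).
# 1. Plain scalars and hashes: always fine under safe_load.
PLAIN_CONFIG = <<~YAML
  Style/StringLiterals:
    EnforcedStyle: double_quotes
YAML

# 2. A tagged Regexp: loads only because Regexp is whitelisted.
REGEXP_CONFIG = <<~YAML
  AllCops:
    Exclude:
      - !ruby/regexp /vendor/
YAML

# 3. An arbitrary object tag: refused regardless of the Regexp whitelist.
OBJECT_CONFIG = <<~YAML
  AllCops:
    Exclude: !ruby/object:OpenStruct {}
YAML

if $PROGRAM_NAME == __FILE__
  [PLAIN_CONFIG, REGEXP_CONFIG, OBJECT_CONFIG].each { |doc| p try_safe_load(doc) }
  p try_safe_load(REGEXP_CONFIG, permitted: []) # whitelist empty: Regexp refused
end
```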
Showing 1 changed file with 9 additions and 1 deletion.
10 changes: 9 additions & 1 deletion lib/rubocop/config_loader.rb
Expand Up @@ -114,7 +114,7 @@ def load_yaml_configuration(absolute_path)
# is not possible to reproduce now, but we want to avoid it in case
# it's still there. So we only load the YAML code if we find some real
# code in there.
hash = yaml_code =~ /^[A-Z]/i ? YAML.load(yaml_code) : {}
hash = yaml_code =~ /^[A-Z]/i ? yaml_safe_load(yaml_code) : {}
puts "configuration from #{absolute_path}" if debug?

unless hash.is_a?(Hash)
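Review bot: the `YAML.load` to `yaml_safe_load` swap on the `hash = ...` line changes the failure mode for configuration files, and the comment block above it should say so: with a whitelist of only `Regexp`, `safe_load` raises `Psych::DisallowedClass` for any other tagged class and for YAML symbols such as `:foo`, which `YAML.load` previously returned silently. Consider naming the whitelist in the comment and deciding whether `Symbol` belongs in it for existing `.rubocop.yml` files.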
Expand All @@ -124,6 +124,14 @@ def load_yaml_configuration(absolute_path)
hash
end

def yaml_safe_load(yaml_code)
if YAML.respond_to?(:safe_load) # Ruby 2.1+
YAML.safe_load(yaml_code, [Regexp])
else
YAML.load(yaml_code)
end
end

def resolve_inheritance(path, hash)
base_configs(path, hash['inherit_from']).reverse_each do |base_config|
base_config.each do |k, v|
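Review bot: the `else` branch of `yaml_safe_load` keeps the unsafe `YAML.load` path on interpreters without `safe_load`, and nothing tells the caller it got the weaker behaviour. Since `safe_load` comes from the `psych` gem rather than the interpreter itself, consider declaring a minimum `psych` version as a dependency so the branch is never taken, or at least `warn` when falling back. A short comment on `YAML.safe_load(yaml_code, [Regexp])` stating that the positional whitelist array is the Psych 2.0 API would also help, as later Psych releases moved to a `permitted_classes:` keyword.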
