Use YAML.safe_load #1680
Conversation
There's a vulnerability in `YAML.load` which can enable arbitrary code to be run. `YAML.safe_load` does not deserialize unsafe classes. Related reading:

* http://blog.codeclimate.com/blog/2013/01/10/rails-remote-code-execution-vulnerability-explained/
* ruby/psych#119
* http://docs.ruby-lang.org/en/2.1.0/Psych.html#method-c-safe_load

While Rubocop is generally run locally, it could be used in server-side, hosted environments. I can't think of a downside to using the `safe_load` version. This change is intended to maintain backwards compatibility with Ruby versions that appear to be supported by Rubocop (judging by the `.travis.yml` file). `Regexp` needs to be whitelisted.
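An added example, not code from this PR or from RuboCop, showing the behaviour the change relies on: `safe_load` refuses any tagged class that is not allowlisted, so the `!ruby/regexp` tag used in RuboCop configuration must be permitted explicitly, while the legacy loader instantiates whatever class a document names. It assumes Ruby 2.6+/Psych 3.1+ (the `permitted_classes:` keyword); the `AuditRecord` class and both YAML documents are constructed for the example.

```ruby
require 'yaml'

# Stands in for "any class present in the process": an unsafe loader will
# instantiate it from a YAML tag. Constructed for this example.
class AuditRecord
  attr_accessor :note
end

# Constructed sample documents: the regexp tag a RuboCop config loader has to
# accept, and an arbitrary-object tag of the kind only an unsafe loader honours.
REGEXP_DOC = "!ruby/regexp '/\\A[\\p{Word}]+\\z/'"
OBJECT_DOC = "--- !ruby/object:AuditRecord\nnote: set by the document\n"

# Loads YAML the way the PR proposes: core scalar/collection types only, plus an
# explicit allowlist. Returns :disallowed when Psych refuses a tagged class.
def load_config(yaml, permitted: [])
  YAML.safe_load(yaml, permitted_classes: permitted)
rescue Psych::DisallowedClass
  :disallowed
end

# The legacy behaviour the PR removes: YAML.load on Psych < 4 instantiates any
# tagged class. Psych 4 renamed that loader to unsafe_load, so use whichever exists.
def load_unsafely(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# Name of the class an unsafe load would instantiate from the document.
def unsafe_instantiated_class(yaml)
  load_unsafely(yaml).class.name
end

if __FILE__ == $PROGRAM_NAME
  p load_config(REGEXP_DOC)                        # :disallowed
  p load_config(REGEXP_DOC, permitted: [Regexp])   # /\A[\p{Word}]+\z/
  p load_config(OBJECT_DOC)                        # :disallowed
  p unsafe_instantiated_class(OBJECT_DOC)          # "AuditRecord"
end
```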
You probably need to add

@bquorning Yup, sorry. Just realized that. Green locally. Pushed.

👍

Looking at the links to the documentation, I'm using ruby 2.2.2 which is producing an error because it looks like

@neilang I don't get the same problem with my installation `p YAML.safe_load("!ruby/regexp '/\A[\p{Word}]+\z/'", [Regexp])` in a program or My understanding is that

@jonas054 I have a similar setup. Digging deeper into this I've found that yaml is being patched by another gem in my bundle, which is the real cause of the issue.

```ruby
require 'yaml'
p YAML.safe_load("!ruby/regexp '/\A[\p{Word}]+\z/'", [Regexp])
=> /A[p{Word}]+z/

# once safe_yaml is loaded, the same call returns a String instead of a Regexp
require 'safe_yaml'
p YAML.safe_load("!ruby/regexp '/\A[\p{Word}]+\z/'", [Regexp])
=> "/A[p{Word}]+z/"
```

Sorry about that. Thanks for your help!

This is causing problems now for some reason... See #2055 -- I don't know enough to fix it...