Fix: CVE-2013-0175, multi_xml parse vulnerability, require multi_xml …

…0.5.2.
ruby-grape · Jan 11, 2013 · e15b7c3 · reedloden · Jan 11, 2013 · dblock
1 parent 146e6d6
commit e15b7c3
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 4 deletions.
diff --git a/CHANGELOG.markdown b/CHANGELOG.markdown
@@ -2,6 +2,7 @@
 ====================
 
 * Fix: support content-type with character set when parsing POST and PUT input - [@dblock](http://github.com/dblock).
+* Fix: CVE-2013-0175, `multi_xml` parse vulnerability, require 'multi_xml' 0.5.2 - [@dblock](http://github.com/dblock).
 * Your contribution here.
 
 0.2.5 (01/10/2013)

diff --git a/grape.gemspec b/grape.gemspec
@@ -20,7 +20,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency 'activesupport'
   # s.add_runtime_dependency 'rack-jsonp'
   s.add_runtime_dependency 'multi_json', '>= 1.3.2'
-  s.add_runtime_dependency 'multi_xml'
+  s.add_runtime_dependency 'multi_xml', '>= 0.5.2'
   s.add_runtime_dependency 'hashie', '~> 1.2'
   s.add_runtime_dependency 'virtus'
   s.add_runtime_dependency 'builder'

diff --git a/lib/grape/middleware/formatter.rb b/lib/grape/middleware/formatter.rb
@@ -42,9 +42,13 @@ def read_body_input
                 if content_type_for(fmt)
                   parser = Grape::Parser::Base.parser_for fmt, options
                   unless parser.nil?
-                    body = parser.call body, env
-                    env['rack.request.form_hash'] = env['rack.request.form_hash'] ? env['rack.request.form_hash'].merge(body) : body
-                    env['rack.request.form_input'] = env['rack.input']
+                    begin
+                      body = parser.call body, env
+                      env['rack.request.form_hash'] = env['rack.request.form_hash'] ? env['rack.request.form_hash'].merge(body) : body
+                      env['rack.request.form_input'] = env['rack.input']
+                    rescue Exception => e
+                      throw :error, :status => 400, :message => e.message
+                    end
                   end
                 else
                   throw :error, :status => 406, :message => 'The requested content-type is not supported.'

diff --git a/spec/grape/api_spec.rb b/spec/grape/api_spec.rb
@@ -1116,6 +1116,16 @@ def self.call(object, env)
         last_response.body.should eql "elpmis"
       end
     end
+    context "muti_xml" do
+      it "doesn't parse yaml" do
+        subject.put :yaml do
+          params[:tag]
+        end
+        put '/yaml', '<tag type="symbol">a123</tag>', "CONTENT_TYPE" => "application/xml"
+        last_response.status.should == 400
+        last_response.body.should eql 'Disallowed type attribute: "symbol"'
+      end
+    end
   end
 
   describe '.default_error_status' do