Whitelist YAML classes demarshalled from metadata Edit

app/controllers/api/v1/rubygems_controller.rb

@@ -23,10 +23,9 @@ def show
   end
 
   def create
-    render :text => "Pushing is temporarily disabled. Please check http://status.rubygems.org for more info.", :status => 503
-    #gemcutter = Pusher.new(current_user, request.body, request.host_with_port)
-    #gemcutter.process
-    #render :text => gemcutter.message, :status => gemcutter.code
+    gemcutter = Pusher.new(current_user, request.body, request.host_with_port)
+    gemcutter.process
+    render :text => gemcutter.message, :status => gemcutter.code
   end
 
   def yank

app/models/pusher.rb

@@ -38,6 +38,9 @@ def pull_spec
     end
 
     false
+  rescue Psych::ForbiddenClassException => e
+    Rails.logger.info "Attempted YAML metadata exploit: #{e}"
+    notify("RubyGems.org cannot process this gem.\nThe metadata is invalid.\n#{e}", 422)
   rescue Gem::Package::FormatError
     notify("RubyGems.org cannot process this gem.\nPlease try rebuilding it" +
            " and installing it locally to make sure it's valid.", 422)
@@ -48,7 +51,7 @@ def pull_spec
   end
 
   def find
-    @rubygem = Rubygem.find_or_initialize_by_name(spec.name)
+    @rubygem = Rubygem.find_or_initialize_by_name(spec.name.to_s)
     @version = @rubygem.find_or_initialize_version_from_spec(spec)
 
     if @version.new_record?

config/initializers/forbidden_yaml.rb

@@ -0,0 +1,67 @@
+# XXX: This is purely a monkey patch to close the exploit vector for now, a more
+# permanent solution should be pushed upstream into rubygems.
+
+require "rubygems"
+
+# Assert we're using Psych
+abort "Use Psych for YAML, install libyaml and reinstall ruby" unless YAML == Psych
+
+module Psych
+  class ForbiddenClassException < Exception
+  end
+
+  module Visitors
+    class WhitelistedToRuby < ToRuby
+      WHITELISTED_CLASSES = %w(
+        Gem::Dependency
+        Gem::Platform
+        Gem::Requirement
+        Gem::Specification
+        Gem::Version
+        Gem::Version::Requirement
+      )
+
+     def deserialize o
+        if klass = Psych.load_tags[o.tag]
+          raise ForbiddenClassException, "Forbidden class in YAML: #{klassname}" unless WHITELISTED_CLASSES.include? klass.name
+        end
+
+        super
+      end
+
+    private
+
+      def resolve_class klassname
+        raise ForbiddenClassException, "Forbidden class in YAML: #{klassname}" unless WHITELISTED_CLASSES.include? klassname
+        super klassname
+      end
+    end
+  end
+end
+
+module Gem
+  class Specification
+    def self.from_yaml input
+      input = normalize_yaml_input input
+      nodes = Psych.parse input
+      spec = Psych::Visitors::WhitelistedToRuby.new.accept nodes
+
+      if spec && spec.class == FalseClass then
+        raise Gem::EndOfYAMLException
+      end
+
+      unless Gem::Specification === spec then
+        raise Gem::Exception, "YAML data doesn't evaluate to gem specification"
+      end
+
+      unless (spec.instance_variables.include? '@specification_version' or
+              spec.instance_variables.include? :@specification_version) and
+             spec.instance_variable_get :@specification_version
+        spec.instance_variable_set :@specification_version,
+                                   NONEXISTENT_SPECIFICATION_VERSION
+      end
+
+      spec
+    end
+  end
+end

test/unit/pusher_test.rb

@@ -80,6 +80,17 @@ class PusherTest < ActiveSupport::TestCase
       assert_equal @cutter.code, 422
     end
 
+    should "not be able to pull spec with metadata containing bad ruby objects" do
+      @gem = gem_file("exploit.gem")
+      @cutter = Pusher.new(@user, @gem)
+      @cutter.pull_spec
+      assert_nil @cutter.spec
+      assert_match %r{RubyGems\.org cannot process this gem}, @cutter.message
+      assert_match %r{The metadata is invalid.}, @cutter.message
+      assert_match %r{ActionController::Routing::RouteSet::NamedRouteCollection}, @cutter.message
+      assert_equal @cutter.code, 422
+    end
+
     should "post info to the remote bundler API" do
       @cutter.pull_spec