
Commit 254e3d0

Jonathan Claudiussegiddins
Jonathan Claudius
authored andcommitted
Fix possible Unsafe Object Deserialization Vulnerability in gem owner
1 parent 92e98bf commit 254e3d0


2 files changed

+29
-1
lines changed


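--- a/lib/rubygems/commands/owner_command.rb
+++ b/lib/rubygems/commands/owner_command.rb
@@ -64,7 +64,7 @@ def show_owners name
 end
 
 with_response response do |resp|
-owners = YAML.load resp.body
+owners = Gem::SafeYAML.load resp.body
 
 say "Owners for gem: #{name}"
 owners.each do |owner|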
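Review bot: The new `Gem::SafeYAML.load` call on the added line can raise (the accompanying test expects `Psych::DisallowedClass` for a tagged object, and a malformed body would raise `Psych::SyntaxError`), and nothing in show_owners rescues it, so a bad or hostile server response surfaces as an uncaught exception with a backtrace rather than a reported error. Failing closed is the right outcome; consider rescuing around the load and reporting through the command's error UI, e.g. `rescue Psych::Exception => e` / `alert_error "Invalid owners response from #{Gem.host}: #{e.message}"` / `terminate_interaction 1`. The loaded value is also passed straight to `owners.each` on the last context line, so a body that parses to a scalar or nil would fail with NoMethodError; an `unless owners.is_a?(Array)` guard on the same error path would cover that. `Gem::SafeYAML` is not defined in this commit, so presumably it already exists elsewhere in the tree; show_owners starts and ends outside the hunk.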

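--- a/test/rubygems/test_gem_commands_owner_command.rb
+++ b/test/rubygems/test_gem_commands_owner_command.rb
@@ -2,6 +2,9 @@
 require 'rubygems/test_case'
 require 'rubygems/commands/owner_command'
 
+class Foo
+end
+
 class TestGemCommandsOwnerCommand < Gem::TestCase
 
 def setup
@@ -43,6 +46,31 @@ def test_show_owners
 assert_match %r{- 4}, @ui.output
 end
 
+def test_show_owners_dont_load_objects
+skip "testing a psych-only API" unless defined?(::Psych::DisallowedClass)
+
+response = <<EOF
+---
+- email: !ruby/object:Foo {}
+id: 1
+handle: user1
+- email: user2@example.com
+- id: 3
+handle: user3
+- id: 4
+EOF
+
+@fetcher.data["#{Gem.host}/api/v1/gems/freewill/owners.yaml"] = [response, 200, 'OK']
+
+assert_raises Psych::DisallowedClass do
+use_ui @ui do
+@cmd.show_owners("freewill")
+end
+end
+
+end
+
+
 def test_show_owners_setting_up_host_through_env_var
 response = "- email: user1@example.com\n"
 host = "http://rubygems.example"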
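Review bot: `class Foo` in the first hunk is defined at the top level of the test file, so it lands in the global namespace of the whole test run; a more distinctive name, or nesting it inside TestGemCommandsOwnerCommand and referencing it as `!ruby/object:TestGemCommandsOwnerCommand::Foo` in the fixture, avoids collisions with any other `Foo` the suite defines. A one-line comment on the class, such as `# Stand-in for an arbitrary class the owners response must not be allowed to instantiate`, would also explain why an empty class sits at the top of the file. The rendered page drops leading whitespace, so the indentation of the nested `id:`/`handle:` keys inside the `<<EOF` heredoc in the second hunk cannot be checked here; since a plain `<<EOF` keeps its content verbatim, that indentation is what makes those keys part of the preceding list item, and it should be confirmed in the actual file.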
