Permalink
Browse files

Whitelist classes and symbols that are in Gem spec YAML

This patch adds a method for loading YAML specs from a gem and
whitelists classes and symbols that are allowed in the spec.  Then it
changes calls to YAML.load to call the whitelisted "safe" loader
instead.

[CVE-2017-0903]
  • Loading branch information...
tenderlove authored and segiddins committed Oct 6, 2017
1 parent 6e77ace commit 510b1638ac9bba3ceb7a5d73135dafff9e5bab49
View
@@ -387,6 +387,7 @@ lib/rubygems/resolver/specification.rb
lib/rubygems/resolver/stats.rb
lib/rubygems/resolver/vendor_set.rb
lib/rubygems/resolver/vendor_specification.rb
lib/rubygems/safe_yaml.rb
lib/rubygems/security.rb
lib/rubygems/security/policies.rb
lib/rubygems/security/policy.rb
View
@@ -675,7 +675,7 @@ def self.load_yaml
unless test_syck
begin
gem 'psych', '>= 1.2.1'
gem 'psych', '>= 2.0.0'
rescue Gem::LoadError
# It's OK if the user does not have the psych gem installed. We will
# attempt to require the stdlib version
@@ -699,6 +699,7 @@ def self.load_yaml
end
require 'yaml'
require 'rubygems/safe_yaml'
# If we're supposed to be using syck, then we may have to force
# activate it via the YAML::ENGINE API.
@@ -345,7 +345,7 @@ def load_file(filename)
return {} unless filename and File.exist? filename
begin
content = YAML.load(File.read(filename))
content = Gem::SafeYAML.load(File.read(filename))
unless content.kind_of? Hash
warn "Failed to load #{filename} because it doesn't contain valid YAML hash"
return {}
View
@@ -468,7 +468,7 @@ def read_checksums gem
@checksums = gem.seek 'checksums.yaml.gz' do |entry|
Zlib::GzipReader.wrap entry do |gz_io|
YAML.load gz_io.read
Gem::SafeYAML.safe_load gz_io.read
end
end
end
@@ -101,7 +101,7 @@ def file_list io # :nodoc:
header << line
end
YAML.load header
Gem::SafeYAML.safe_load header
end
##
View
@@ -0,0 +1,48 @@
module Gem
###
# This module is used for safely loading YAML specs from a gem. The
# `safe_load` method defined on this module is specifically designed for
# loading Gem specifications. For loading other YAML safely, please see
# Psych.safe_load
module SafeYAML
WHITELISTED_CLASSES = %w(
Symbol
Time
Date
Gem::Dependency
Gem::Platform
Gem::Requirement
Gem::Specification
Gem::Version
Gem::Version::Requirement
YAML::Syck::DefaultKey
Syck::DefaultKey
)
WHITELISTED_SYMBOLS = %w(
development
runtime
)
if ::YAML.respond_to? :safe_load
def self.safe_load input
::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true)
end
def self.load input
::YAML.safe_load(input, [::Symbol])
end
else
warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
def self.safe_load input, *args
::YAML.load input
end
def self.load input
::YAML.load input
end
end
end
end
@@ -1101,7 +1101,7 @@ def self.from_yaml(input)
Gem.load_yaml
input = normalize_yaml_input input
spec = YAML.load input
spec = Gem::SafeYAML.safe_load input
if spec && spec.class == FalseClass then
raise Gem::EndOfYAMLException

0 comments on commit 510b163

Please sign in to comment.