Whitelist classes and symbols that are in Gem spec YAML
This patch adds a method for loading YAML specs from a gem and whitelists classes and symbols that are allowed in the spec. Then it changes calls to YAML.load to call the whitelisted "safe" loader instead. [CVE-2017-0903]
Parent: 6e77ace. Commit: 510b163.
Showing 7 changed files with 55 additions and 5 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
module Gem | ||
|
||
### | ||
# This module is used for safely loading YAML specs from a gem. The | ||
# `safe_load` method defined on this module is specifically designed for | ||
# loading Gem specifications. For loading other YAML safely, please see | ||
# Psych.safe_load | ||
|
||
module SafeYAML | ||
WHITELISTED_CLASSES = %w( | ||
Symbol | ||
Time | ||
Date | ||
Gem::Dependency | ||
Gem::Platform | ||
Gem::Requirement | ||
Gem::Specification | ||
Gem::Version | ||
Gem::Version::Requirement | ||
YAML::Syck::DefaultKey | ||
Syck::DefaultKey | ||
) | ||
|
||
WHITELISTED_SYMBOLS = %w( | ||
development | ||
runtime | ||
) | ||
|
||
if ::YAML.respond_to? :safe_load | ||
def self.safe_load input | ||
::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true) | ||
end | ||
|
||
def self.load input | ||
::YAML.safe_load(input, [::Symbol]) | ||
end | ||
else | ||
warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)." | ||
def self.safe_load input, *args | ||
::YAML.load input | ||
end | ||
|
||
def self.load input | ||
::YAML.load input | ||
end | ||
end | ||
end | ||
end |
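Review bot: The `else` branch that follows the `warn` silently keeps the unsafe loader (`::YAML.load input`) for both `safe_load` and `load` when psych has no `safe_load`, so on such a Ruby this patch changes nothing but a warning while callers that were switched to `Gem::SafeYAML.safe_load` will assume the input is restricted; consider raising instead of falling back, or at least make the warning say that spec loading stays unrestricted. Two smaller points: the fallback `def self.safe_load input, *args` accepts extra arguments that the psych-backed `def self.safe_load input` does not, so the two branches expose different arities; and the `true` fourth argument to `::YAML.safe_load` enables YAML aliases for `safe_load` while the sibling `load` (`::YAML.safe_load(input, [::Symbol])`) leaves them off, so a comment explaining why spec loading needs aliases would help, since alias expansion is the usual reason safe loaders disable them by default.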