
security issue ruby/psych#119

bbenezech committed Feb 6, 2013
1 parent 5265c9d commit 3cc862d061f541200b93531122f7dac4b1c7a68b
Showing with 21 additions and 22 deletions.
  1. +0 −2 .rspec
  2. +11 −15 README.md
  3. +1 −1 lib/rails_admin/config/fields/types/serialized.rb
  4. +4 −0 lib/rails_admin/engine.rb
  5. +5 −4 rails_admin.gemspec
2 .rspec
@@ -1,4 +1,2 @@
--color
---fail-fast
---order random
--profile
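Review bot: dropping `--fail-fast` and `--order random` from `.rspec` is unrelated to the Psych fix named in the commit message and is not explained anywhere; either split it into its own commit or say why in the message. Losing `--order random` in particular means order-dependent specs will no longer be caught, so if the intent was just a stable local run, keep the option in `.rspec` and override it on the command line instead.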
@@ -30,24 +30,20 @@ Hoeven][plukevdh], and [Rein Henrichs][reinh].
## Announcements
-RailsAdmin model configuration is now lazy loaded.
+### [Action required] Security issue
-```ruby
-config.model 'Team' do
- ...
-end
-
-# or
-class Team
- rails_admin do
- ...
- end
-end
-```
+`RailsAdmin::Config::Fields::Types::Serialized#parse_input` was unsafe, because it was using the infamous `YAML#load`.
+
+To fix this, RailsAdmin now uses [safe_yaml](https://github.com/dtao/safe_yaml), with `enable_arbitrary_object_deserialization` and `suppress_warnings` on, for maximum compatibity with all existing apps.
+
+If you want to load safely YAML in your own app, you can use `YAML.load(something, safe: true)`
+
+If you use Serialized with RailsAdmin with non-totally-trusted users, your server is at risk. Update your gem to `> 0.4.3` (should be released any time soon) or to a [patched commit]()
+
+Rails3.0 and other branches may be at risk too, I strongly suggest to not use those any more.
-won't load the Team model.
+More information about the whole drama [here](https://github.com/tenderlove/psych/issues/119).
-Incidentally, you are only allowed one configuration block per model.
## Features
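Review bot: the `[patched commit]()` link on the `+If you use Serialized with RailsAdmin...` line has an empty URL and will render as a dead link; put the commit URL in, or remove the link until the release exists. In the same paragraph, `compatibity` should be `compatibility`, and `load safely YAML` reads better as `safely load YAML`. The `YAML.load(something, safe: true)` advice only works when the safe_yaml gem is loaded, because plain Psych does not understand a `:safe` option; the README should say so, and it should also state that with `enable_arbitrary_object_deserialization` on, only call sites that pass `safe: true` (here, `Serialized#parse_input`) are protected.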
@@ -13,7 +13,7 @@ class Serialized < RailsAdmin::Config::Fields::Types::Text
end
def parse_input(params)
- params[name] = (params[name].blank? ? nil : YAML.load(params[name])) if params[name].is_a?(::String)
+ params[name] = (params[name].blank? ? nil : YAML.load(params[name], :safe => true)) if params[name].is_a?(::String)
end
end
end
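Review bot: the `:safe => true` option on the `+ params[name] = ...` line is a safe_yaml extension rather than Psych API, so this line is only safe when `require 'safe_yaml'` has already run (it lives in `engine.rb` in this commit); an explicit `require 'safe_yaml'` at the top of this file, or at least a comment, would make that dependency visible and survive a refactor of the engine. No spec is added in this commit (the file list shows none); a spec feeding `parse_input` a `!ruby/object` document and asserting that no object is instantiated would guard the fix against regression.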
@@ -9,6 +9,10 @@
require 'nested_form'
require 'rails_admin'
+require 'safe_yaml'
+YAML.enable_arbitrary_object_deserialization!
+SafeYAML::OPTIONS[:suppress_warnings] = true
+
module RailsAdmin
class Engine < Rails::Engine
isolate_namespace RailsAdmin
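Review bot: `YAML.enable_arbitrary_object_deserialization!` is process-wide, so it puts every `YAML.load` call in the host application back into unsafe mode unless that call passes `:safe => true`, and `SafeYAML::OPTIONS[:suppress_warnings] = true` silences the warnings safe_yaml would otherwise print for those calls. That is a defensible compatibility trade-off for a 0.4.x patch, but it belongs in a comment here and in the README: an application that loads user-supplied YAML elsewhere gets no protection from this change, and the engine is now altering global YAML behaviour at require time.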
@@ -3,19 +3,20 @@ require File.expand_path('../lib/rails_admin/version', __FILE__)
Gem::Specification.new do |spec|
# If you add a dependency, please maintain alphabetical order
- spec.add_dependency 'nested_form', '~> 0.3'
- spec.add_dependency 'sass-rails', '~> 3.1'
spec.add_dependency 'bootstrap-sass', '~> 2.2'
- spec.add_dependency 'font-awesome-sass-rails', ['~> 3.0', '>= 3.0.0.1']
- spec.add_dependency 'jquery-ui-rails', '~> 3.0'
spec.add_dependency 'builder', '~> 3.0'
spec.add_dependency 'coffee-rails', '~> 3.1'
+ spec.add_dependency 'font-awesome-sass-rails', ['~> 3.0', '>= 3.0.0.1']
spec.add_dependency 'haml', '~> 3.1'
spec.add_dependency 'jquery-rails', '~> 2.1'
+ spec.add_dependency 'jquery-ui-rails', '~> 3.0'
spec.add_dependency 'kaminari', '~> 0.14'
+ spec.add_dependency 'nested_form', '~> 0.3'
spec.add_dependency 'rack-pjax', '~> 0.6'
spec.add_dependency 'rails', '~> 3.1'
spec.add_dependency 'remotipart', '~> 1.0'
+ spec.add_dependency 'safe_yaml', '~> 0.6'
+ spec.add_dependency 'sass-rails', '~> 3.1'
spec.authors = ["Erik Michaels-Ober", "Bogdan Gaza", "Petteri Kaapa", "Benoit Benezech"]
spec.description = %q{RailsAdmin is a Rails engine that provides an easy-to-use interface for managing your data.}
spec.email = ['sferik@gmail.com', 'bogdan@cadmio.org', 'petteri.kaapa@gmail.com']
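Review bot: the functional change in this hunk is the single `+ spec.add_dependency 'safe_yaml', '~> 0.6'` line; the other `+`/`-` pairs only move existing dependencies into alphabetical order. Mixing a reorder into a security fix makes the diff harder to audit; keep the reorder for a separate commit. The README tells users to update to `> 0.4.3`, but the file list shows no version bump in this commit, so the README link should point at the release commit once it exists.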