
Detect and reject Ruby objects sent in YAML format #43

Closed
brynary opened this Issue Jan 31, 2013 · 7 comments


brynary commented Jan 31, 2013

In light of the YAML security issues, my proposal is that rack-protection detect the presence of Ruby objects serialized as YAML (can look for !ruby I think), and reject the request.

Thoughts?

Owner

rkh commented Jan 31, 2013

This would be possible if the request Content-Type is set properly, I guess. Unless we start parsing XML though, this would not have prevented the attack on rails and even then not the one on RubyGems.org. I haven't seen many APIs that support posting YAML to it directly, tbh.

brynary commented Jan 31, 2013

Could we be more general and just grep the entire request-as-a-string? It could be hidden in a header value, for example.

This would be a defense-in-depth measure against another vulnerability deeper in the stack, and also an early warning tripwire if you are under attack.

Owner

rkh commented Jan 31, 2013

So block anything that contains the string !ruby?

brynary commented Jan 31, 2013

"--- !ruby" maybe


Owner

rkh commented Jan 31, 2013

No, that won't do it. You can place the object in an array or hash.

brynary commented Jan 31, 2013

Ah, yeah then I think it would have to be "!ruby"


Contributor

mkristian commented Mar 1, 2013

I think the best way to protect your application from "unsafe" YAML is adding https://github.com/dtao/safe_yaml to your project. What about XML and JSON: do your parsers for those allow object instantiation like YAML?

Just my 2 cents...
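The two ideas in this thread, the "tripwire" that scans the whole request for `!ruby` tags (including tags nested inside arrays or hashes, which a `--- !ruby` prefix check would miss) and safe YAML loading as the actual fix, can be shown together in one Rack-style middleware. This is an added example, not code from rack-protection or from any commenter; the class name `RejectRubyYamlTags`, the helpers, and the sample payloads are constructed for the illustration. It uses Psych's `YAML.safe_load` rather than the safe_yaml gem, so it runs with only the standard library.

```ruby
require 'stringio'
require 'yaml'

# Hypothetical defense-in-depth middleware (not part of rack-protection).
# It looks for tags that make Psych instantiate Ruby objects, such as
# !ruby/object:Foo, !ruby/hash:Bar or !ruby/struct:Baz, anywhere in the
# request body or in header values, and rejects the request with a 400.
# Matching the tag wherever it appears is deliberate: an object placed
# inside an array or hash is not preceded by "--- !ruby".
class RejectRubyYamlTags
  RUBY_TAG = /!ruby\//   # every Psych-handled Ruby tag starts with "!ruby/"

  def initialize(app)
    @app = app
  end

  def call(env)
    return reject if header_values(env).any? { |v| RUBY_TAG =~ v }
    body = read_body(env)
    return reject if body && RUBY_TAG =~ body
    @app.call(env)
  end

  private

  # All client-supplied header values (Rack exposes them as HTTP_* keys).
  def header_values(env)
    env.select { |k, _| k.start_with?('HTTP_') || k == 'CONTENT_TYPE' }
       .values.map(&:to_s)
  end

  # Read the body, then rewind so the downstream app can still read it.
  def read_body(env)
    input = env['rack.input']
    return nil unless input
    body = input.read
    input.rewind if input.respond_to?(:rewind)
    body
  end

  def reject
    [400, { 'Content-Type' => 'text/plain' }, ['Rejected: Ruby object tag in request']]
  end
end

# The real fix: load untrusted YAML with Psych's restricted loader, which
# raises Psych::DisallowedClass instead of instantiating arbitrary classes.
def safe_yaml_load(text)
  [:ok, YAML.safe_load(text)]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  [:rejected, e.class.name]
end

# Constructed sample requests: a benign document and one that hides an
# object tag inside a list, so the document does not start with "--- !ruby".
BENIGN_YAML    = "---\nname: alice\n"
NESTED_PAYLOAD = "---\nusers:\n- name: alice\n- !ruby/object:SomeClass\n  foo: bar\n"

# Minimal Rack env builder; headers are given as HTTP-style names.
def rack_env(body, headers = {})
  env = {
    'REQUEST_METHOD' => 'POST',
    'CONTENT_TYPE'   => 'application/x-yaml',
    'rack.input'     => StringIO.new(body)
  }
  headers.each { |k, v| env['HTTP_' + k.upcase.tr('-', '_')] = v }
  env
end

APP   = lambda { |_env| [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
GUARD = RejectRubyYamlTags.new(APP)

# Status the guarded app returns for a given body and extra headers.
def status_for(body, headers = {})
  GUARD.call(rack_env(body, headers)).first
end

if __FILE__ == $0
  puts status_for(BENIGN_YAML)                                    # 200
  puts status_for(NESTED_PAYLOAD)                                 # 400
  puts status_for(BENIGN_YAML, 'X-Note' => '!ruby/object:Foo {}') # 400
  p safe_yaml_load(NESTED_PAYLOAD)                                # [:rejected, "Psych::DisallowedClass"]
end
```

The scan is a tripwire, not a parser: it will also trip on a legitimate body that merely contains the text `!ruby/` (a bug report pasted into a JSON field, say), so log and alert on rejections rather than treating them as proof of an attack, and keep `safe_load` (or safe_yaml) at the point where the YAML is actually parsed, since that is what stops the object instantiation regardless of how the request was encoded.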

@rkh rkh closed this Apr 8, 2014
