Allow Hash 'compact' & 'to_json' in safe mode #8892
Conversation
|
Issues: #33825 |
| @@ -1,3 +1,7 @@ | |||
| class URI::Generic::Jail < Safemode::Jail | |||
| allow :host, :path, :port, :query, :scheme | |||
| end | |||
|
|
|||
| class Hash::Jail < Safemode::Jail | |||
| allow :to_json, :compact | |||
There was a problem hiding this comment.
AFAIK to_json is quite recursive, what if we have { "key": [1, 2, 3] } and Array has not to_json allowed?
UPD: it works...
There was a problem hiding this comment.
I'm wondering if this can also expose way more data than you'd expect and leaking internal details that way.
There was a problem hiding this comment.
I'm wondering if this can also expose way more data than you'd expect and leaking internal details that way
That's interesting thought, mind to share any example?
There was a problem hiding this comment.
Let's say you have a hash where the values are ActiveRecord objects, will the full object be serialized? Could that include private data such as the bmc password on hosts?
There was a problem hiding this comment.
Well, I've tried that and I didn't see BMC password, but other password was returned as crypted. Although I agree that to_json can be dangerous since it ignores other Jail methods: if there is a Host object in a hash then all its attributes will be in the json string.
This reminds me of one of concerns why we didn't allow this method for webhooks: user must create a hash with attributes they can collect via Jailed methods and then pass this hash to a special method which will convert this to json and send as a payload...
There was a problem hiding this comment.
Thanks @ofedoren for being more verbose in the explanation. That is indeed what I was driving at. The BMC password is just one example. And if we don't have it today, it could become a problem later on.
stejskalleos
force-pushed
the
ls/hash_safemode
branch
from
d1a7ade
to
e8de8dc
Compare
|
Rebased & updated: added doc to and |
| module Hash | ||
| extend ApipieDSL::Module | ||
|
|
||
| apipie_class 'Array' do |
There was a problem hiding this comment.
| apipie_class 'Array' do | |
| apipie_class 'Hash' do |
|
|
||
| apipie_method :to_json, 'Returns a JSON string representing the hash.' do | ||
| returns ::String | ||
| example '{ id: 1, name: "test" }.to_json #=> {"id":"1","name":"test"}' |
There was a problem hiding this comment.
| example '{ id: 1, name: "test" }.to_json #=> {"id":"1","name":"test"}' | |
| example '{ id: 1, name: "test" }.to_json #=> {"id":1,"name":"test"}' |
| end | ||
|
|
||
| apipie_method :compact, 'Returns a new hash with the nil values/key pairs removed.' do | ||
| returns ::String |
There was a problem hiding this comment.
| returns ::String | |
| returns ::Hash |
|
Closing the issue, |
No description provided.