Forum: Ruby-core [ruby-trunk - Feature #7677][Open] YAML load mode that does instantiate Ruby

Posted by Thomas Sawyer (7rans)
on 2013-01-09 03:40
(Received via mailing list)
Issue #7677 has been reported by trans (Thomas Sawyer).

----------------------------------------
Feature #7677: YAML load mode that does instantiate Ruby
https://bugs.ruby-lang.org/issues/7677

Author: trans (Thomas Sawyer)
Status: Open
Priority: Normal
Assignee:
Category: lib
Target version: next minor


See https://makandracards.com/makandra/892-never-use-y...

I suggest that YAML.load and YAML.load_file have an optional mode that 
will allow the YAML to load but not instantiate `!ruby/object:` tags, 
nor any registered tags. To go with this there could be a way to see 
what the tag is after having been loaded.
Posted by Aaron Patterson (tenderlove)
on 2013-01-10 08:33
(Received via mailing list)
On Wed, Jan 09, 2013 at 11:40:04AM +0900, trans (Thomas Sawyer) wrote:
> Assignee:
> Category: lib
> Target version: next minor
>
>
> See https://makandracards.com/makandra/892-never-use-y...
>
> I suggest that YAML.load and YAML.load_file have an optional mode that will
> allow the YAML to load but not instantiate `!ruby/object:` tags, nor any
> registered tags. To go with this there could be a way to see what the tag is after
> having been loaded.

Use `Psych.parse`, then you can inspect the AST.
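The approach suggested above, worked through as an added example (this is editor-supplied code, not part of the original post and not Psych's own API surface beyond Psych.parse, the node classes and Node#to_ruby): parse to the AST, list every explicit tag, refuse anything outside the YAML core schema or any alias, and only then convert to Ruby. The allow/refuse policy, the helper names and the two front-matter documents are assumptions made for the illustration.

```ruby
require 'psych'

# Tags of the YAML core schema resolve to plain Ruby data (String, Integer,
# Float, true/false/nil, Array, Hash). Any other explicit tag, which covers
# every "!ruby/..." tag and any application-registered tag, is refused.
# (Policy chosen for this example; Psych itself does not enforce it.)
CORE_TAG_PREFIX = 'tag:yaml.org,2002:'.freeze

# Depth-first list of every node in the Psych AST. Psych.parse builds this
# tree without instantiating a single application object.
def collect_nodes(node, acc = [])
  acc << node
  (node.children || []).each { |child| collect_nodes(child, acc) }
  acc
end

# Explicit tags in the document that fall outside the core schema.
def foreign_tags(doc)
  collect_nodes(doc).map(&:tag).compact.reject { |t| t.start_with?(CORE_TAG_PREFIX) }
end

# Aliases are refused as well: not a code-execution vector, but they let a
# tiny document expand into a huge object graph (the "billion laughs" shape).
def aliases?(doc)
  collect_nodes(doc).any? { |n| n.is_a?(Psych::Nodes::Alias) }
end

# Load YAML as plain data only: inspect the AST first, convert second.
def load_plain(yaml)
  doc = Psych.parse(yaml)
  return nil unless doc                         # empty input
  bad = foreign_tags(doc).uniq
  raise ArgumentError, "refusing tags: #{bad.join(', ')}" unless bad.empty?
  raise ArgumentError, 'refusing aliases' if aliases?(doc)
  doc.to_ruby                                   # only core tags remain, so this yields plain data
end

# Convenience wrapper returning [:ok, data] or [:refused, reason].
def load_plain_result(yaml)
  [:ok, load_plain(yaml)]
rescue ArgumentError => e
  [:refused, e.message]
end

# Constructed sample inputs shaped like wiki page front matter.
PLAIN_META = <<~YAML
  title: Home
  tags: [wiki, intro]
  published: true
YAML

TAGGED_META = <<~YAML
  title: Home
  owner: !ruby/object:OpenStruct
    table:
      name: attacker
YAML

if __FILE__ == $PROGRAM_NAME
  p load_plain_result(PLAIN_META)
  p load_plain_result(TAGGED_META)
  p foreign_tags(Psych.parse(TAGGED_META))
end
```

The point of doing the tag check on the AST rather than on the loaded objects is ordering: by the time `Psych.load` hands back a value, every `!ruby/object:` mapping has already been allocated and had its instance variables set, so a check there comes too late. Note that `Node#to_ruby` itself would still honour Ruby tags; the example is only safe because the walk above rejects them first.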
Posted by Thomas Sawyer (7rans)
on 2013-01-10 16:06
(Received via mailing list)
Issue #7677 has been updated by trans (Thomas Sawyer).


Is that a viable option for general usage?

Let me give an example of where this issue becomes a problem. I 
received an email a couple of days ago:

  You may have read about the recent Rails security issue. I had no idea
  YAML.load enabled remote code execution when given user input.

  The same problem is in Gollum as a result of your page metadata pull
  request that I approved. I had to disable it in Gollum today and
  released 2.4.11 with the fix. Do you think it's worth updating page
  metadata or should it be removed?

The conclusion of our conversation was pretty simple. YAML would have to 
go unless there is a fix, and JSON would be used instead. I hate to see 
that happen, but there isn't much I can do about it other than ask for a 
fix.

Some links related to this:
* http://www.insinuator.net/2013/01/rails-yaml/
* http://news.ycombinator.com/item?id=5028218
* https://github.com/github/gollum/pull/419

Posted by Aaron Patterson (tenderlove)
on 2013-01-14 02:42
(Received via mailing list)
On Fri, Jan 11, 2013 at 12:05:36AM +0900, trans (Thomas Sawyer) wrote:
>   YAML.load enabled remote code execution when given user input.
YAML.load does not enable remote code execution.  You *must* use it in
conjunction with some other object that does something dangerous with
it.  In the case of Rails, that would be module_eval:

  https://github.com/rails/rails/blob/master/actionp...

Any serialization scheme that will allow custom objects could be
impacted in the same way.  It has to be serialization scheme PLUS some
dangerous operation.

>   The same problem is in Gollum as a result of your page metadata pull
>   request that I approved. I had to disable it in Gollum today and
>   released 2.4.11 with the fix. Do you think it's worth updating page
>   metadata or should it be removed?
>
> The conclusion of our conversation was pretty simple. YAML would have to go
> unless there is a fix, and JSON would be used instead. I hate to see that happen,
> but there isn't much I can do about it other than ask for a fix.

If you'd like to help define what "safe yaml" means, there's a ticket
here:

  https://github.com/tenderlove/psych/issues/119
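The "serialization scheme PLUS some dangerous operation" point above, as an added example (editor-supplied; not code from Rails, Gollum or Psych). `PageMeta`, the hostile document and the `layout_path` stand-in for a template loader are constructed for illustration. `Psych.safe_load` and `Psych.unsafe_load` are real Psych methods that were added after this thread (Psych 4 later made `Psych.load` safe by default), which is why `full_load` falls back to `Psych.load` on older Psych.

```ruby
require 'psych'

# Constructed domain class: the constructor enforces an invariant that the
# rest of the application relies on (only two layout names exist).
class PageMeta
  ALLOWED_LAYOUTS = %w[default wide].freeze
  attr_reader :title, :layout

  def initialize(title, layout)
    raise ArgumentError, "unknown layout #{layout.inspect}" unless ALLOWED_LAYOUTS.include?(layout)
    @title = title
    @layout = layout
  end
end

# Constructed hostile front matter: the Ruby tag names the class to build and
# the mapping supplies its instance variables.
HOSTILE_META = <<~YAML
  --- !ruby/object:PageMeta
  title: Home
  layout: ../../etc/passwd
YAML

HONEST_META = "title: Home\nlayout: wide\n"

# Full (unsafe) load across Psych versions: Psych 4 made Psych.load safe by
# default and provides Psych.unsafe_load for the old behaviour.
def full_load(yaml)
  Psych.respond_to?(:unsafe_load) ? Psych.unsafe_load(yaml) : Psych.load(yaml)
end

# Part one of the recipe: the serializer alone. It allocates a PageMeta and
# sets @title/@layout straight from the document; initialize, and with it
# the layout check, never runs.
def deserialized_meta(yaml = HOSTILE_META)
  full_load(yaml)
end

# Part two: the "dangerous operation". A stand-in for a template loader that
# builds a filesystem path from @layout; it returns the path instead of
# opening it so the example stays harmless.
def layout_path(meta, root = '/srv/wiki/layouts')
  File.expand_path("#{meta.layout}.html", root)
end

# Hardened form: deserialize to plain data (Psych.safe_load raises
# Psych::DisallowedClass for any !ruby/ tag) and go through the constructor,
# so the invariant is enforced on whatever the document said.
def checked_meta(yaml)
  data = Psych.safe_load(yaml)
  PageMeta.new(data.fetch('title'), data.fetch('layout'))
end

if __FILE__ == $PROGRAM_NAME
  meta = deserialized_meta
  puts "#{meta.class} with layout #{meta.layout.inspect} -> #{layout_path(meta)}"
  begin
    checked_meta(HOSTILE_META)
  rescue Psych::DisallowedClass => e
    puts "safe_load refused: #{e.message}"
  end
end
```

Neither half is dangerous on its own: `full_load` only produces an object with attacker-chosen instance variables, and `layout_path` only misbehaves when handed such an object. The hardened version removes the first half, which is why the document's tags never reach a class lookup, and keeps the second half behind a constructor that validates its inputs.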
Posted by Thomas Sawyer (7rans)
on 2013-01-18 19:36
(Received via mailing list)
Issue #7677 has been updated by trans (Thomas Sawyer).


I added my concept of it to the issue 
(https://github.com/tenderlove/psych/issues/119).

Thanks.

By the way, the title of this issue should say "does NOT instantiate". 
Sorry.

Posted by ko1 (Koichi Sasada) (Guest)
on 2013-02-22 01:23
(Received via mailing list)
Issue #7677 has been updated by ko1 (Koichi Sasada).

Assignee set to tenderlovemaking (Aaron Patterson)

