Closed basilgohar closed 8 years ago
Ran quick experiment and it seems they can get away with just regular strings, so I can probably remove the part about "Ruby symbols" in the comments.
As for the arbitrary code, I believe when Ruby loads a YAML file it can run some arbitrary code used for creating objects. But as root
owns both the config and the actual code, if root
was malicious it would be easier to alter the actual code instead. This is the same as running arbitrary Lua code in the Apache config.
I realize this is in a configuration file, but what can happen if they express these differently? What if they put arbitrary "code" in here – will it get executed, or is there some form of checking when these are passed-in?