petems / tugboat

A command line tool for interacting with your DigitalOcean droplets.
MIT License

Arbitrary Code Injection Or Denial Of Service (DoS) Through Unsafe Middleware in petems/tugboat (master) #272

Closed petems closed 7 years ago

petems commented 7 years ago

Arbitrary Code Injection Or Denial Of Service (DoS) Through Unsafe Middleware in petems/tugboat (master)

Issue Details

Issue Description

faraday_middleware is vulnerable to arbitrary code injection or denial of service attacks. It is possible when it uses YAML.load() by default to load resources from untrusted sources or over HTTP. YAML.load() is not safe against DoS and arbitrary code injection if it uses a Psych version that supports it.

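To make the `YAML.load()` point concrete, here is an added example (not code from tugboat or faraday_middleware) showing a small hypothetical response-body parser in the hardened form the advisory implies. `parse_yaml_body` uses `YAML.safe_load`, which refuses both the `!ruby/object` tags that let a hostile document instantiate arbitrary classes and the YAML aliases used in alias-expansion ("billion laughs") denial-of-service documents. The sample bodies are constructed for the example; `legacy_parse_yaml_body` is shown only to mark the unsafe call the issue refers to.

```ruby
require 'yaml'

# Unsafe form (the call the advisory warns about). On Psych versions where
# YAML.load is a full loader, a body such as TAGGED below would instantiate
# whatever class the document names. Shown for contrast; not exercised here.
def legacy_parse_yaml_body(body)
  YAML.load(body)
end

# Hardened form: safe_load only builds plain scalars, arrays and hashes.
# Returns [:ok, object] on success or [:rejected, reason] when the document
# tries something a response parser should never honour.
def parse_yaml_body(body)
  data = YAML.safe_load(body)
  [:ok, data]
rescue Psych::DisallowedClass => e
  # Raised for tags like !ruby/object:SomeClass (arbitrary object construction).
  [:rejected, "disallowed class: #{e.message}"]
rescue Psych::BadAlias => e
  # Raised for &anchor/*alias use; covers Psych::AliasesNotEnabled on Psych 4.
  [:rejected, "aliases not permitted: #{e.message}"]
rescue Psych::SyntaxError => e
  [:rejected, "malformed YAML: #{e.message}"]
end

# Constructed sample response bodies.
BENIGN  = "---\nname: my-droplet\nregion: nyc3\n"
TAGGED  = "--- !ruby/object:Object {}\n"          # object-instantiation attempt
ALIASED = "---\na: &x [1, 2]\nb: *x\n"             # alias expansion attempt

if __FILE__ == $PROGRAM_NAME
  [BENIGN, TAGGED, ALIASED].each do |body|
    status, detail = parse_yaml_body(body)
    puts "#{status}: #{detail.inspect}"
  end
end
```

Because `safe_load` raises instead of silently building a partial object, the parser can log and drop the response, which is the behaviour a defender wants from middleware that deserialises bodies fetched over HTTP.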