Closed brynary closed 10 years ago
This would be possible if the request Content-Type is set properly, I guess. Unless we start parsing XML though, this would not have prevented the attack on Rails, and even then not the one on RubyGems.org. I haven't seen many APIs that support posting YAML to them directly, tbh.
Could we be more general and just grep the entire request-as-a-string? It could be hidden in a header value, for example.
This would be a defense-in-depth measure against another vulnerability deeper in the stack, and also an early warning tripwire if you are under attack.
So block anything that contains the string !ruby?
"--- !ruby" maybe
No, that won't do it. You can place the object in an array or hash.
Ah, yeah, then I think it would have to be "!ruby".
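The tripwire sketched in this thread, written out as an added example (this is not rack-protection's own code; the class name, the body-size limit and the sample payloads are assumptions). It is a Rack-compatible middleware that scans header values, the query string and the raw body for the substring "!ruby" without parsing anything, and it keeps a prefix-only matcher beside it to show why "--- !ruby" misses a tag that sits inside a sequence or mapping:

```ruby
require "stringio"

# Added example (not rack-protection's code): a Rack-style tripwire that
# rejects any request whose body, query string or header values contain a
# Ruby-specific YAML tag. It is a coarse defense-in-depth check and an early
# warning signal; it never parses YAML.
class RubyYamlTagTripwire
  # Matching the bare tag also catches it nested in a sequence or mapping,
  # e.g. "- !ruby/object:Foo".
  RUBY_TAG = /!ruby/

  # The weaker variant from the thread, kept only for comparison: it only
  # matches when the tag is the very first node of the document.
  PREFIX_ONLY = /\A--- !ruby/

  # Constructed limit on how much body to inspect (assumption).
  MAX_BODY_BYTES = 1 << 20

  def initialize(app)
    @app = app
  end

  def call(env)
    if self.class.suspicious_env?(env)
      return [400, { "Content-Type" => "text/plain" }, ["Bad Request"]]
    end
    @app.call(env)
  end

  def self.suspicious?(str)
    str.is_a?(String) && RUBY_TAG.match?(str)
  end

  def self.prefix_match?(str)
    str.is_a?(String) && PREFIX_ONLY.match?(str)
  end

  def self.suspicious_env?(env)
    # Rack exposes request headers as HTTP_* keys; also look at the path and
    # query string since the tag "could be hidden in a header value".
    env.each do |key, value|
      next unless key.start_with?("HTTP_") || key == "QUERY_STRING" || key == "PATH_INFO"
      return true if suspicious?(value)
    end
    input = env["rack.input"]
    return false unless input
    body = input.read(MAX_BODY_BYTES)
    input.rewind # leave the body readable for the downstream app
    suspicious?(body.to_s)
  end
end

# Constructed helper standing in for Rack::MockRequest so the example runs
# without the rack gem installed.
def build_env(body:, headers: {})
  env = {
    "REQUEST_METHOD" => "POST",
    "PATH_INFO" => "/api",
    "QUERY_STRING" => "",
    "rack.input" => StringIO.new(body),
  }
  headers.each { |name, value| env["HTTP_" + name.upcase.tr("-", "_")] = value }
  env
end

# Constructed sample payloads. The nested ones are why the prefix-only
# pattern is not enough.
PAYLOADS = {
  plain_json: '{"user":"alice"}',
  top_level: "--- !ruby/object:OpenStruct\ntable: {}\n",
  in_array: "---\n- !ruby/hash:Hash\n  a: 1\n",
  in_hash: "---\nuser: !ruby/object:Object {}\n",
}.freeze

# Runs one request through the tripwire in front of a trivial app and
# returns the HTTP status it produced.
def tripwire_status(body, headers = {})
  app = ->(_env) { [200, {}, ["ok"]] }
  RubyYamlTagTripwire.new(app).call(build_env(body: body, headers: headers)).first
end

if $PROGRAM_NAME == __FILE__
  PAYLOADS.each { |name, body| puts "#{name}: #{tripwire_status(body)}" }
  puts "header: #{tripwire_status('{}', 'X-Note' => '--- !ruby/object:Foo')}"
end
```

Because it is a substring match, any request that legitimately contains "!ruby" is also rejected, which is the trade-off of a tripwire over a real parser; rewinding rack.input after reading is what keeps the downstream application from seeing an empty body.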
I think the best way to protect your application from "unsafe" YAML is adding https://github.com/dtao/safe_yaml to your project. What about XML and JSON: do your parsers for these allow object instantiation like YAML?
Just my 2 cents . . .
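The parsing-side alternative the comment above recommends, as an added example that is not from the thread or from the safe_yaml gem: it uses Psych's built-in YAML.safe_load (available in the standard library since Psych 2.0) rather than safe_yaml, so that a document carrying a "!ruby" tag is refused at load time instead of being grepped for. The function name and sample documents are assumptions.

```ruby
require "yaml"

# Added example (not the thread's or safe_yaml's code): load untrusted YAML
# with Psych's restricted loader. Tags that would instantiate arbitrary
# Ruby classes raise Psych::DisallowedClass; aliases are also refused by
# default, which closes the billion-laughs style expansion.
def load_untrusted_yaml(str)
  YAML.safe_load(str)
rescue Psych::DisallowedClass, Psych::BadAlias => e
  { rejected: e.class.name }
end

# Constructed sample documents: plain data beside tagged objects that the
# tripwire approach would have to find by string matching.
SAFE_DOC    = "user: alice\nroles:\n  - admin\n"
TAGGED_DOC  = "--- !ruby/object:OpenStruct\ntable: {}\n"
NESTED_DOC  = "---\n- !ruby/hash:Hash\n  a: 1\n"

if $PROGRAM_NAME == __FILE__
  [SAFE_DOC, TAGGED_DOC, NESTED_DOC].each do |doc|
    p load_untrusted_yaml(doc)
  end
end
```

This is the check that actually understands the document, so it has no false positives on a header that happens to contain "!ruby"; the tripwire middleware is still useful in front of it because it fires before any parser (YAML or otherwise) deeper in the stack sees the request.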
In light of the YAML security issues, my proposal is that rack-protection detect the presence of Ruby objects serialized as YAML (can look for "!ruby", I think), and reject the request. Thoughts?