sinatra / rack-protection

NOTE: This project has been merged upstream to sinatra/sinatra
https://github.com/sinatra/sinatra/tree/master/rack-protection

Detect and reject Ruby objects sent in YAML format #43

Closed brynary closed 10 years ago

brynary commented 11 years ago

In light of the YAML security issues, my proposal is that rack-protection detect the presence of Ruby objects serialized as YAML (can look for !ruby I think), and reject the request.

Thoughts?

rkh commented 11 years ago

This would be possible if the request Content-Type is set properly, I guess. Unless we start parsing XML though, this would not have prevented the attack on rails and even then not the one on RubyGems.org. I haven't seen many APIs that support posting YAML to it directly, tbh.

brynary commented 11 years ago

Could we be more general and just grep the entire request-as-a-string? It could be hidden in a header value, for example.

This would be a defense-in-depth measure against another vulnerability deeper in the stack, and also an early warning tripwire if you are under attack.

rkh commented 11 years ago

So block anything that contains the string !ruby?

brynary commented 11 years ago

"--- !ruby" maybe

On Thu, Jan 31, 2013 at 4:31 PM, Konstantin Haase <notifications@github.com> wrote:

> So block anything that contains the string !ruby?


rkh commented 11 years ago

No, that won't do it. You can place the object in an array or hash.

brynary commented 11 years ago

Ah, yeah then I think it would have to be "!ruby"

On Thu, Jan 31, 2013 at 4:59 PM, Konstantin Haase <notifications@github.com> wrote:

> No, that won't do it. You can place the object in an array or hash.

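As an added example (not rack-protection's own code), here is the tripwire middleware sketched in the exchange above: a Rack-style middleware that scans header values and the whole request body for the `!ruby` tag, anywhere in the document rather than only as a `--- !ruby` prefix, since the tagged object can be nested in an array or hash. The names `RejectRubyYaml`, `build_env`, `ECHO_APP` and `tripwire_status` are assumptions, and the Rack env is constructed by hand so it runs without the rack gem.

```ruby
require 'stringio'
# Added example, not rack-protection's own code: rejects requests carrying the
# YAML tag prefix "!ruby" (e.g. "!ruby/object:SomeClass") in the body or in a
# header value with a 400, before any YAML parser further down the stack sees
# them. Only a tripwire: it complements, not replaces, a safe YAML loader.
class RejectRubyYaml
  PATTERN = /!ruby/
  def initialize(app)
    @app = app
  end
  def call(env)
    return rejected_response if header_values(env).any? { |v| v.match?(PATTERN) }
    body = read_body(env)
    return rejected_response if body&.match?(PATTERN)
    @app.call(env)
  end
  # Rack exposes client headers as HTTP_* keys; CONTENT_TYPE and QUERY_STRING are
  # client-controlled too. URL-encoded forms (%21ruby) are not decoded here.
  def header_values(env)
    keys = %w[CONTENT_TYPE QUERY_STRING] + env.keys.select { |k| k.start_with?('HTTP_') }
    keys.map { |k| env[k].to_s }
  end
  # Read the whole body, then rewind so the downstream app still gets it.
  def read_body(env)
    io = env['rack.input'] or return nil
    data = io.read
    io.rewind
    data
  end
  def rejected_response
    [400, { 'content-type' => 'text/plain' }, ["Bad Request\n"]]
  end
end
# Constructed Rack env for offline use (hypothetical helper; no rack gem needed).
def build_env(body, headers = {})
  env = { 'REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/api', 'QUERY_STRING' => '',
          'CONTENT_TYPE' => 'application/x-yaml', 'rack.input' => StringIO.new(body) }
  headers.each { |name, value| env["HTTP_#{name.upcase.tr('-', '_')}"] = value.to_s }
  env
end
# Downstream app that echoes the body back, which shows the rewind worked.
ECHO_APP = ->(env) { [200, { 'content-type' => 'text/plain' }, [env['rack.input'].read]] }
# Status the middleware plus echo app produce for a constructed request.
def tripwire_status(body, headers = {})
  RejectRubyYaml.new(ECHO_APP).call(build_env(body, headers))[0]
end
```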

mkristian commented 11 years ago

I think the best way to protect your application from "unsafe" YAML is adding https://github.com/dtao/safe_yaml to your project. What about XML and JSON? Do your parsers for these allow object instantiation like YAML?

just my 2 cents . . .