zendesk / samson

Web interface for deployments, with plugin architecture and kubernetes support

safely deserialize k8 yaml #4071

Closed anthonywoo closed 10 months ago

anthonywoo commented 11 months ago

Note: Samson is a public repo, do not include Zendesk-internal information, urls, etc.

Using YAML.load_stream is unsafe and allows instantiating arbitrary classes, which may lead to remote code execution (RCE).

I had to use multiple streams because Samson needs to support multiple documents in a single YAML file.

References

Risks
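As an added example (not Samson's own code and not the diff of this PR), here is the replacement the PR description above calls for: a helper that keeps multi-document support but runs every document through YAML.safe_load, with constructed sample manifests. The helper name safe_load_k8s_stream and the two manifest constants are assumptions.

```ruby
require "yaml" # YAML is Psych; YAML::Nodes and YAML.safe_load are Psych's

# Added example, not code from the Samson repository. A drop-in for
# YAML.load_stream that keeps multi-document support but deserializes
# nothing beyond plain data (Hash, Array, String, Integer, ...).
#
# YAML.load_stream turns every document into Ruby objects with Psych's
# unrestricted deserializer, so a `!ruby/object:SomeClass` tag in an
# untrusted file instantiates that class. YAML.safe_load refuses such tags,
# but it only returns the first document of a stream. So: parse the stream
# into document nodes (no Ruby objects are built at this stage), re-emit
# each node as its own one-document stream and run that through safe_load.
def safe_load_k8s_stream(yaml, permitted_classes: [])
  YAML.parse_stream(yaml).children.map do |document|
    single = YAML::Nodes::Stream.new
    single.children << document
    YAML.safe_load(single.to_yaml, permitted_classes: permitted_classes)
  end
end

# Constructed sample: two ordinary Kubernetes resources in one file.
SAFE_MANIFEST = <<~MANIFEST
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: app-config
  ---
  apiVersion: apps/v1
  kind: Deployment
  spec:
    replicas: 2
MANIFEST

# Constructed sample: the first document is harmless; the second carries a
# tag asking Psych to allocate an arbitrary class (Object, so nothing bad
# happens even where it is honoured). YAML.safe_load on the whole string
# returns just the ConfigMap and never inspects the tagged document;
# safe_load_k8s_stream raises YAML::DisallowedClass instead.
TAGGED_MANIFEST = <<~MANIFEST
  apiVersion: v1
  kind: ConfigMap
  ---
  apiVersion: apps/v1
  kind: Deployment
  spec: !ruby/object:Object {}
MANIFEST
```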

anthonywoo commented 11 months ago

there are no other usages of this method?

I couldn't find any other usages where the stream content can come from an untrusted source

grosser commented 11 months ago

don't worry about bundle_audit, that can be another PR