Project

General

Profile

Actions

Feature #7677

closed

YAML load mode that does instantiate Ruby

Added by trans (Thomas Sawyer) almost 12 years ago. Updated over 11 years ago.

Status:
Closed
Target version:
[ruby-core:51329]

Description

See https://makandracards.com/makandra/892-never-use-yaml-load-with-user-input

I suggest that YAML.load and YAML.load_file have an optional mode that will allow the YAML to load but not instantiate !ruby/object: tags, nor any registered tags. To go with this there could be a way to see what the tag is after having been loaded.


Related issues 1 (0 open1 closed)

Related to Ruby master - Bug #7780: Marshal & YAML should deserialize only basic types by default.Closedmatz (Yukihiro Matsumoto)Actions

Updated by Anonymous almost 12 years ago

On Wed, Jan 09, 2013 at 11:40:04AM +0900, trans (Thomas Sawyer) wrote:

Issue #7677 has been reported by trans (Thomas Sawyer).


Feature #7677: YAML load mode that does instantiate Ruby
https://bugs.ruby-lang.org/issues/7677

Author: trans (Thomas Sawyer)
Status: Open
Priority: Normal
Assignee:
Category: lib
Target version: next minor

See https://makandracards.com/makandra/892-never-use-yaml-load-with-user-input

I suggest that YAML.load and YAML.load_file have an optional mode that will allow the YAML to load but not instantiate !ruby/object: tags, nor any registered tags. To go with this there could be a way to see what the tag is after having been loaded.

Use Psych.parse, then you can inspect the AST.

--
Aaron Patterson
http://tenderlovemaking.com/

Updated by trans (Thomas Sawyer) almost 12 years ago

=begin
Is that a viable option for general usage?

Let me give an example of where this issue becomes a problem. I received an email a couple of days ago:

You may have read about the recent Rails security issue. I had no idea
YAML.load enabled remote code execution when given user input.

The same problem is in Gollum as a result of your page metadata pull
request that I approved. I had to disable it in Gollum today and
released 2.4.11 with the fix. Do you think it's worth updating page
metadata or should it be removed?

The conclusion of our conversation was pretty simple. YAML would have to go unless there is a fix, and JSON would be used instead. I hate to see that happen, but there isn't much I can do about it other then ask for a fix.

Some links related to this:

=end

Updated by Anonymous almost 12 years ago

On Fri, Jan 11, 2013 at 12:05:36AM +0900, trans (Thomas Sawyer) wrote:

Issue #7677 has been updated by trans (Thomas Sawyer).

=begin
Is that a viable option for general usage?

Let me give an example of there where this issue becomes a problem. I received an email a couple of days ago:

You may have read about the recent Rails security issue. I had no idea
YAML.load enabled remote code execution when given user input.

YAML.load does not enable remote code execution. You must use it in
conjunction with some other object that does something dangerous with
it. In the case of Rails, that would be module_eval:

https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/routing/route_set.rb#L188-200

Any serialization scheme that will allow custom objects could be
impacted in the same way. It has to be serialization scheme PLUS some
dangerous operation.

The same problem is in Gollum as a result of your page metadata pull
request that I approved. I had to disable it in Gollum today and
released 2.4.11 with the fix. Do you think it's worth updating page
metadata or should it be removed?

The conclusion of our conversation was pretty simple. YAML would have to go unless there is a fix, and JSON would be used instead. I hate to see that happen, but there isn't much I can do about it other then ask for a fix.

If you'd like to help define what "safe yaml" means, there's a ticket
here:

https://github.com/tenderlove/psych/issues/119

--
Aaron Patterson
http://tenderlovemaking.com/

Updated by trans (Thomas Sawyer) almost 12 years ago

I added my concept of it to the issue (https://github.com/tenderlove/psych/issues/119).

Thanks.

By the way, the title of this issue should say "does NOT instantiate". Sorry.

Updated by ko1 (Koichi Sasada) over 11 years ago

  • Assignee set to tenderlovemaking (Aaron Patterson)

Updated by tenderlovemaking (Aaron Patterson) over 11 years ago

  • Status changed from Open to Closed
  • % Done changed from 0 to 100

Psych.safe_load method has been introduced, which should deal with this issue. Thanks!

Actions

Also available in: Atom PDF

Like0
Like0Like0Like0Like0Like0Like0