From: Aaron Patterson <tenderlove@...>
Date: 2013-01-14T10:41:41+09:00
Subject: [ruby-core:51413] Re: [ruby-trunk - Feature #7677] YAML load mode that does instantiate Ruby

On Fri, Jan 11, 2013 at 12:05:36AM +0900, trans (Thomas Sawyer) wrote:
> 
> Issue #7677 has been updated by trans (Thomas Sawyer).
> 
> 
> =begin
> Is that a viable option for general usage?
> 
> Let me give an example of there where this issue becomes a problem. I received an email a couple of days ago:
> 
>   You may have read about the recent Rails security issue. I had no idea
>   YAML.load enabled remote code execution when given user input.

YAML.load does not enable remote code execution.  You *must* use it in
conjunction with some other object that does something dangerous with
it.  In the case of Rails, that would be module_eval:

  https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/routing/route_set.rb#L188-200

Any serialization scheme that will allow custom objects could be
impacted in the same way.  It has to be serialization scheme PLUS some
dangerous operation.

>   The same problem is in Gollum as a result of your page metadata pull
>   request that I approved. I had to disable it in Gollum today and
>   released 2.4.11 with the fix. Do you think it's worth updating page
>   metadata or should it be removed?
> 
> The conclusion of our conversation was pretty simple. YAML would have to go unless there is a fix, and JSON would be used instead. I hate to see that happen, but there isn't much I can do about it other then ask for a fix.

If you'd like to help define what "safe yaml" means, there's a ticket
here:

  https://github.com/tenderlove/psych/issues/119

-- 
Aaron Patterson
http://tenderlovemaking.com/