1. YAML is the new eval
09.02.2013 @rug_b
@plexus
github/arnebrasseur
6. I'm a Rails developer
I'm not a security expert
That's the point
7. “You Should Be At
Defcon 2 For Most
Of February”
http://bit.ly/you_will_be_compromised
24. “People who use magic without knowing
what they are doing usually come to a sticky end.
All over the entire room, sometimes.”
~ Terry Pratchett
26. 4 x Rails vulnerabilities
Rubygems Hacked
Bonus : MySQL “feature”
38. Jan 8
CVE-2013-0155
Unsafe Query Generation
40. THE BIG ONE
Who thought YAML in XML was a good idea anyway?
Jan 14
CVE-2013-0156
XML will deserialize YAML
45. EVAL ALL THE THINGS
$ rails new myapp ; cd myapp ; bundle install
$ cd `rvm gemdir`/gems
$ egrep -r '(module_eval|instance_eval|class_eval)' . | wc -l
321
$ egrep -r '(module_eval|instance_eval|class_eval)' . | sed 's|^\./||; s|/.*||' | sort | uniq -c | sort -n
62 activesupport-3.2.11
50 erubis-2.7.0
38 actionpack-3.2.11
24 activerecord-3.2.11
19 railties-3.2.11
47. Only 3.0 and 2.3
Jan 28
CVE-2013-0333
JSON parsed as YAML
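CVE-2013-0156 and CVE-2013-0333 share one root cause: text an attacker controls (an XML body, a JSON body) is handed to a YAML loader that will build arbitrary Ruby objects from tags. As an added example, not code from the talk, the function below shows the defensive counterpart using Psych's restricted loader, YAML.safe_load, which is what later Rails releases moved to. The three input documents are constructed for illustration, and Widget is a placeholder class name.

```ruby
require 'yaml'

# Constructed sample documents (not from the talk).
PLAIN_DOC  = "---\nname: alice\nroles:\n  - admin\n  - dev\n"
TAGGED_DOC = "--- !ruby/object:Widget\nlabel: hello\n"   # Widget is a placeholder class name
SYMBOL_DOC = "--- :admin\n"

# Parse YAML that arrived in a request body, or that an XML or JSON parser
# is about to hand to YAML. Only plain scalars, arrays and hashes are
# accepted; any tag that would instantiate a Ruby object, and any Symbol,
# is refused and reported instead of being loaded.
def parse_untrusted_yaml(text)
  # YAML.safe_load is Psych's restricted loader: no !ruby/* tags, no
  # Symbols and no aliases unless they are explicitly permitted.
  [:ok, YAML.safe_load(text)]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  # Raised for every tag naming a class outside the permitted list, so the
  # document is rejected before any object is constructed.
  [:rejected, e.class.name]
rescue Psych::SyntaxError => e
  [:invalid, e.message]
end

if __FILE__ == $PROGRAM_NAME
  [PLAIN_DOC, TAGGED_DOC, SYMBOL_DOC].each { |doc| p parse_untrusted_yaml(doc) }
end
```

For a Rails 3.x app of the period, the advisory's workaround was to stop the XML parser from ever reaching YAML (ActiveSupport::XmlMini::PARSING.delete('yaml') and .delete('symbol') in an initializer); the loader above is the equivalent check for any place your own code parses YAML from the outside.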
55. Are you up-to-date?
Rails 3.2 / 3.1 get security updates
Rails 2.3 for severe security issues
Ruby 1.8 is End of Life June 2013
58. GET routes don't check CSRF token
match 'user/reset/:id' => 'user#reset', :via => :put
60. Careful with to_json in templates
<script>
Accounts.reset(<%= raw @accounts.to_json %>);
</script>
61. Careful with to_json in templates
<script>
Accounts.reset([{name: "</script><script>alert('xss')</script>", ...}]);
</script>
62. Escaped by default in Rails 4
ActiveSupport::JSON::Encoding.escape_html_entities_in_json = true
There are other solutions as well
● json_escape
● data-* attributes
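The slide's fix works because the HTML parser ends a script block on the first "</script>" it sees, regardless of JavaScript string quoting, so the JSON must never contain those bytes. As an added example, not code from the talk or from Rails, the block below does what json_escape and escape_html_entities_in_json do: it rewrites the significant characters as JSON \u escapes, which keeps the document valid JSON and decodes to the same strings. The ACCOUNTS record is constructed, reusing the name from the slide.

```ruby
require 'json'

# Constructed record, not from the talk: the name carries the same markup
# as the slide, which would terminate the <script> block if interpolated raw.
ACCOUNTS = [{ "name" => "</script><script>alert('xss')</script>", "id" => 7 }].freeze

# Characters the HTML parser cares about inside <script>, mapped to their
# JSON \u escapes. JSON.parse turns them back into the same characters,
# but the bytes "</script>" can no longer occur in the emitted text.
JSON_ESCAPE = { '&' => '\u0026', '<' => '\u003c', '>' => '\u003e' }.freeze

def json_escape(json)
  # Block form of gsub inserts the returned text literally (no backrefs).
  json.gsub(/[&<>]/) { |c| JSON_ESCAPE[c] }
end

# What the template should interpolate instead of raw @accounts.to_json.
def safe_json_for_script(obj)
  json_escape(JSON.generate(obj))
end

# The snippet from the slide, built with the escaped payload.
def script_tag(obj)
  "<script>\nAccounts.reset(#{safe_json_for_script(obj)});\n</script>"
end

puts script_tag(ACCOUNTS) if __FILE__ == $PROGRAM_NAME
```

Rails' own ERB::Util.json_escape additionally escapes U+2028 and U+2029 in newer versions, since those are line terminators in JavaScript; the data-* attribute approach from the slide sidesteps the issue entirely by letting the HTML attribute escaper handle the value and reading it back with JSON.parse in the browser.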
64. Use \A and \z
^ : beginning of line
$ : end of line
\A : beginning of string
\z : end of string
\Z : end of string, but ignores a final newline
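In Ruby, ^ and $ are always line anchors, so a format validation written with them accepts any string that contains one well-formed line, whatever follows on the next. The block below, an added example rather than code from the talk, runs the three anchor styles over constructed inputs so the difference between \z and \Z is visible as well.

```ruby
# ^ and $ match at line boundaries in Ruby (there is no non-multiline mode
# for them), so this pattern accepts a string as soon as one line fits.
LINE_ANCHORED   = /^[a-z]+$/
# \A and \z bound the entire string; nothing before, nothing after.
STRING_ANCHORED = /\A[a-z]+\z/
# \Z is the lenient variant: it also matches just before one final newline.
LENIENT_END     = /\A[a-z]+\Z/

# Constructed inputs, not from the talk.
SAMPLES = ["alice", "alice\n", "alice\n!! not a username"].freeze

# Which of the three patterns accept the string.
def anchor_report(s)
  {
    line:    LINE_ANCHORED.match?(s),
    string:  STRING_ANCHORED.match?(s),
    lenient: LENIENT_END.match?(s)
  }
end

# The check a model validation should actually use.
def valid_username?(s)
  STRING_ANCHORED.match?(s)
end

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |s| puts "#{s.inspect} => #{anchor_report(s)}" }
end
```

Rails 4 refuses ^ and $ in validates_format_of unless you pass multiline: true, precisely because of this; on Rails 3 the only protection is writing \A and \z yourself.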