This document summarizes several vulnerabilities that affected Ruby on Rails applications in early 2013. It describes 4 SQL injection vulnerabilities in January, an unsafe query generation issue in January, and an XML deserialization of YAML vulnerability in January that could allow remote code execution. It warns that YAML can be deserialized to objects and discusses eval usage. It provides recommendations to stay up-to-date on Rails security updates, sign up for security mailing lists, use strong parameters, and sanitize inputs to applications.

1. YAML is the new eval
09.02.2013 @rug_b
@plexus
github/arnebrasseur

2. You
Need to think about security

4. I'm a Rails developer

5. I'm a Rails developer
I'm not a security expert

6. I'm a Rails developer
I'm not a security expert
That's the point

7. “You Should Be At
Defcon 2 For Most
Of February”
http://bit.ly/you_will_be_compromised

8. §
“Security”

9. Many aspects
confidentiality, integrity,
availability, authenticity

10. gem “security” ?

12. Emergent Property
It's not a feature

13. Infinity Maxim
Limitless vulnerabilities, most
unknown

14. Trade off
No such thing as 100% secure

15. Ignorance is bliss
If you believe you're safe,
You can assume you're not.

16. Attack Surface
Your outer shell

17. Least Authority
Can't break what you can't reach

18. Constrained code

19. Positive security
Whitelist vs Blacklist

20. §
Rails Security

22. "secure by default"
XSS, CSRF, sql escaping, etc.

23. Tasty Magic
Programmer happiness

24. “People who use magic without knowing
what they are doing usually come to a sticky end.
All over the entire room, sometimes.”
~ Terry Pratchett

25. §
What
happened?

26. 4 x Rails Vulnerability
Rubygems Hacked
Bonus : MySQL “feature”

27. Jan 2
CVE-2012-5664
SQL Injection Vulnerability

28. Post.find_by_id(id, opts = {})
Plain Old Dynamic Finder
Jan 2
CVE-2012-5664
SQL Injection Vulnerability

29. Post.find_by_id(:select => sql)
I Can Haz Inject SQL?
Jan 2
CVE-2012-5664
SQL Injection Vulnerability

30. Post.find_by_id(params[:id])
I Can Haz Inject SQL?
Jan 2
CVE-2012-5664
SQL Injection Vulnerability

31. HashWithIndifferentAccess
Post.find_by_id(params[:id])
I Can Haz Inject SQL?
Jan 2
CVE-2012-5664
SQL Injection Vulnerability

32. Exploitable?
Probably, but not trivially
Jan 2
CVE-2012-5664
SQL Injection Vulnerability

33. AuthLogic
User.find_by_persistence_token(token)
Jan 2
CVE-2012-5664
SQL Injection Vulnerability

34. CookieStore
session[:token] = {:select => “foo; DROP TABLE… ; --”}
Jan 2
CVE-2012-5664
SQL Injection Vulnerability

35. config.session.key
Do you know where your session key is
at 4 o'clock in the morning?
Jan 2
CVE-2012-5664
SQL Injection Vulnerability

36. Jan 8
CVE-2013-0155
Unsafe Query Generation

37. Foo.find_by_bar( [ nil ] )
JSON or XML payload
Result
Jan 8
CVE-2013-0155
Unsafe Query Generation

38. Jan 8
CVE-2013-0155
Unsafe Query Generation

39. Jan 14
CVE-2013-0156
XML will deserialize YAML

40. THE BIG ONE
Who thought YAML in XML was a good idea anyway?
Jan 14
CVE-2013-0156
XML will deserialize YAML

41. Never trust YAML
!ruby/hash:I::Am::In::Your::Objects
!ruby/object:Setting::Your::Ivars
Jan 14
CVE-2013-0156
XML will deserialize YAML

42. !ruby/hash
Calls #[]=
Jan 14
CVE-2013-0156
XML will deserialize YAML

43. !ruby/object
Calls instance_variable_set
Jan 14
CVE-2013-0156
XML will deserialize YAML

44. ActionController::Routing::
RouteSet::NamedRouteCollection
def add(name, route)
define_named_route_methods(name, route)
end
alias []= add
def define_url_helper(route, name, kind, options)
@module.module_eval <<-END
def #{name}_#{kind}(*args)
Jan 14
options = hash_for_#{name}_#{kind}(args.extract_options!)
CVE-2013-0156
XML will deserialize YAML

45. EVAL ALL THE THINGS
$ rails new myapp ; cd myapp ; bundle install
$ cd `rvm gemdir`/gems
$ egrep -r '(module_eval|instance_eval|class_eval)' . | wc -l
321
$ egrep -r '(module_eval|instance_eval|class_eval)' . | sed 's//.*//' | uniq -c | sort -n
62 activesupport-3.2.11
50 erubis-2.7.0
38 actionpack-3.2.11
24 activerecord-3.2.11
19 railties-3.2.11
Jan 14
CVE-2013-0156
XML will deserialize YAML

46. Jan 28
CVE-2013-0333
Vulnerability in JSON Parser
in Ruby on Rails 3.0 and 2.3

47. Only 3.0 and 2.3
Jan 28
CVE-2013-0333
JSON parsed as YAML

48. JSON is YAML
True story
Jan 28
CVE-2013-0333
JSON parsed as YAML

49. Jan 30
Rubygems Hacked
Gemspecs are … YAML

50. Jan 14
CVE-2013-0156
XML will deserialize YAML

51. Feb 7
Bonus Level
SELECT 0 = “foo”; # => true

53. §
Practical

55. Are you up-to-date?
Rails 3.2 / 3.1 get security updates
Rails 2.3 for severe security issues
Ruby 1.8 is End of Life June 2013

56. What now?
Sign up to the security mailing list

57. What now?
Read the Rails Guide on Security

58. GET routes don't check CSRF token
match 'user/reset/:id' => 'user#reset', :via => :put

59. attr_accessible
even better : strong_parameters
params.require(:person).permit(:name, :age)
params.permit(:name, { :emails => [ ] }

60. Careful with to_json in templates
<script>
Accounts.reset(<%= raw @accounts.to_json %>);
</script>

61. Careful with to_json in templates
<script>
Accounts.reset([{name: "</script><script>alert('xss')</script>", ...}]);
</script>

62. Escaped by default in Rails 4
ActiveSupport::JSON::Encoding.escape_html_entities_in_json = true
There are other solutions as well
● json_escape
● data-* attributes

63. Regexp Anchors
“some@email.comn'; I AM IN YOUR SQLZ ; --” =~ /^...$/

64. Use A and z
$ : beginning of line
^ : end of line
A : beginning of string
z : end of string
Z : ignores final newline

65. SafeYAML
Will probably become part of Psych

66. Brakeman
Static security analysis for Rails apps

67. Sanitize Your Inputs
Distrust params, cookies and request

68. Thank you!
Twitter : @plexus
Github : arnebrasseur