From 073bac6047dcfa1762024f05ef872a00fc57e8cb Mon Sep 17 00:00:00 2001
From: Ben Toews
Date: Tue, 22 Jan 2013 15:18:46 -0600
Subject: [PATCH 1/6] using sane_yaml to prevent code execution
---
 Gemfile | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Gemfile b/Gemfile
index e45e65f8..c8363711 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,2 +1,5 @@
 source :rubygems
+
+gem 'sane_yaml', :path => 'vendor/internal-gems/sane_yaml-0.1'
+
 gemspec
From 799c997b451230544af160f0acb40fc076305855 Mon Sep 17 00:00:00 2001
From: Ben Toews
Date: Tue, 22 Jan 2013 15:21:10 -0600
Subject: [PATCH 2/6] adding gem
---
 vendor/internal-gems | 1 +
 1 file changed, 1 insertion(+)
 create mode 160000 vendor/internal-gems
diff --git a/vendor/internal-gems b/vendor/internal-gems
new file mode 160000
index 00000000..349537c4
--- /dev/null
+++ b/vendor/internal-gems
@@ -0,0 +1 @@
+Subproject commit 349537c4cb9acc27586979d6f049a1a2c45fe986
From c85d834036249c24d526781fbfc63c3692465c6e Mon Sep 17 00:00:00 2001
From: Ben Toews
Date: Wed, 23 Jan 2013 11:07:44 -0600
Subject: [PATCH 3/6] lets try this differently
---
 Gemfile | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/Gemfile b/Gemfile
index c8363711..e45e65f8 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,5 +1,2 @@
 source :rubygems
-
-gem 'sane_yaml', :path => 'vendor/internal-gems/sane_yaml-0.1'
-
 gemspec
From 1528cfe1cdfe96bcbd4a0caf02dcf6ba0faed813 Mon Sep 17 00:00:00 2001
From: Ben Toews
Date: Wed, 23 Jan 2013 11:30:24 -0600
Subject: [PATCH 4/6] adding safe_yaml to protect against object instantiation from yaml
---
 jekyll.gemspec | 1 +
 lib/jekyll.rb | 2 +-
 lib/jekyll/migrators/drupal.rb | 2 +-
 lib/jekyll/migrators/joomla.rb | 2 +-
 lib/jekyll/migrators/marley.rb | 2 +-
 lib/jekyll/migrators/mt.rb | 2 +-
 lib/jekyll/migrators/rss.rb | 2 +-
 lib/jekyll/migrators/textpattern.rb | 2 +-
 lib/jekyll/migrators/typo.rb | 2 +-
 lib/jekyll/migrators/wordpress.rb | 2 +-
 lib/jekyll/migrators/wordpressdotcom.rb | 2 +-
 test/test_convertible.rb | 7 +++++++
 12 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/jekyll.gemspec b/jekyll.gemspec
index 0de0c969..86cbd1e8 100644
--- a/jekyll.gemspec
+++ b/jekyll.gemspec
@@ -30,6 +30,7 @@ Gem::Specification.new do |s|
 s.add_runtime_dependency('kramdown', "~> 0.13.4")
 s.add_runtime_dependency('pygments.rb', "~> 0.3.2")
 s.add_runtime_dependency('commander', "~> 4.1.3")
+ s.add_runtime_dependency('safe_yaml', "~> 0.4")
 s.add_development_dependency('rake', "~> 0.9")
 s.add_development_dependency('rdoc', "~> 3.11")
diff --git a/lib/jekyll.rb b/lib/jekyll.rb
index 477247dd..2c1ab0e6 100644
--- a/lib/jekyll.rb
+++ b/lib/jekyll.rb
@@ -18,7 +18,7 @@ require 'rubygems'
 # stdlib
 require 'fileutils'
 require 'time'
-require 'yaml'
+require 'safe_yaml'
 require 'English'
 # 3rd party
diff --git a/lib/jekyll/migrators/drupal.rb b/lib/jekyll/migrators/drupal.rb
index 7fd16aef..6acd5de0 100644
--- a/lib/jekyll/migrators/drupal.rb
+++ b/lib/jekyll/migrators/drupal.rb
@@ -1,7 +1,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'
 # NOTE: This converter requires Sequel and the MySQL gems.
 # The MySQL gem can be difficult to install on OS X. Once you have MySQL
diff --git a/lib/jekyll/migrators/joomla.rb b/lib/jekyll/migrators/joomla.rb
index 87f1e105..c7e72476 100644
--- a/lib/jekyll/migrators/joomla.rb
+++ b/lib/jekyll/migrators/joomla.rb
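Review bot: The `~> 0.4` constraint on the added `safe_yaml` runtime dependency accepts every later 0.x release, so the guard this patch introduces rests on whichever loading default a future version ships rather than on the one tested here. As far as I recall, later safe_yaml 0.x releases stopped overriding `YAML.load` implicitly and required an explicit opt-in, which would reopen the object-instantiation hole with no change to this file or to the new test. Narrowing to the tested minor, `s.add_runtime_dependency('safe_yaml', "~> 0.4.0")`, or pairing the dependency with an explicit safe-mode setting in lib/jekyll.rb, keeps that decision inside this repository. The `Gem::Specification.new` block starts and ends outside the hunk.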
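Review bot: Nothing in this hunk states that `require 'safe_yaml'` is relied on to replace `YAML.load` process-wide, so a reader sees only a swapped require, and a gem release that stops patching by default would not fail loudly anywhere. A comment plus an explicit opt-in directly after the require makes the intent visible and checkable: `require 'safe_yaml' # replaces YAML.load with a loader that refuses !ruby/* object tags` followed by `SafeYAML::OPTIONS[:default_mode] = :safe` (confirm the option name against the safe_yaml version actually pinned). Because the fix hangs on a global monkey-patch, it is also worth verifying that `YAML.load_file`, if `_config.yml` is read through it elsewhere, takes the patched path; the new test only exercises front matter via `read_yaml`.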
@@ -1,7 +1,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'
 # NOTE: This migrator is made for Joomla 1.5 databases.
 # NOTE: This converter requires Sequel and the MySQL gems.
diff --git a/lib/jekyll/migrators/marley.rb b/lib/jekyll/migrators/marley.rb
index 21bcead5..3aa74f49 100644
--- a/lib/jekyll/migrators/marley.rb
+++ b/lib/jekyll/migrators/marley.rb
@@ -1,4 +1,4 @@
-require 'yaml'
+require 'safe_yaml'
 require 'fileutils'
 module Jekyll
diff --git a/lib/jekyll/migrators/mt.rb b/lib/jekyll/migrators/mt.rb
index 048c84db..09d89a79 100644
--- a/lib/jekyll/migrators/mt.rb
+++ b/lib/jekyll/migrators/mt.rb
@@ -5,7 +5,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'
 # NOTE: This converter requires Sequel and the MySQL gems.
 # The MySQL gem can be difficult to install on OS X. Once you have MySQL
diff --git a/lib/jekyll/migrators/rss.rb b/lib/jekyll/migrators/rss.rb
index 461abd35..fec3d07c 100644
--- a/lib/jekyll/migrators/rss.rb
+++ b/lib/jekyll/migrators/rss.rb
@@ -13,7 +13,7 @@ require 'rss/1.0'
 require 'rss/2.0'
 require 'open-uri'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'
 module Jekyll
 module MigrateRSS
diff --git a/lib/jekyll/migrators/textpattern.rb b/lib/jekyll/migrators/textpattern.rb
index 3b370ed9..9eca2530 100644
--- a/lib/jekyll/migrators/textpattern.rb
+++ b/lib/jekyll/migrators/textpattern.rb
@@ -1,7 +1,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'
 # NOTE: This converter requires Sequel and the MySQL gems.
 # The MySQL gem can be difficult to install on OS X. Once you have MySQL
diff --git a/lib/jekyll/migrators/typo.rb b/lib/jekyll/migrators/typo.rb
index adb8be96..0bf58456 100644
--- a/lib/jekyll/migrators/typo.rb
+++ b/lib/jekyll/migrators/typo.rb
@@ -2,7 +2,7 @@
 require 'fileutils'
 require 'rubygems'
 require 'sequel'
-require 'yaml'
+require 'safe_yaml'
 module Jekyll
 module Typo
diff --git a/lib/jekyll/migrators/wordpress.rb b/lib/jekyll/migrators/wordpress.rb
index 61e00ad1..8d0ecf71 100644
--- a/lib/jekyll/migrators/wordpress.rb
+++ b/lib/jekyll/migrators/wordpress.rb
@@ -1,7 +1,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'
 # NOTE: This converter requires Sequel and the MySQL gems.
 # The MySQL gem can be difficult to install on OS X. Once you have MySQL
diff --git a/lib/jekyll/migrators/wordpressdotcom.rb b/lib/jekyll/migrators/wordpressdotcom.rb
index 286c302f..bf423384 100644
--- a/lib/jekyll/migrators/wordpressdotcom.rb
+++ b/lib/jekyll/migrators/wordpressdotcom.rb
@@ -3,7 +3,7 @@
 require 'rubygems'
 require 'hpricot'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'
 require 'time'
 module Jekyll
diff --git a/test/test_convertible.rb b/test/test_convertible.rb
index 82e4d27f..3940f030 100644
--- a/test/test_convertible.rb
+++ b/test/test_convertible.rb
@@ -29,6 +29,13 @@ class TestConvertible < Test::Unit::TestCase
 assert_match(/#{File.join(@base, name)}/, out)
 end
+ should "not allow ruby objects in yaml" do
+ out = capture_stdout do
+ @convertible.read_yaml(@base, 'exploit_front_matter.erb')
+ end
+ assert_no_match /undefined class\/module DoesNotExist/, out
+ end
+
 if RUBY_VERSION >= '1.9.2'
 should "not parse if there is encoding error in file" do
 name = 'broken_front_matter3.erb'
From d82179048efd172699c2dead9cca42220fa214d8 Mon Sep 17 00:00:00 2001
From: Ben Toews
Date: Wed, 23 Jan 2013 11:31:59 -0600
Subject: [PATCH 5/6] adding files
---
 test/fixtures/exploit_front_matter.erb | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 test/fixtures/exploit_front_matter.erb
diff --git a/test/fixtures/exploit_front_matter.erb b/test/fixtures/exploit_front_matter.erb
new file mode 100644
index 00000000..604a7ae9
--- /dev/null
+++ b/test/fixtures/exploit_front_matter.erb
@@ -0,0 +1,4 @@
+---
+test: !ruby/hash:DoesNotExist {}
+---
+Real content starts here
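Review bot: The new `assert_no_match` only checks that one error phrase is absent from captured stdout, so it also passes for any outcome that does not print that exact wording there — a differently worded loader error (Psych vs. Syck on 1.8), a message routed to stderr, or a raise that escapes whatever rescue `read_yaml` has — and cannot tell a working guard from a broken one. Pin the positive outcome instead: after the `capture_stdout` block add `assert_equal({}, @convertible.data['test'])`, assuming `data` is readable on the test double and safe_yaml discards the tag and yields an empty Hash, or at minimum `assert_instance_of Hash, @convertible.data['test']`. Keeping the negative check as well is fine, but it should not be the only assertion. The enclosing `TestConvertible` context starts and ends outside the hunk.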
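Review bot: The probe tag `!ruby/hash:DoesNotExist` only demonstrates that the loader no longer tries to resolve an unknown constant; it says nothing about whether a tag naming a class that does exist is still instantiated, which is the actual code-execution vector this series is meant to close. A second key such as `obj: !ruby/object:Object {}` (any class present at test time), paired with an assertion in test_convertible.rb that the value comes back as a plain Hash, would cover that case without a new fixture file.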
From d758d424b41d749c2ab12b4d9c2f30f4e3fdcbd5 Mon Sep 17 00:00:00 2001
From: Ben Toews
Date: Wed, 23 Jan 2013 17:19:32 -0600
Subject: [PATCH 6/6] deleted junk
---
 vendor/internal-gems | 1 -
 1 file changed, 1 deletion(-)
 delete mode 160000 vendor/internal-gems
diff --git a/vendor/internal-gems b/vendor/internal-gems
deleted file mode 160000
index 349537c4..00000000
--- a/vendor/internal-gems
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 349537c4cb9acc27586979d6f049a1a2c45fe986