Psych.load is not safe for use with untrusted data. Too many applications make … the mistake of using `Psych.load` with untrusted data and that ends up with some kind of security vulnerability. This commit changes the default `Psych.load` to use `safe_load`. Applications that want to parse trusted data can use Psych.unsafe_load.

`Psych.load` or `YAML.load` are susceptible to a Remote Code Execution (or RCE) flaw. The problem isn't with the load functions themselves, but they can be used to abuse other objects that are in the system to escalate to an RCE. () goes into details about how YAML can be used in conjunction with RubyGems to execute arbitrary code. If someone tries to load YAML from an untrusted source, bad actors could use this issue to execute arbitrary code in the target system.

Psych provides a method called "safe_load" which can't be used to launch such an attack. The proposal here is to change the default such that "load" is now "safe_load". Of course the drawback is that "safe_load" is much more limited than "load", and making this change could break existing code.

Also it's probably worth mentioning that the YAML load functions could be used with other objects in the system besides RubyGems to escalate to an RCE. Also worth mentioning that anything that can be used to load arbitrary objects (like `Marshal.load`) can be abused in the same way. So neither changing RubyGems nor changing to a different serialization scheme (like Marshal) would plug this hole.

This is why Katello CI is failing at the moment: Psych::DisallowedClass: Tried to load unspecified class: `load'
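The following is an added example, not code from the page or from the Psych project, showing the behaviour the text describes from the application side: `Psych.safe_load` refusing YAML that would revive a Ruby object or a Symbol (raising `Psych::DisallowedClass`, the same error Katello CI hit), the `permitted_classes:` opt-in for classes the application deliberately accepts, and `Psych.unsafe_load` reserved for data the application itself produced. The `DemoConfig` class, the `parse_untrusted`/`parse_trusted` helpers and the three YAML documents are constructed for this example and are not from the page.

```ruby
require "psych"

# Constructed for this example: a harmless application class. The point is that
# untrusted YAML must not be able to instantiate it unless the application
# explicitly opts in.
class DemoConfig
  attr_accessor :name
end

# Constructed sample inputs (not from the page): the first two carry Ruby-specific
# tags that the restricted loader refuses; the third is plain data.
YAML_OBJECT = "--- !ruby/object:DemoConfig\nname: hello\n"
YAML_SYMBOL = "--- :admin\n"
YAML_PLAIN  = "--- {user: alice, roles: [read, write]}\n"

# Parse YAML that came from an untrusted source. Only plain data (strings,
# numbers, booleans, nil, arrays, hashes) comes back unless the caller names
# extra classes in `permitted`. Returns [:ok, value] or [:rejected, message].
def parse_untrusted(yaml, permitted: [])
  value = Psych.safe_load(yaml, permitted_classes: permitted, aliases: false)
  [:ok, value]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

# YAML the application wrote itself (for example its own cache) may still revive
# arbitrary objects. Psych >= 3.3.2 / 4.0 names that `unsafe_load`; on older
# versions the permissive behaviour is still plain `load`.
def parse_trusted(yaml)
  Psych.respond_to?(:unsafe_load) ? Psych.unsafe_load(yaml) : Psych.load(yaml)
end

if __FILE__ == $PROGRAM_NAME
  [YAML_OBJECT, YAML_SYMBOL, YAML_PLAIN].each do |doc|
    status, detail = parse_untrusted(doc)
    puts "#{status}: #{detail.inspect}"
  end
  status, cfg = parse_untrusted(YAML_OBJECT, permitted: [DemoConfig])
  puts "#{status} with DemoConfig permitted: name=#{cfg.name}"
end
```

The error message for the rejected documents reads `Tried to load unspecified class: DemoConfig` and `... Symbol`, which is the form seen in the Katello failure above; a code base that breaks on the Psych 4 default should fix each such site either by adding the specific class to `permitted_classes:` (if the data is untrusted) or by switching that one call to `unsafe_load` (only if the data is the application's own), rather than reverting the global default.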