Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Rails YAML vuln.

Rails YAML vuln.

Quick presentation on the YAML vuln and the impact on a Rails application.
Made at : http://rubybdx.org/

Damian Le Nouaille

February 06, 2013

More Decks by Damian Le Nouaille

Other Decks in Programming


  1. “This is a VULN” “No, this is a feature.” YAML

    allows us to represent ruby objects directly
  2. YAML creates objects. With code execution on “[]=” (and more

    methods) Is there a Rails class with that ?
  3. Back to Rails. Let’s create a YAML string : ---

    !ruby/ hash:ActionController::Routing::RouteSet::NamedRouteCollection ? #{encoded_payload} : !ruby/struct defaults: :action: create :controller: foos required_parts: [] requirements: :action: create :controller: foos segment_keys: - :format
  4. Rails will deserialize the params[], the XML, the YAML, and

    will execute the payload. ... without 500 errors.
  5. NOT a Rails problem. It’s a YAML feature. Ok ...

    Rails problem too. UPGRADE to 3.2.11