Skip to content

Commit

Permalink
security issue ruby/psych#119
Browse files Browse the repository at this point in the history
  • Loading branch information
bbenezech committed Feb 6, 2013
1 parent 5265c9d commit 3cc862d
Show file tree
Hide file tree
Showing 5 changed files with 21 additions and 22 deletions.
2 changes: 0 additions & 2 deletions .rspec
Original file line number Diff line number Diff line change
@@ -1,4 +1,2 @@
--color
--fail-fast
--order random
--profile
26 changes: 11 additions & 15 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,24 +30,20 @@ Hoeven][plukevdh], and [Rein Henrichs][reinh].

## Announcements

RailsAdmin model configuration is now lazy loaded.
### [Action required] Security issue

```ruby
config.model 'Team' do
...
end

# or
class Team
rails_admin do
...
end
end
```
`RailsAdmin::Config::Fields::Types::Serialized#parse_input` was unsafe, because it was using the infamous `YAML#load`.

To fix this, RailsAdmin now uses [safe_yaml](https://github.com/dtao/safe_yaml), with `enable_arbitrary_object_deserialization` and `suppress_warnings` on, for maximum compatibity with all existing apps.

If you want to load safely YAML in your own app, you can use `YAML.load(something, safe: true)`

If you use Serialized with RailsAdmin with non-totally-trusted users, your server is at risk. Update your gem to `> 0.4.3` (should be released any time soon) or to a [patched commit]()

Rails3.0 and other branches may be at risk too, I strongly suggest to not use those any more.

won't load the Team model.
More information about the whole drama [here](https://github.com/tenderlove/psych/issues/119).

Incidentally, you are only allowed one configuration block per model.

## Features

Expand Down
2 changes: 1 addition & 1 deletion lib/rails_admin/config/fields/types/serialized.rb
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ class Serialized < RailsAdmin::Config::Fields::Types::Text
end

def parse_input(params)
params[name] = (params[name].blank? ? nil : YAML.load(params[name])) if params[name].is_a?(::String)
params[name] = (params[name].blank? ? nil : YAML.load(params[name], :safe => true)) if params[name].is_a?(::String)
end
end
end
Expand Down
4 changes: 4 additions & 0 deletions lib/rails_admin/engine.rb
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,10 @@
require 'nested_form'
require 'rails_admin'

require 'safe_yaml'
YAML.enable_arbitrary_object_deserialization!
SafeYAML::OPTIONS[:suppress_warnings] = true

module RailsAdmin
class Engine < Rails::Engine
isolate_namespace RailsAdmin
Expand Down
9 changes: 5 additions & 4 deletions rails_admin.gemspec
Original file line number Diff line number Diff line change
Expand Up @@ -3,19 +3,20 @@ require File.expand_path('../lib/rails_admin/version', __FILE__)

Gem::Specification.new do |spec|
# If you add a dependency, please maintain alphabetical order
spec.add_dependency 'nested_form', '~> 0.3'
spec.add_dependency 'sass-rails', '~> 3.1'
spec.add_dependency 'bootstrap-sass', '~> 2.2'
spec.add_dependency 'font-awesome-sass-rails', ['~> 3.0', '>= 3.0.0.1']
spec.add_dependency 'jquery-ui-rails', '~> 3.0'
spec.add_dependency 'builder', '~> 3.0'
spec.add_dependency 'coffee-rails', '~> 3.1'
spec.add_dependency 'font-awesome-sass-rails', ['~> 3.0', '>= 3.0.0.1']
spec.add_dependency 'haml', '~> 3.1'
spec.add_dependency 'jquery-rails', '~> 2.1'
spec.add_dependency 'jquery-ui-rails', '~> 3.0'
spec.add_dependency 'kaminari', '~> 0.14'
spec.add_dependency 'nested_form', '~> 0.3'
spec.add_dependency 'rack-pjax', '~> 0.6'
spec.add_dependency 'rails', '~> 3.1'
spec.add_dependency 'remotipart', '~> 1.0'
spec.add_dependency 'safe_yaml', '~> 0.6'
spec.add_dependency 'sass-rails', '~> 3.1'
spec.authors = ["Erik Michaels-Ober", "Bogdan Gaza", "Petteri Kaapa", "Benoit Benezech"]
spec.description = %q{RailsAdmin is a Rails engine that provides an easy-to-use interface for managing your data.}
spec.email = ['sferik@gmail.com', 'bogdan@cadmio.org', 'petteri.kaapa@gmail.com']
Expand Down

0 comments on commit 3cc862d

Please sign in to comment.