
Deserialization of Untrusted data #207

Closed
wants to merge 1 commit into from

Conversation


@bhaskarvilles bhaskarvilles commented Apr 11, 2022

Signed-off-by: Bhaskar [email protected]

Unsanitized input from an HTTP parameter flows into YAML.load, where it is used to deserialize an object. This may result in an Unsafe Deserialization vulnerability.

Data flow:

5 steps in 1 file

  1. params (source)
  2. params
  3. params["map_path"]
  4. File.read(params["map_path"])
  5. YAML.load(File.read(params["map_path"]))
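As an added example, not code from the Malcolm project or from this PR: the hardened form of the last step in the data flow above, with YAML.load replaced by YAML.safe_load restricted to plain data, run over constructed documents to show that a !ruby/* tagged object, an alias and a Symbol are rejected while an ordinary map loads. The function names and sample documents are assumptions of this example; the commit referenced further down uses YAML.strict_load, which is not used here.

```ruby
require 'yaml'

# Constructed sample documents standing in for File.read(params["map_path"]).
# An ordinary mapping: the only shape the consumer of the map file needs.
BENIGN_MAP = <<~YAML
  aliases:
    dns.question.name: query
    source.ip: client_ip
YAML

# A Ruby-specific tag: the full loader would instantiate the named class,
# which is the root of the unsafe deserialization finding in this PR.
TAGGED_MAP = <<~YAML
  aliases: !ruby/object:Object {}
YAML

# Anchors/aliases: harmless here, but disabled below so the loader cannot be
# handed a self-referencing document.
ALIASED_MAP = <<~YAML
  base: &b { enabled: true }
  copy: *b
YAML

# Hardened stand-in for YAML.load(File.read(params["map_path"])):
# safe_load with an empty permitted_classes list accepts only strings,
# numbers, booleans, nil, arrays and hashes. Symbols and any !ruby/* tag
# raise Psych::DisallowedClass; aliases raise Psych::BadAlias.
def load_map(yaml_text)
  YAML.safe_load(yaml_text, permitted_classes: [], permitted_symbols: [], aliases: false)
end

# Wraps load_map so the caller gets [:ok, hash] or [:rejected, error_class]
# and can log the rejection instead of letting the pipeline crash.
# Psych::Exception is the base class of DisallowedClass, BadAlias and SyntaxError.
def load_map_checked(yaml_text)
  [:ok, load_map(yaml_text)]
rescue Psych::Exception => e
  [:rejected, e.class.name]
end

if __FILE__ == $PROGRAM_NAME
  [BENIGN_MAP, TAGGED_MAP, ALIASED_MAP].each do |doc|
    status, detail = load_map_checked(doc)
    puts "#{status}: #{detail.inspect}"
  end
end
```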

mmguero added a commit to mmguero-dev/Malcolm that referenced this pull request Apr 11, 2022
@bhaskarvilles (Author) commented

@mmguero you've already changed the YAML loading, can I close my pull request now?

@mmguero (Collaborator) commented Apr 12, 2022

Thanks, I've made the change in my development path and will get it merged in on the next patch release.

@mmguero mmguero closed this Apr 12, 2022
mmguero added a commit to mmguero-dev/Malcolm that referenced this pull request Apr 12, 2022
…he YAML gem. related to 0b4551f, ensure safe loading of YAML in ruby code called from Logstash by using YAML.strict_load instead of YAML.load (see cisagov#207)