nelhage/make_yaml_safe.rb

Last active December 11, 2015 20:59

Star 1 You must be signed in to star a gist
Fork 0 You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/nelhage/4659489.js"></script>
Save nelhage/4659489 to your computer and use it in GitHub Desktop.

Download ZIP

Raw

make_yaml_safe.rb

# The canonical version of this file lives at <https://gist.github.com/4507129>. Sorry for the redundant posts.

postmodern commented Jan 29, 2013

Confirmed this stops the PoC exploit:

Psych::UnsafeYAML (Found node with tag: !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection):
  config/initializers/make_yaml_safe.rb:48:in `check_node'
  config/initializers/make_yaml_safe.rb:29:in `check_safety'
  config/initializers/make_yaml_safe.rb:37:in `check_safety'
  config/initializers/make_yaml_safe.rb:23:in `load'

postmodern commented Jan 29, 2013

Would be nice if there was a safe-mode for YAML, so developers could choose whether they want to load arbitrary objects or only primitives.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment