Skip to content

Instantly share code, notes, and snippets.

@nelhage

nelhage/make_yaml_safe.rb

Last active Dec 11, 2015
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Raw
make_yaml_safe.rb
# The canonical version of this file lives at <https://gist.github.com/4507129>. Sorry for the redundant posts.
@postmodern

This comment has been minimized.

Sign in to view
Copy link

@postmodern postmodern commented Jan 29, 2013

Confirmed this stops the PoC exploit:

Psych::UnsafeYAML (Found node with tag: !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection):
  config/initializers/make_yaml_safe.rb:48:in `check_node'
  config/initializers/make_yaml_safe.rb:29:in `check_safety'
  config/initializers/make_yaml_safe.rb:37:in `check_safety'
  config/initializers/make_yaml_safe.rb:23:in `load'
@postmodern

This comment has been minimized.

Sign in to view
Copy link

@postmodern postmodern commented Jan 29, 2013

Would be nice if there was a safe-mode for YAML, so developers could choose whether they want to load arbitrary objects or only primitives.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.