Comments on Egor Homakov: Rails Vulnerabilities: Learning The Lesson
Blog author: homakov (http://www.blogger.com/profile/10492045246792330280)
Feed last updated: 2024-02-10T02:19:53-08:00
3 comments, shown in the order they were posted.

nikic (http://nikic.github.com), 2013-02-11 13:00 -08:00:

> P.S. don't blame Rails again. You can blame rails for mass assignment (i'm kidding, blame yourself for this), but for RCEs - blame JSON/YAML gems. So far, Rails itself is pretty safe.

Seriously? I always thought that "Don't let YAML.load close to any user input" was common Ruby knowledge. Just like "(Nearly) always use \A\z instead of ^$". I mean, even I, who never wrote a single line of Ruby code in my life, know this stuff.

I know, the multiline option for regular expressions is Ruby's fault (a really, really, really bad choice), and YAML might have done a better job at educating people that it's a fully-fledged serialization format and not just some key-value store.

But in the end it's Rails' fault for using them the way it did.

Really, this is not intended as bashing against Rails (every software has vulnerabilities), but I think blaming all these vulns on "the others" is disingenuous.

homakov (https://www.blogger.com/profile/10492045246792330280), 2013-02-11 13:22 -08:00:

I cannot share your point. Yes, YAML could do a better job educating developers, but "Don't let YAML.load close to any user input" wasn't too obvious for me. At least I could not imagine RCE through it (DoS, yes).

After all, the Rails ecosystem is a network of different gems. We cannot blame Rails because it is the central and best-known gem. Rails is glue.
I can blame Rails, though, for its magic methods and attack surface.

Nir Goldshlager (https://www.blogger.com/profile/05298271702219810586), 2013-02-11 13:44 -08:00:

Great post buddy :)
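The two idioms the commenters argue about, "\A\z instead of ^$" and "keep YAML.load away from user input", as an added Ruby example that is not part of the post or of any comment above. The `Gadget` class, the two YAML documents and the username validators are constructed for illustration; the point is the mechanism (line anchors that a newline slips past, and a YAML loader that instantiates whatever class the document names), not any particular gem's exploit chain.

```ruby
require 'yaml'

# --- 1. ^$ versus \A\z -----------------------------------------------
# In Ruby, ^ and $ always anchor at line boundaries, so a value with an
# embedded newline can satisfy a "whole string" check written with ^ and $.
LINE_ANCHORED   = /^[a-z0-9_]+$/    # weak: matches any *line* of the input
STRING_ANCHORED = /\A[a-z0-9_]+\z/  # strict: matches the *entire* input

def valid_username_weak?(s)
  !!(s =~ LINE_ANCHORED)
end

def valid_username_strict?(s)
  !!(s =~ STRING_ANCHORED)
end

# --- 2. YAML.load versus YAML.safe_load ------------------------------
# A full-featured YAML loader honours !ruby/object tags: it allocates the
# named class and sets instance variables from attacker-supplied keys.
class Gadget          # hypothetical application class; stands in for
  attr_accessor :cmd  # whatever class an attacker finds useful
end

# Constructed sample inputs.
TAGGED_DOC = "--- !ruby/object:Gadget\ncmd: id\n"
PLAIN_DOC  = "---\nname: alice\nrole: user\n"

# Full-featured load. Psych 4 (Ruby 3.1+) made YAML.load safe by default,
# so use unsafe_load where it exists to reproduce the 2013-era behaviour.
def load_unsafe(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Restricted load: only plain scalars, arrays and hashes. Returns the parsed
# data, or the exception class name when the document names a class.
def load_safe(doc)
  YAML.safe_load(doc)
rescue Psych::DisallowedClass => e
  e.class.name
end

if __FILE__ == $0
  input = "alice\n<script>"
  puts "weak regex accepts #{input.inspect}:   #{valid_username_weak?(input)}"
  puts "strict regex accepts #{input.inspect}: #{valid_username_strict?(input)}"

  obj = load_unsafe(TAGGED_DOC)
  puts "unsafe load built a #{obj.class} with cmd=#{obj.cmd.inspect}"
  puts "safe load of the same document: #{load_safe(TAGGED_DOC)}"
  puts "safe load of plain data: #{load_safe(PLAIN_DOC).inspect}"
end
```

Run it and the weak validator accepts "alice\n<script>" because `^`/`$` match the first line on its own, while the `\A`/`\z` form rejects it. On the YAML side the unsafe loader hands back a live `Gadget` whose `@cmd` the document chose, whereas `safe_load` refuses the tag with `Psych::DisallowedClass` and still parses ordinary key-value data.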