Locale/localeapp

Localeapp::PotentiallyInsecureYaml

bitboxer opened this issue · 14 comments

I am currently seeing the Localeapp::PotentiallyInsecureYaml exception when I try to start my app. After digging into the code I saw that Localeapp prevents the loading of the YAML because it contains the !ruby string:


---
  !ruby/sym polled_at: 1401024918
  !ruby/sym updated_at: 1401024918%

This is totally valid YAML code[1]. Can you explain to me what is happening there?

Hi @bitboxer YAML with !ruby is valid, but it’s a security risk. You can read more about it here: http://tenderlovemaking.com/2013/02/06/yaml-f7u12.html

I know that this can be bad. But that file is created by your lib 😉 . How do I prevent that from happening?

You can set config option raise_on_insecure_yaml: false to turn it off.

Can't we find a solution why this is generated that way instead of this workaround?

Yes, pull requests are always welcome.

Ehm...thanks....

Hi @bitboxer, terribly sorry about the previous comment, that's not cool at all.

Can you give us some info about your environment specifically your ruby version. Also any info about how you're using the gem would be useful (eg. using the daemon, running commands manually etc..).

Do you still have that same file format after running a localeapp pull?

Again, I apologize for inappropriate comment above.

Chris

Yes, it has the same format. Currently I am using

ruby 2.0.0p481 (2014-05-08 revision 45883) [x86_64-darwin13.2.0]

And the project I am using it in is this: https://github.com/hacken-in/website

The localeapp is in the initializer and pulls the stuff from there. So no daemon right now. Should I try the daemonized version?

@bitboxer I tried to clone your repo but was unable to do a clean slate install (normal and VM) so I tried instead to reproduce your issues with a new Rails app.

The log/localeapp.yml content you describe seems to use the old Psych format. It should look something like this.

---
:polled_at: 1401197373
:updated_at: 1401195645

The question is here how it came to look like the way you describe:

---
  !ruby/sym polled_at: 1401024918
  !ruby/sym updated_at: 1401024918%

I notice that the above format made stuff go wild (similar to your stack trace in hacken-in/hacken-in#383) - even unable to start the app. localeapp pull didn't seem to update it, so its Psych format has to be ..hmm.. updated manually at the time of writing.

It's within your .gitignore, so can you check the mod date of log/localeapp.yml so I may be able to backtrace when this might have had that type of Psych format etc.

Also can you test this from your app's rails c to validate that no other yaml parser within your system might tamper with the format:

{ polled_at: 0, updated_at: 0 }.to_yaml
# => "---\n:polled_at: 0\n:updated_at: 0\n"

If the YAML was generated for string keys instead of symbols, we wouldn't have to worry about this problem at all.

The functionality using this seems to be very bound to current Psych format, changing to:

{ 'polled_at' => 0, 'updated_at' => 0 }.to_yaml
#=> "---\npolled_at: 0\nupdated_at: 0\n"

Will create yaml format like this:

---
polled_at: 1401197373
updated_at: 1401195645

But will affect calls like synchronization_data[:updated_at] which in turn has to be updated. So if it was changed in the gem I still wonder if it might affect anyone with previous :polled_at: format from hash keys ( plus those still with "old" !ruby/sym polled_at: ).

You could just change the serialization/deserialization and then nothing within the gem has to be changed.

I'm just done with a pull request for this, waiting for Travis' final word. It will now make it possible to update the log/localeapp.yml when running localeapp pull so it's converted to the correct YAML format and never breaks the app because of this. It also bypasses Localeapp::PotentiallyInsecureYaml because the log file is just stored as YAML and has really nothing to do with the locales format.
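The string-key serialization suggested in the two comments above, worked through as an added example. This is not the gem's code or the pull request: `insecure_ruby_tag?` is a hypothetical, simplified stand-in for the gem's `!ruby` check, and the two YAML documents are constructed samples copied from the formats quoted in this thread (without the trailing shell `%`). It assumes a Psych with `YAML.safe_load` (Psych 2.0 or later) and shows why string keys sidestep the problem: `safe_load` with its defaults refuses both the old `!ruby/sym` form and the `:polled_at:` symbol-key form, while the string-key file loads and is re-symbolized so callers such as `synchronization_data[:updated_at]` are unchanged.

```ruby
require 'yaml'

# Constructed sample: the tagged form reported in the issue.
OLD_TAGGED_YAML = "---\n  !ruby/sym polled_at: 1401024918\n  !ruby/sym updated_at: 1401024918\n"

# Constructed sample: what current Psych emits for a symbol-keyed Hash.
SYMBOL_KEY_YAML = "---\n:polled_at: 1401197373\n:updated_at: 1401195645\n"

# Hypothetical stand-in for the gem's PotentiallyInsecureYaml check
# (simplified; the gem's real check may differ): any !ruby tag is refused.
def insecure_ruby_tag?(yaml)
  yaml.include?('!ruby')
end

# Serialize with string keys so the file never needs Ruby-specific tags
# and never depends on how a particular Psych version spells a Symbol.
def dump_sync_data(data)
  string_keyed = data.each_with_object({}) { |(k, v), h| h[k.to_s] = v }
  string_keyed.to_yaml
end

# Deserialize with safe_load (no Symbol, no !ruby/* tags, no aliases) and
# re-symbolize the keys so existing callers like data[:updated_at] still work.
def load_sync_data(yaml)
  parsed = YAML.safe_load(yaml) || {}
  parsed.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
end

# Reports whether safe_load accepts a document, without raising out of
# the example; used below to show the two legacy formats being rejected.
def safe_load_outcome(yaml)
  YAML.safe_load(yaml)
  :loaded
rescue Psych::DisallowedClass
  :disallowed
end

if __FILE__ == $PROGRAM_NAME
  puts "tagged form flagged:   #{insecure_ruby_tag?(OLD_TAGGED_YAML)}"
  puts "tagged form safe_load: #{safe_load_outcome(OLD_TAGGED_YAML)}"
  puts "symbol keys safe_load: #{safe_load_outcome(SYMBOL_KEY_YAML)}"
  yaml = dump_sync_data(polled_at: 1401197373, updated_at: 1401195645)
  puts yaml
  p load_sync_data(yaml)
end
```

Because the round trip goes through `safe_load`, a log file that has somehow acquired `!ruby/sym` or `:sym:` keys fails closed with `Psych::DisallowedClass` instead of being evaluated by the full YAML loader; rewriting the file once with `dump_sync_data` (as the pull request does on `localeapp pull`) is the migration.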

👍