Oh. This can't be good. I better audit stuff.
-
Just patch the language runtimes/stdlibs to remove the code-exec support from their yaml implementations and be done with it. If you want to be nice, file bug reports for software that breaks.
-
This is just like the XML external entity/dtd crap except worse. Anything relying on this broken-by-design functionality is a bug.
-
Yeah. Of course the first step is to get the facts straight. Something this common and basic could cause a leftpad level of breakage. I'd be quite interested to know the affected yaml implementations. Is there a CVE?
-
Not that I'm aware of. The linked article is a starting point I guess. Probably need to read the spec too and figure out what this hideous construct is...
New conversation -
-
I thought this was well-known, like the security implications of Python's Pickle or Ruby's Marshal. I'm not saying it's good (tutorials need to stop recommending Pickle for a start!), just assumed that most people knew about it
-
It's not. Data formats that embed code to be executed in the privilege context of the processing user are SO far across the line of what's acceptable you just assume it wouldn't happen in anything but ancient legacy formats (e.g. Word macros).
-
my experience in the Ruby community is that YAML is touted as the interoperable equivalent of Python's Pickle or Ruby's Marshal, in that it magically serializes and deserializes arbitrary objects (and brings security risks with that)
-
"Deserializes arbitrary objects" is a bug in itself, but IME yaml is just an obnoxious alternative *data format* to json and xml, containing untrusted data, not a pickle-hell-wannabe.
-
understood, but i'm talking about my experience in terms of the Ruby community. although that perspective of YAML is clearly influenced by the dangerous API design (i.e. load/safe_load instead of unsafe_load/load)
End of conversation
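A worked illustration of the load/safe_load distinction discussed in the conversation above, added here as an example and not taken from the tweets or from any project they mention. It uses Ruby's standard Psych library (`require 'yaml'`); the `Endpoint` class, the two YAML documents and the `classify` helper are constructed for this example.

```ruby
require 'yaml'

# Hypothetical application class, defined only for this example.
class Endpoint
  attr_accessor :host, :port
end

# Constructed sample documents. PLAIN_DOC is ordinary configuration data.
# TAGGED_DOC carries a !ruby/object tag, which asks the loader to build an
# Endpoint instance instead of a plain Hash; this is the "arbitrary object"
# deserialization the thread is talking about.
PLAIN_DOC = <<~YAML
  name: service-config
  port: 8080
YAML

TAGGED_DOC = <<~YAML
  name: service-config
  listener: !ruby/object:Endpoint
    host: example.invalid
    port: 8080
YAML

# Load untrusted YAML with the restricted loader. Only classes named in
# permitted_classes may be instantiated; anchors/aliases are disabled too.
def load_untrusted(text, permitted_classes: [])
  YAML.safe_load(text, permitted_classes: permitted_classes, aliases: false)
end

# Wrap the outcome so callers (and tests) can see whether the document was
# accepted as data or rejected because it named a class outside the allowlist.
def classify(text, permitted_classes: [])
  [:ok, load_untrusted(text, permitted_classes: permitted_classes)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  p classify(PLAIN_DOC)                                  # [:ok, {"name"=>"service-config", "port"=>8080}]
  p classify(TAGGED_DOC)                                 # [:rejected, "Tried to load unspecified class: ..."]
  p classify(TAGGED_DOC, permitted_classes: [Endpoint])  # [:ok, {..., "listener"=>#<Endpoint ...>}]
end
```

The point of the allowlist is that the loader, not the document, decides which classes can ever be built; a tag naming anything else is an error rather than an instantiation. Note that Psych 4 (the default in Ruby 3.1 and later) made `YAML.load` behave like `safe_load`, with the old permissive behaviour moved to `unsafe_load`, which is the API naming the thread argues for.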
New conversation -
-
YAML is the source of many of my gray hairs. I much prefer TOML.
-
I blame yaml for my ansible initiative landing flat on its face
End of conversation
New conversation -
-
they should just rebrand to yapl