@homakov it doesn't look like Rails 3.2.9 supports parsing YAML POSTS/PUTS by default. https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/params_parser.rb#L16-L19 …
@homakov request.content_mime_type is "application/x-yaml" but action_dispatch.request.request_parameters is always {}.
@homakov after adding ActionDispatch::ParamsParser::DEFAULT_PARSERS[Mime::YAML] = :yaml request.request_parameters could be populated.
@homakov however, any Hash that is fetched from params will be coerced into ActiveSupport::HashWithIndifferentAccess and Symbols -> Strings.
@homakov also I seem to remember @tenderlove making a commit that used Strings over Symbols to prevent any memory DoS.
@homakov I almost got a Struct instance (has a #[] method) through via YAML, but ActionDispatch::Parameters#parameters calls merge on it.
@postmodern_mod3 your tweets are exactly my tweets yesterday. 1 yaml 2 yes, it's off by default 3 yaml inside xml 4 DDOS YEAH!
@homakov I was hoping to exploit find_by_* methods, but doesn't look like ActionDispatch::Parameters will let me.
@postmodern_mod3 IMHO this find_by_* exploit is impossible through params. Only authlogic case (from cookie) makes sense.
@homakov @postmodern_mod3 Which is surprising because authlogic is pretty big, you would think somebody would have caught it before now.
@envygeeks @postmodern_mod3 it STILL relies solely on session_secret. This CVE is very rare
@homakov @postmodern_mod3 Well as demonstrated not too long ago, most programmers don't know what "secret" is if you watch Github last week.
@envygeeks @postmodern_mod3 posted tweets about it 6 months ago, inurl:config/session_secret is also rare case. some devs are just idiots
@envygeeks never understood why the session secret wasn't put into a YAML/txt file and gitignored. @homakov
@postmodern_mod3 @envygeeks dunno lol. @dhh ?
@postmodern_mod3 @envygeeks @homakov it is convenient to check it in if you have a closed source app
@charliesome @envygeeks @homakov you should keep credentials out of version-control, in case it gets compromised. I symlink database.yml in
@postmodern_mod3 @homakov That's actually what I do on my client sites, I always create an app.yml and load it and .gitignore for security.
Egor Homakov
Postmodern
Jordon Bedwell
Charlie Somerville