SafeYAML is configured through a small set of options. The most important option is the :safe option (default: true), which controls whether or not to deserialize arbitrary objects when parsing a YAML document. The other options, along with explanations, are as follows.

- :deserialize_symbols (default: false): Controls whether or not YAML will deserialize symbols. Symbols receive special treatment in Ruby and are not garbage collected, which means deserializing them indiscriminately may render your site vulnerable to a DoS attack. It is probably best to only enable this option where necessary.

- :whitelisted_tags: Accepts an array of YAML tags that designate trusted types, i.e., ones that can be deserialized without worrying about any resulting security vulnerabilities. When any of the given tags are encountered in a YAML document, the associated data will be parsed by the underlying YAML engine (Syck or Psych) for the version of Ruby you are using. See the "Whitelisting Trusted Types" section below for more information.

- :custom_initializers: Similar to the :whitelisted_tags option, but allows you to provide your own initializers for specified tags rather than using Syck or Psych. Accepts a hash with string tags for keys and lambdas for values.

- :raise_on_unknown_tag (default: false): Represents the highest possible level of paranoia. If the YAML engine encounters any tag other than ones that are automatically trusted by SafeYAML or that you've explicitly whitelisted, it will raise an exception. This may be a good choice if you expect to always be dealing with perfectly safe YAML and want your application to fail loudly upon encountering questionable data.

All of the above options can be set at the global level via SafeYAML::OPTIONS. You can also set each one individually per call to YAML.load; an option explicitly passed to load will take precedence over an option specified globally.

What if I don't want to patch YAML?

Excellent question! You can also get the methods SafeYAML.load and SafeYAML.load_file without touching the YAML module at all like this:

    require "safe_yaml/load" # instead of require "safe_yaml"

This way, you can use SafeYAML.load to parse YAML that you don't trust, without affecting the rest of an application (if you're developing a library, for example).

The way that SafeYAML works is by restricting the kinds of objects that can be deserialized via YAML.load. More specifically, only a limited set of basic object types can be deserialized by default. Again, deserialization of symbols can be enabled globally by setting SafeYAML::OPTIONS[:deserialize_symbols] = true, or in a specific call to YAML.load by passing :deserialize_symbols => true.

Whitelisting Trusted Types

SafeYAML supports whitelisting certain YAML tags for trusted types. This is handy when your application uses YAML to serialize and deserialize certain types outside the default set, which you know to be free of any deserialization-related vulnerabilities. The easiest way to whitelist types is by calling SafeYAML.whitelist!, which accepts a variable number of safe types.

If you add SafeYAML to your project and start seeing any errors about missing keys, or you notice mysterious strings that look like ":foo" (i.e., start with a colon), it's likely you're seeing errors from symbols being saved in YAML format.
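To make the options above, the whitelisting mechanism and the ":foo" symptom concrete, here is an added example that is not SafeYAML's own code: a small loader written on top of Psych's parse tree (Ruby's standard library only, so it runs without the gem installed). It mirrors the option names the page lists and, like SafeYAML.load, leaves the YAML module untouched. The module name MiniSafeYAML, the Point class, the SAMPLE document, the "!money" tag and the convention that a custom initializer lambda receives the already-parsed plain data are all assumptions made for this example; the real gem's internals differ.

```ruby
require "yaml"

# Added example, not SafeYAML's own code: objects are built only for tags that
# are built in or whitelisted; everything else stays plain Hash/Array/String data.
module MiniSafeYAML
  OPTIONS = {
    :safe                 => true,
    :deserialize_symbols  => false,
    :whitelisted_tags     => [],
    :custom_initializers  => {},
    :raise_on_unknown_tag => false
  }
  CORE = "tag:yaml.org,2002:"      # prefix of the core-schema tags (!!str, !!int, ...)
  class UnknownTagError < StandardError; end

  # Mirror of SafeYAML.whitelist!(Foo, Bar): trust "!ruby/object:Foo" for each class.
  def self.whitelist!(*classes)
    classes.each { |c| OPTIONS[:whitelisted_tags] << "!ruby/object:#{c.name}" }
  end

  # Options passed per call take precedence over the global OPTIONS.
  def self.load(yaml, options = {})
    opts = OPTIONS.merge(options)
    unless opts[:safe]               # :safe => false: unrestricted Psych, trusted input only
      return YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
    end
    doc = YAML.parse(yaml)           # node tree only; no Ruby objects are constructed here
    doc ? resolve(doc.root, opts) : nil
  end

  def self.trusted?(tag, opts)
    tag.start_with?(CORE) ||
      (tag == "!ruby/symbol" && opts[:deserialize_symbols]) ||
      opts[:whitelisted_tags].include?(tag) ||
      opts[:custom_initializers].key?(tag)
  end

  def self.resolve(node, opts)
    tag = node.tag
    if tag && !trusted?(tag, opts)
      raise UnknownTagError, "untrusted tag #{tag}" if opts[:raise_on_unknown_tag]
      tag = nil                      # default: drop the tag, keep the plain data
    end
    data = case node
           when Psych::Nodes::Scalar   then scalar(node, tag, opts)
           when Psych::Nodes::Sequence then node.children.map { |c| resolve(c, opts) }
           when Psych::Nodes::Mapping
             Hash[node.children.each_slice(2).map { |k, v| [resolve(k, opts), resolve(v, opts)] }]
           else raise UnknownTagError, "unsupported node #{node.class} (no alias support here)"
           end
    build(tag, data, opts)
  end

  # Implicit typing for plain scalars. ":foo" becomes a Symbol only when
  # :deserialize_symbols is on; otherwise it stays the literal string ":foo",
  # which is the colon-prefixed string the page's last paragraph describes.
  def self.scalar(node, tag, opts)
    v = node.value
    return v if node.quoted || tag == CORE + "str"
    case v
    when /\A-?\d+\z/      then Integer(v, 10)
    when /\A-?\d+\.\d+\z/ then Float(v)
    when "true"           then true
    when "false"          then false
    when "", "~", "null"  then nil
    when /\A:(\w+)\z/     then opts[:deserialize_symbols] ? $1.to_sym : v
    else v
    end
  end

  # Object construction happens only for tags that passed trusted?.
  def self.build(tag, data, opts)
    return data if tag.nil? || tag.start_with?(CORE)
    if (init = opts[:custom_initializers][tag])
      init.call(data)                # caller-supplied constructor receives the plain data
    elsif tag == "!ruby/symbol"
      data.to_sym
    else                             # whitelisted !ruby/object:Foo: allocate, then set ivars
      obj = Object.const_get(tag.sub("!ruby/object:", "")).allocate
      data.each { |k, val| obj.instance_variable_set("@#{k}", val) }
      obj
    end
  end
end

class Point; attr_reader :x, :y; end   # constructed type used for whitelisting

# Constructed document: a symbol-looking scalar, a tagged Ruby object and a custom tag.
SAMPLE = <<~YAML
  state: :pending
  origin: !ruby/object:Point { x: 1, y: 2 }
  price: !money 12.50 USD
YAML
MONEY = { "!money" => ->(s) { amount, cur = s.split; { amount: Float(amount), currency: cur } } }

# Defaults: tags are ignored, ":pending" stays a String, Point stays a Hash.
def load_defaults
  MiniSafeYAML.load(SAMPLE)
end

# Per-call options override the globals for this call only.
def load_with_options
  MiniSafeYAML.load(SAMPLE, :deserialize_symbols => true, :custom_initializers => MONEY,
                            :whitelisted_tags => ["!ruby/object:Point"])
end

# Paranoid mode: the first untrusted tag raises instead of being ignored.
def load_strict
  MiniSafeYAML.load(SAMPLE, :raise_on_unknown_tag => true)
rescue MiniSafeYAML::UnknownTagError => e
  e.message
end

# Global whitelist, as with SafeYAML.whitelist!: every later call trusts Point.
def load_after_whitelist
  MiniSafeYAML.whitelist!(Point)
  MiniSafeYAML.load(SAMPLE)
end

if $PROGRAM_NAME == __FILE__
  p load_defaults      # {"state"=>":pending", "origin"=>{"x"=>1, "y"=>2}, "price"=>"12.50 USD"}
  p load_with_options
  p load_strict        # "untrusted tag !ruby/object:Point"
end
```

With the defaults the Point mapping comes back as a plain Hash and the symbol as the string ":pending", which is exactly why a project that serialized symbols sees "missing key" errors after switching to a safe loader; turning on :deserialize_symbols per call fixes that one document without loosening the global setting, and :raise_on_unknown_tag turns silently degraded data into a loud failure.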