If everyone is really going to take the route of "My X Framework is fine b/c nothing's been reported" then I'd like to contribute these links showing vulnerability breakdowns...

* Rails: http://www.cvedetails.com/product/22568/Rubyonrails-Ruby-On-Rails.html?vendor_id=12043

* Django: http://www.cvedetails.com/product/18211/Djangoproject-Django.html?vendor_id=10199

* CodeIgniter: http://www.cvedetails.com/product/11625/Codeigniter-Codeigniter.html?vendor_id=6918

* Top 50 Products (Better stop using these too! /s): http://www.cvedetails.com/top-50-products.php
Would it ever be possible to have a self-updating framework?

As in, I use Rails to develop web applications. In the past months, I've had to painstakingly go back to every single app I've ever worked on, and manually update it in whatever minor way it needed updating. Now, I'm going to do that again.

If you consider that I'm going to continue to build Rails applications, the number of apps I will have to update every time a security vulnerability comes out will be larger and larger. For a framework that prides itself on sane defaults, it doesn't seem quite sane to have to worry about taking down, updating, and then relaunching every app you ever had when one of these vulnerabilities comes out.

I don't mean updating a Rails 2.3 app to 3.2 automatically, just applying these security patches automatically, or prompting the user to do so. Our operating systems do it, our IDEs do it, our programs do it, why can't a framework? I'm not saying it would be easy, but I'm sick of having to be subscribed to these email groups just to start the manual process of fixing everything.
I have remote code execution working when YAML syck parser is being used. I've also got RCE working when psych is used (default in 1.9.x) using a similar trick to syck.
It appears that some versions of Rails parsed JSON by first converting it to YAML then performing YAML.load.

I think they wanted a JSON parser but they didn't want to write one. So they basically just wrote:

    YAML.load(json.gsub(/awesomeregex/, "awesomereplace"))
The only meaningful take-away from these continued security vulnerabilities is you shouldn't ever let a rails project you maintain ossify to the extent that you can't easily/safely run "bundle update", commit, and deploy.

(Didn't expect to post this comment twice today, JFC)
Can someone explain the security issue in more detail? Is it that I can supply Symbols (and other Ruby objects) in my YAML, which normally can't be included in JSON? That seems to be the basis of it, but I'm looking for more info if available.
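Added example (mine, not from any commenter in this thread, and not Rails's own JSON code) illustrating the two comments above: a real JSON parser can only ever produce strings, numbers, booleans, nil, arrays and hashes, whereas feeding the same bytes to a permissive YAML loader lets the YAML grammar decide what comes out, and plain YAML already maps unquoted `:foo` to a Ruby Symbol. The two input documents are constructed; `YAML.unsafe_load` is assumed to exist (Psych 3.3+; on Psych 4, shipped with Ruby 3.1+, `YAML.load` is already the restricted loader, which is why the example falls back to it on older versions), and the helper names are my own.

```ruby
require 'yaml'
require 'json'

# Constructed inputs. The first is ordinary JSON; the second is the same
# data written as block YAML with the value left unquoted as ":admin",
# which YAML reads as a Ruby Symbol rather than a String.
JSON_DOC = '{"name": "admin"}'.freeze
YAML_DOC = "name: :admin\n".freeze

# A real JSON parser: only JSON's own value types can come out, and
# anything that is not JSON is rejected outright.
def parse_json(doc)
  JSON.parse(doc)
rescue JSON::ParserError
  :rejected
end

# The permissive YAML loader. On Psych 4 (Ruby 3.1+) YAML.load is already
# the restricted loader, so use unsafe_load there to reproduce the
# historical behaviour being discussed; older Psych only has YAML.load.
def parse_yaml_permissive(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# The restricted YAML loader: Symbol, like every other Ruby class beyond
# the basic scalars and collections, is refused unless explicitly
# permitted by the caller.
def parse_yaml_safe(doc, permitted: [])
  YAML.safe_load(doc, permitted_classes: permitted)
rescue Psych::DisallowedClass
  :rejected
end

# Reduces a parse result to the class of the "name" value (or :rejected)
# so the three loaders can be compared side by side.
def value_class(result)
  result == :rejected ? :rejected : result['name'].class
end

if __FILE__ == $0
  [JSON_DOC, YAML_DOC].each do |doc|
    puts doc.inspect
    puts "  JSON.parse      -> #{value_class(parse_json(doc)).inspect}"
    puts "  YAML permissive -> #{value_class(parse_yaml_permissive(doc)).inspect}"
    puts "  YAML safe_load  -> #{value_class(parse_yaml_safe(doc)).inspect}"
  end
end
```

On the JSON document all three loaders agree (a String). On the YAML document `JSON.parse` rejects the input as not being JSON at all, the permissive loader hands back a Symbol, and `safe_load` refuses with `Psych::DisallowedClass` unless Symbol is explicitly permitted. That gap between "what JSON can express" and "what the YAML loader will happily construct" is the thing to keep out of a request-parsing path: parse JSON with a JSON parser, and when YAML is genuinely needed, use `safe_load` with an explicit allow-list.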
Null terminated strings are simple to understand and convenient to work with...until they can be exploited.

Non-bounds-checked arrays are fast and convenient to work with...until they can be exploited.

Database queries using interpolated strings are flexible and convenient to work with...until they can be exploited.

Serialization formats that can encode arbitrary objects are useful and convenient to work with...until they can be exploited.

...and the collective wisdom of the programming world continues its relentless, gradual, monotonic increase.
There have been a lot of Rails bugs coming up lately; why are so many being found at this particular point in time? Who's finding them and what's spurred their interest?
Hmm, I'm curious about the story behind this vulnerability NOT existing in 3.1 and 3.2. How the heck did it get fixed in 3.1 and 3.2, but still exist in 3.0 and 2.3? It was accidentally fixed in 3.1? It was fixed on purpose in 3.1, but it didn't occur to the fixer to backport to 3.0 and 2.3? Eh?
I wonder if it's worth someone putting together a Kickstarter so that all of these Rails-dependent startups can crowd-finance hiring some penetration test firms to do a thorough audit of the entire Rails codebase?
So who is hosting the rails security update party this time?

Is there some magic command I am missing to update all rails projects I've ever worked on automatically?

"gem super-update-everything"
Why is it only Rails issues that seem to be so popular on HN?

Is it the lovers wanting to spread the word for their Rails colleagues using it?

Or is it the haters enjoying the schadenfreude?

No other framework seems to get as much publicity on HN whenever something goes wrong.
The smell of late night coffee, having to update Ruby on Fails yet again, or better, the colder more bitter coffee in the morning, when having to offline and rebuild a compromised server due to this framework.

It started with such promise, and now, we are looking to migrate all Rails apps off to alternative frameworks at the first opportunity. It really is a shame.