Rails and the Ruby community have had their fair share of security vulnerabilities in recent days. Where does that leave Padrino users?
In short: you are safe, unless you explicitly activated some form of parameter parsing that either parses YAML directly or uses XmlMini, whether when accepting requests or when parsing responses from backend sources.
Several security issues have recently plagued the Rails community. The most dangerous is CVE-156, which is present in almost all Rails installations. Default Sinatra and Padrino are unaffected; see this discussion on the Sinatra mailing list for details. All advice given there applies to Padrino users as well.
If you are using any of the Rails components in question, either directly or through dependencies, you should upgrade them. The most important components in question are the YAML parsers (both Psych and Syck) and XmlMini. Popular projects using them are Rack::Parser (fixed) and Rack::PostBodyToParams. If you use the first, run bundle update and make sure you get version 0.2.0 or higher! Update: the same goes for rack-post-body-params (see the comments).
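One way to check whether a project's lockfile still resolves rack-parser to a version below the 0.2.0 minimum named above. This is an added example, not code from the original post or from the rack-parser project; it parses the Gemfile.lock format with a plain regex, the lockfile excerpt is constructed for the example, and the minimum-version table only carries the one threshold the post gives (other gems can be added by the reader).

```ruby
require "rubygems"

# Minimum version the post names for rack-parser. The post gives no version
# for rack-post-body-params, so nothing is assumed for it here.
MINIMUM_VERSIONS = {
  "rack-parser" => Gem::Version.new("0.2.0"),
}.freeze

# Constructed Gemfile.lock excerpt (not from any real project) that still
# pins an unpatched rack-parser.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      padrino-core (0.10.7)
        rack (>= 1.4.0)
      rack (1.4.1)
      rack-parser (0.1.3)
        rack
      sinatra (1.3.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    padrino-core
    rack-parser
LOCK

# Lines of the form "    name (x.y.z)" (exactly four leading spaces) are the
# resolved gem versions in the specs section; the deeper-indented lines are
# dependency requirements and are ignored.
SPEC_LINE = /\A {4}([\w.-]+) \(([^)\s]+)\)\z/

# Returns { "name" => Gem::Version } for every gem resolved in the lockfile.
def resolved_versions(lock_text)
  lock_text.each_line.with_object({}) do |line, versions|
    match = SPEC_LINE.match(line.chomp)
    versions[match[1]] = Gem::Version.new(match[2]) if match
  end
end

# Returns [[name, installed, minimum], ...] for each gem in `minimums` that the
# lockfile resolves to a version below its minimum. Gems absent from the
# lockfile are not reported: they are not installed, so there is nothing to
# upgrade.
def outdated_gems(lock_text, minimums = MINIMUM_VERSIONS)
  resolved = resolved_versions(lock_text)
  minimums.each_with_object([]) do |(name, minimum), report|
    installed = resolved[name]
    next if installed.nil? || installed >= minimum
    report << [name, installed.to_s, minimum.to_s]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Pass a path to a real Gemfile.lock, or run without arguments for the sample.
  lock = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  outdated_gems(lock).each do |name, installed, minimum|
    puts "#{name}: locked at #{installed}, need >= #{minimum}"
  end
end
```

Gem::Version does the comparison, so pre-release and multi-digit components compare the way Bundler compares them rather than as strings.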
The safe_yaml README explains it very well. Basically, YAML.load allows you to instantiate arbitrary objects, which is the first step to running arbitrary code. Any code path leading to a YAML.load of untrusted (read: external) data is a potential vulnerability. This includes consuming data accepted from web services or parsing Gemspecs.
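To make the difference concrete, the following added example (not code from the post, the safe_yaml gem or the Psych project) loads the same two documents with Psych's unrestricted loader and with its built-in YAML.safe_load, which is a different tool from the safe_yaml gem the post recommends but enforces the same idea: only plain data and explicitly permitted classes get constructed. The Setting class and both YAML documents are constructed for the example, and the keyword form of safe_load assumes Psych 3.1 or newer (Ruby 2.6+).

```ruby
require "yaml"

# A small class standing in for any class on the load path; constructed for
# this example.
class Setting
  attr_accessor :key, :value
end

# Constructed input: the kind of document a backend service might send.
PLAIN_DOC = <<~YAML
  name: padrino
  version: "0.11"
  tags: [web, ruby]
YAML

# Constructed input carrying a Ruby object tag. Under the unrestricted loader
# the tag names the class to instantiate and the mapping fills its instance
# variables, which is the behaviour the safe_yaml README warns about.
TAGGED_DOC = <<~YAML
  --- !ruby/object:Setting
  key: debug
  value: true
YAML

# The unrestricted loader. Psych 4 (Ruby 3.1+) made YAML.load safe by default
# and moved the old behaviour to YAML.unsafe_load; on older Psych, YAML.load
# itself is the unrestricted one. Kept here only so the contrast is
# observable; never point it at external data.
def unrestricted_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Loader for untrusted input: only core scalar and collection types plus the
# explicitly permitted classes are constructed; any other tag raises
# Psych::DisallowedClass. Aliases are disabled as well, since plain data
# documents do not need them.
def restricted_load(doc, permitted_classes: [])
  YAML.safe_load(doc, permitted_classes: permitted_classes, aliases: false)
end

# Wraps restricted_load so a caller gets a result tuple instead of an
# exception: [:ok, data] or [:rejected, exception_class_name].
def load_untrusted(doc, permitted_classes: [])
  [:ok, restricted_load(doc, permitted_classes: permitted_classes)]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  [:rejected, e.class.name]
end

if __FILE__ == $PROGRAM_NAME
  p load_untrusted(PLAIN_DOC)      # plain data comes back as a Hash
  p load_untrusted(TAGGED_DOC)     # object tag is rejected
  p unrestricted_load(TAGGED_DOC)  # the legacy loader builds a Setting
end
```

The permitted_classes list is the right place for the few value classes a service genuinely exchanges (Date or Time, say); a class that is allowed there is still instantiated from attacker-supplied attributes, so it must be one whose instance variables cannot trigger behaviour on load.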
To validate that you are safe, take the following steps:
While nothing of “upgrade now!” severity, the soon-to-be-released Padrino 0.11 contains a few important security additions, especially XSS-safe rendering using ActiveSupport::SafeBuffer. Test your application against the current master so that you can upgrade as soon as it is released.
Finally, I’d like to say thank you to all Rails contributors working on fixing the found bugs, and to the Rubygems team for fixing Rubygems.org as fast as they did. Also a big thank you to everyone who found those vulnerabilities.