Rails and the Ruby community had their fair share of security vulnerabilities in the recent days. Where does that leave Padrino users?
In short: you are safe, unless you explicitly activated some form of parameter parsing that either parses YAML directly or uses XmlMini, whether when accepting requests or when parsing responses from backend sources.
Recently, several security issues have plagued the Rails community. The most dangerous is CVE-156, which is present in almost all Rails installations. Default Sinatra and Padrino installations are unaffected; see this discussion on the Sinatra mailing list for details. All hints given there apply to Padrino users as well.
If you are using any of the Rails components in question, either directly or through dependencies, you should upgrade them. The most important components in question are YAML (both Psych and Syck) and XmlMini. Popular projects using them are Rack::Parser (fixed) and Rack::PostBodyToParams. If you use the first: run bundle update and make sure you get version 0.2.0 or higher! Update: the same goes for rack-post-body-params (see the comments).
What are those attacks about and how can I validate my stack?
The safe_yaml README explains it very well. Basically, YAML.load allows you to instantiate arbitrary objects, which is the first step to running arbitrary code. Any code path leading to a YAML.load of untrusted (read: external) data is a potential vulnerability. This includes consuming data accepted from web services or parsing gemspecs.
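To make the difference concrete, here is an added example (not code from the Padrino project or the safe_yaml README) that loads the same two documents with a full YAML load and with Psych's restricted safe_load. The class AuditSetting and both documents are constructed for the demonstration; the tagged document stands in for any external input that names a Ruby class.

```ruby
require 'yaml'

# Constructed, harmless class standing in for any class on the load path.
class AuditSetting
  attr_accessor :name, :level
end

# Constructed sample of the kind of document that reaches YAML.load when a
# request body is parsed as YAML: a tag naming a Ruby class. Parsing it
# instantiates that class without the application ever asking for it.
UNTRUSTED_DOC = "--- !ruby/object:AuditSetting\nname: external\nlevel: 9\n".freeze

# Trusted local configuration: no tags, only strings and numbers.
TRUSTED_DOC = "---\nname: local\nlevel: 2\n".freeze

# Full YAML load. Psych 4 (Ruby 3.1+) made YAML.load safe by default and
# moved the old behaviour to YAML.unsafe_load, so use whichever exists.
def full_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Name of the class the full load produced; "Hash" for plain config,
# "AuditSetting" for the tagged document.
def class_from_full_load(doc)
  full_load(doc).class.name
end

# Restricted load: only basic scalars and collections are permitted.
# Returns the parsed data, or the name of the error raised for tagged input.
def restricted_load(doc)
  YAML.safe_load(doc)
rescue Psych::DisallowedClass, Psych::Exception => e
  e.class.name
end

if __FILE__ == $PROGRAM_NAME
  puts "full load, trusted:      #{class_from_full_load(TRUSTED_DOC)}"
  puts "full load, untrusted:    #{class_from_full_load(UNTRUSTED_DOC)}"
  puts "safe_load, trusted:      #{restricted_load(TRUSTED_DOC).inspect}"
  puts "safe_load, untrusted:    #{restricted_load(UNTRUSTED_DOC)}"
end
```

The point of the check is the second and fourth lines of output: the full load silently hands back an AuditSetting instance, while safe_load refuses with Psych::DisallowedClass. Any library in your stack that feeds external data to the full load is the place to look.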
To validate that you are safe, take the following steps:
- Make a list of all libraries that you are using to accept data – request parsers and web service clients are the most popular ones. Padrino does not silently activate any of them; all have been added by yourself.
- Check if any of those use YAML.load somewhere (a simple
- Check what is loaded: local configuration data is fine, external data is not.
- If you want to be on the safe side, see if your application runs well with safe_yaml.
- Check if you or any of those libraries have any dependency on XmlMini – if yes, upgrade XmlMini to at least 0.5.2.
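The second and last steps of that checklist are mechanical enough to script. The following added example (not part of the original post or of Padrino) walks a directory of gem sources for YAML.load/Psych.load calls and XmlMini references, and compares an XmlMini version against the 0.5.2 fix level named above. The two fixture files it writes into a temporary directory are constructed for the demonstration; point scan_sources at your real bundle path instead.

```ruby
require 'tmpdir'
require 'fileutils'
require 'rubygems'

# What the checklist asks about: a full YAML load of anything, and any
# reference to XmlMini. A hit only matters when the data is external, so
# each one still needs a look at where the input comes from.
PATTERNS = {
  'yaml_load' => /\bYAML\.load\b|\bPsych\.load\b/,
  'xmlmini'   => /\bXmlMini\b/
}.freeze

# Walks every .rb file under root and returns hits as
# [pattern_name, relative_path, line_number, stripped_line].
def scan_sources(root)
  hits = []
  Dir.glob(File.join(root, '**', '*.rb')).sort.each do |path|
    File.foreach(path).with_index(1) do |line, lineno|
      PATTERNS.each do |name, re|
        next unless line =~ re
        hits << [name, path.sub("#{root}/", ''), lineno, line.strip]
      end
    end
  end
  hits
end

# Fix level for XmlMini given in the post.
MIN_XMLMINI = Gem::Version.new('0.5.2')

def xmlmini_ok?(version_string)
  Gem::Version.new(version_string) >= MIN_XMLMINI
end

# Constructed fixture: two small "gems" in a temporary directory, one
# feeding a request body to YAML.load, one calling XmlMini.
def demo
  Dir.mktmpdir do |root|
    FileUtils.mkdir_p(File.join(root, 'body_parser', 'lib'))
    FileUtils.mkdir_p(File.join(root, 'xml_client', 'lib'))
    File.write(File.join(root, 'body_parser', 'lib', 'parser.rb'), <<~'RUBY')
      module BodyParser
        def self.call(body)
          YAML.load(body)   # external request body: needs review
        end
      end
    RUBY
    File.write(File.join(root, 'xml_client', 'lib', 'client.rb'), <<~'RUBY')
      require 'active_support/xml_mini'
      module XmlClient
        def self.parse(body)
          ActiveSupport::XmlMini.parse(body)
        end
      end
    RUBY
    scan_sources(root)
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, path, lineno, line| puts "#{name}\t#{path}:#{lineno}\t#{line}" }
  puts "XmlMini 0.5.1 ok? #{xmlmini_ok?('0.5.1')}"
  puts "XmlMini 0.5.2 ok? #{xmlmini_ok?('0.5.2')}"
end
```

For a real audit, run scan_sources against the output of bundle show --paths (one directory per gem) and treat every yaml_load hit on request or response data as the place to switch to a restricted load.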
Make your application ready for Padrino 0.11
While nothing of “upgrade now!” severity, the soon-to-be-released Padrino 0.11 contains a few important security additions, especially XSS-safe rendering using ActiveSupport::SafeBuffer. Test your application against the current master so that you can upgrade as soon as it is released.
A final word
Finally, I’d like to say thank you to all Rails contributors working on fixing the bugs that were found, and to the Rubygems team for fixing Rubygems.org as fast as they did. Also a big thank you to everyone who found those vulnerabilities.
One of our core Padrino members, DAddYE, has recently moved to San Francisco and joined Triggit as a developer. The Padrino core team has always been a very distributed team, with each of us living in a different place until recently.
Since Davide, Josh and I all live in the city now, we thought it would make sense to host our first meetup in San Francisco.
Triggit has graciously agreed to let us use their office for the meetup and to provide some food for you.
Come join us on Thursday, January 24th at 6:30pm to learn more about our plans for Padrino in the coming year as we continue our long journey to 1.0.
We will be talking about the upcoming Padrino 0.11 release, and we want to share our plans for Padrino 1.0, which aims to be a big step forward for us since it will focus on multi-threading, with a special emphasis on JRuby.
There are more cool things coming, like fully modularized templates, routes, etc.; stay tuned for more details.
We are excited about jump starting our development efforts again and would love everyone interested in Sinatra and Padrino to attend.
Please RSVP to the event so we can get a rough sense of the number of people attending. We look forward to seeing you there!