diff --git a/.rspec b/.rspec
index 49f7547503..7eb1831685 100644
--- a/.rspec
+++ b/.rspec
@@ -1,4 +1,2 @@
 --color
---fail-fast
---order random
 --profile
diff --git a/README.md b/README.md
index 0b7b9b19db..450c38ee51 100644
--- a/README.md
+++ b/README.md
@@ -30,24 +30,20 @@ Hoeven][plukevdh], and [Rein Henrichs][reinh].
 ## Announcements -RailsAdmin model configuration is now lazy loaded. +### [Action required] Security issue -```ruby -config.model 'Team' do - ... -end - -# or -class Team - rails_admin do - ... - end -end -``` +`RailsAdmin::Config::Fields::Types::Serialized#parse_input` was unsafe, because it was using the infamous `YAML#load`. + +To fix this, RailsAdmin now uses [safe_yaml](https://github.com/dtao/safe_yaml), with `enable_arbitrary_object_deserialization` and `suppress_warnings` on, for maximum compatibity with all existing apps. + +If you want to load safely YAML in your own app, you can use `YAML.load(something, safe: true)` + +If you use Serialized with RailsAdmin with non-totally-trusted users, your server is at risk. Update your gem to `> 0.4.3` (should be released any time soon) or to a [patched commit]() + +Rails3.0 and other branches may be at risk too, I strongly suggest to not use those any more. -won't load the Team model. +More information about the whole drama [here](https://github.com/tenderlove/psych/issues/119). -Incidentally, you are only allowed one configuration block per model. ## Features
diff --git a/lib/rails_admin/config/fields/types/serialized.rb b/lib/rails_admin/config/fields/types/serialized.rb
index 7c83307978..4186c89783 100644
--- a/lib/rails_admin/config/fields/types/serialized.rb
+++ b/lib/rails_admin/config/fields/types/serialized.rb
@@ -13,7 +13,7 @@ class Serialized < RailsAdmin::Config::Fields::Types::Text
 end
 def parse_input(params)
- params[name] = (params[name].blank? ? nil : YAML.load(params[name])) if params[name].is_a?(::String)
+ params[name] = (params[name].blank? ? nil : YAML.load(params[name], :safe => true)) if params[name].is_a?(::String)
 end
 end
 end
diff --git a/lib/rails_admin/engine.rb b/lib/rails_admin/engine.rb
index a6f8398cec..0874b4b7d3 100644
--- a/lib/rails_admin/engine.rb
+++ b/lib/rails_admin/engine.rb
@@ -9,6 +9,10 @@ require 'nested_form'
 require 'rails_admin'
+require 'safe_yaml'
+YAML.enable_arbitrary_object_deserialization!
+SafeYAML::OPTIONS[:suppress_warnings] = true
+
 module RailsAdmin
 class Engine < Rails::Engine
 isolate_namespace RailsAdmin
diff --git a/rails_admin.gemspec b/rails_admin.gemspec
index 7e7f75b760..76509e0007 100644
--- a/rails_admin.gemspec
+++ b/rails_admin.gemspec
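Review bot: The `:safe => true` option on the new `YAML.load` call in `parse_input` only takes effect when the safe_yaml gem has already been required, because it is safe_yaml's replacement of `YAML.load` that reads that option; with the stock Psych of this Rails 3.1 era the extra Hash is, as far as I can tell, accepted as the optional `filename` positional and the load silently stays unsafe. This file does not require safe_yaml itself — the `require 'safe_yaml'` is added in `engine.rb` — so any path that loads this file without the engine (a direct require, a spec exercising the field type on its own) gets the old behaviour with no error. Adding `require 'safe_yaml'` at the top of this file, or calling an entry point that exists only once the gem is loaded (safe_yaml's `SafeYAML.load(params[name])`, if the pinned version provides it, raises NameError when the gem is absent), turns a silent fallback into a loud failure. The enclosing class `Serialized` starts outside the hunk.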
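Review bot: The three lines added to `engine.rb` rewrite process-wide SafeYAML state at require time: `YAML.enable_arbitrary_object_deserialization!` keeps the host application's own `YAML.load` calls on unsafe deserialization by default, and `SafeYAML::OPTIONS[:suppress_warnings] = true` silences the gem's warning about exactly that for the whole process, not just for this engine. An application that had already configured a safe default before loading RailsAdmin has it overridden with no signal, and its authors lose the warning that would tell them which of their own loads are unsafe. The README hunk says this is a deliberate compatibility choice, so at minimum the intent should be stated where the state is mutated, e.g. `# Leave the host app's YAML.load default untouched (unsafe); Serialized#parse_input opts into :safe => true explicitly`, and I would consider leaving `suppress_warnings` alone so the host still sees the gem's warning. The `module RailsAdmin` body continues outside the hunk.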
@@ -3,19 +3,20 @@ require File.expand_path('../lib/rails_admin/version', __FILE__)
 Gem::Specification.new do |spec|
 # If you add a dependency, please maintain alphabetical order
- spec.add_dependency 'nested_form', '~> 0.3'
- spec.add_dependency 'sass-rails', '~> 3.1'
 spec.add_dependency 'bootstrap-sass', '~> 2.2'
- spec.add_dependency 'font-awesome-sass-rails', ['~> 3.0', '>= 3.0.0.1']
- spec.add_dependency 'jquery-ui-rails', '~> 3.0'
 spec.add_dependency 'builder', '~> 3.0'
 spec.add_dependency 'coffee-rails', '~> 3.1'
+ spec.add_dependency 'font-awesome-sass-rails', ['~> 3.0', '>= 3.0.0.1']
 spec.add_dependency 'haml', '~> 3.1'
 spec.add_dependency 'jquery-rails', '~> 2.1'
+ spec.add_dependency 'jquery-ui-rails', '~> 3.0'
 spec.add_dependency 'kaminari', '~> 0.14'
+ spec.add_dependency 'nested_form', '~> 0.3'
 spec.add_dependency 'rack-pjax', '~> 0.6'
 spec.add_dependency 'rails', '~> 3.1'
 spec.add_dependency 'remotipart', '~> 1.0'
+ spec.add_dependency 'safe_yaml', '~> 0.6'
+ spec.add_dependency 'sass-rails', '~> 3.1'
 spec.authors = ["Erik Michaels-Ober", "Bogdan Gaza", "Petteri Kaapa", "Benoit Benezech"]
 spec.description = %q{RailsAdmin is a Rails engine that provides an easy-to-use interface for managing your data.}
 spec.email = ['sferik@gmail.com', 'bogdan@cadmio.org', 'petteri.kaapa@gmail.com']