Use Psych.safe_load by default

[tenderlove]

Psych.load is not safe for use with untrusted data. Too many
applications make the mistake of using Psych.load with untrusted data
and that ends up with some kind of security vulnerability.

This commit changes the default Psych.load to use safe_load. Users
that want to parse trusted data can use Psych.unsafe_load.

Psych.load or YAML.load are susceptible to a Remote Code Execution (or RCE) flaw. The problem isn't with the load functions themselves, but they can be used to abuse other objects that are in the system to escalate to an RCE. This blog post goes in to details about how YAML can be used in conjunction with RubyGems to execute arbitrary code. If someone tries to load YAML from an untrusted source, bad actors could use this issue to execute arbitrary code in the target system.

Psych provides a method called "safe_load" which can't be used to launch such an attack. The proposal here is to change the default such that "load" is now "safe_load". Of course the drawback is that "safe_load" is much more limited than "load", and making this change could break existing code.

Also it's probably worth mentioning that the YAML load functions could be used with other objects in the system besides RubyGems to escalate to an RCE. Also worth mentioning that anything that can be used to load arbitrary objects (like Marshal.load) can be abused in the same way. So neither changing RubyGems nor changing to a different serialization scheme (like Marshal) would plug this hole.

[tenderlove]

For context, Psych.safe_load is more close to JSON loading. It doesn't support Symbols, Dates, Objects, references, etc. The only things it supports by default are:

• TrueClass
• FalseClass
• NilClass
• Numeric
• String
• Array
• Hash

[stevecrozz]

I support this change, but what do you plan to do with the version number? Feels like a major change.

[tenderlove]

I support this change, but what do you plan to do with the version number? Feels like a major change.

Yes, definitely major version change.

[SamSaffron]

I am extremely supportive of switching to safe by default, even going through a full rename dance here.

deprecate safe_load in favor of load
introduce unsafe_load

lol ... I just read the PR looks like you are very close already, only change I recommend adding is deprecating safe_load

[tenderlove]

lol ... I just read the PR looks like you are very close already, only change I recommend adding is deprecating safe_load

I've made load slightly different from safe_load. load allows all Symbols where safe_load doesn't. I'm not sure if it's a good idea or not. It's still possible for some symbols to never be garbage collected, but they have to go through a C extension that makes them that way. However, I suspect many (most?) people use symbols in their YAML and this would trip them up. It seems like a very rare issue, so maybe allowing symbols is "safe enough"? cc @evanphx

[SamSaffron]

It seems like a very rare issue, so maybe allowing symbols is "safe enough"?

Yeah sounds like at worst this is allowing some cascade of components to cause memory bloat. Enormously better place to be than RCE friendly by default.

I guess people like this kind of stuff and tend to use it?

---
:a: 1

One concern is that the "load" then is less cross compatible with other frameworks. :a: 1 in golang/js/rust will be treated as the string :a. Maybe load(str, allow_symbols: true) and disable by default? Not sure. Would be a far bigger breaking change.

[tenderlove]

One concern is that the "load" then is less cross compatible with other frameworks. 🅰️ 1 in golang/js/rust will be treated as the string :a.

That's true, but it's already the current behavior. For example:

YAML.load(<<-eostr)
---
:a: 1
eostr

The above code will result in the same data structure before and after this PR is merged. Allowing symbols is a compromise for compatibility / non-surprising behavior (as it's what people expect today). Also, interlanguage compatibility hasn't really been a priority for the library.

I'm leaning towards allowing symbols for YAML.load (but not YAML.safe_load) as I think that will give the best "backwards compatibility plus safety" bang for our buck.

[tenderlove]

hashie/hashie#473

[k0kubun]

+1 for the interface change.

How about releasing unsafe_* variants alone first though? Being able to explicitly rewrite load to safe_load or unsafe_load (where unsafe_ is really necessary) before switching the behavior of load would be useful to minimize the impact of breaking changes by the upgrade.

[tenderlove]

How about releasing unsafe_* variants alone first though? Being able to explicitly rewrite load to safe_load or unsafe_load (where unsafe_ is really necessary) before switching the behavior of load would be useful to minimize the impact of breaking changes by the upgrade.

Yes, that is a great idea. I will do it!

[tenderlove]

I shipped this in v4.0.0. Thanks!

[lzap]

Friday, our CI is red. Only if there was a better week day to push big releases out, hmmm 🤔

Well, a mistake in our Gemfile, we will fix it, and the code. Thank you for taking care of safety of all of us! Cheese, I mean, cheers! :-)