File: safe_yaml

package info (click to toggle)
ruby-safe-yaml 1.0.5-1
  • links: PTS, VCS
  • area: main
  • in suites: bullseye
  • size: 356 kB
  • sloc: ruby: 2,060; sh: 30; makefile: 8
file content (73 lines) | stat: -rwxr-xr-x 2,014 bytes parent folder | download | duplicates (5)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
#!/usr/bin/env ruby

require 'optparse'
require 'safe_yaml/load'

options = {}
option_parser = OptionParser.new do |opts|
  opts.banner = "Usage: safe_yaml [options]"

  opts.on("-f", "--file=<path>", "Parse the given YAML file, dump the result to STDOUT") do |file|
    options[:file] = file
  end

  opts.on("--libyaml-check", "Check for libyaml vulnerability CVE-2014-2525 on your system") do
    options[:libyaml_check] = true
  end
end

option_parser.parse!

def report_libyaml_ok
  puts "\e[32mGood news! You definitely have either a patched or up-to-date libyaml version :)\e[39m"
end

def check_for_overflow_bug
  YAML.load("--- !#{' ' * 100}")
  report_libyaml_ok
end

def perform_libyaml_check(force=false)
  unless SafeYAML::LibyamlChecker.libyaml_version_ok?
    warn <<-EOM.gsub(/^  /, '  ')

      \e[33mSafeYAML Warning\e[39m
      \e[33m----------------\e[39m

      \e[31mYou may have an outdated version of libyaml (#{SafeYAML::LibyamlChecker::LIBYAML_VERSION}) installed on your system.\e[39m

      Prior to 0.1.6, libyaml is vulnerable to a heap overflow exploit from malicious YAML payloads.

      For more info, see:
      https://www.ruby-lang.org/en/news/2014/03/29/heap-overflow-in-yaml-uri-escape-parsing-cve-2014-2525/
    EOM
  end

  puts <<-EOM.gsub(/^  /, '  ')

    Hit Enter to check if your version of libyaml is vulnerable. This will run a test \e[31mwhich may crash\e[39m
    \e[31mthe current process\e[39m. If it does, your system is vulnerable and you should do something about it.

    Type "nm" and hit Enter if you don't want to run the check.

    See the project wiki for more info:

    https://github.com/dtao/safe_yaml/wiki/The-libyaml-vulnerability
  EOM

  if STDIN.readline.chomp("\n") != 'nm'
    check_for_overflow_bug
  end
end

if options[:libyaml_check]
  perform_libyaml_check(options[:force_libyaml_check])

elsif options[:file]
  yaml = File.read(options[:file])
  result = SafeYAML.load(yaml)
  puts result.inspect

else
  puts option_parser.help
end