Brakeman

Ruby on Rails Static Analysis Security Tool

Remote Code Execution in YAML.Load

As seen in CVE-2013-0156, calling YAML.load with user input can lead to remote execution of arbitrary code. (To see a real point-and-fire exploit, see the Metasploit payload). While upgrading Rails, disabling XML parsing, or disabling YAML types in XML request parsing will fix the Rails vulnerability, manually passing user input to YAML.load remains unsafe.

For example:

# Do not do this! params[:file] is attacker-controlled, and YAML.load will
# instantiate whatever Ruby objects the document describes.
YAML.load(params[:file])
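The safe counterpart to the snippet above, as an added example that is not part of the original page: YAML.safe_load restricts the document to plain scalars, arrays and hashes, raises Psych::DisallowedClass on any tag that would instantiate a Ruby object, and with aliases: false also refuses anchors and aliases. The wrapper, its error class and the sample documents are constructed for this example.

```ruby
require "yaml"

# One error class for callers: rejected tags, aliases and malformed input
# are all just "bad untrusted input" to the rest of the application.
class UntrustedYamlError < StandardError; end

# Parse YAML that came from a request parameter or upload.
# Only classes listed in permitted_classes may be instantiated; by default none.
def load_untrusted_yaml(text, permitted_classes: [])
  YAML.safe_load(text, permitted_classes: permitted_classes, aliases: false)
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  # Psych::AliasesNotEnabled (Psych 4+) is a subclass of BadAlias, so it is covered.
  raise UntrustedYamlError, "rejected untrusted YAML: #{e.class}"
end

# Reduce the outcome to :ok / :rejected so it can be logged or counted
# by whatever monitoring the application already has.
def classify_untrusted_yaml(text)
  load_untrusted_yaml(text)
  :ok
rescue UntrustedYamlError
  :rejected
end

# Constructed sample inputs (not from the original page).
BENIGN_YAML = <<~YAML
  name: report
  limit: 10
YAML

# A document carrying an object tag: safe_load refuses it instead of
# constructing anything, which is exactly the behaviour YAML.load lacks.
TAGGED_YAML = "--- !ruby/object:Object {}\n"

# Anchors/aliases are refused as well, which also blocks alias-expansion tricks.
ALIAS_YAML = <<~YAML
  base: &b {x: 1}
  copy: *b
YAML

if __FILE__ == $PROGRAM_NAME
  p load_untrusted_yaml(BENIGN_YAML)
  [TAGGED_YAML, ALIAS_YAML, "a: [1, 2"].each { |doc| p classify_untrusted_yaml(doc) }
end
```

On Psych 4 (Ruby 3.1 and later) YAML.load is itself an alias for safe_load and the old permissive behaviour has moved to YAML.unsafe_load; on older Psych versions the explicit safe_load call is the only protection.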
