I've actually never developed anything serious in Rails. I just don't like the framework, and the performance of Rails leaves a lot to be desired in my opinion. I'm a 100% Node.js convert these days.
But I do like the Rails convention of using YAML format and have adopted that in my own code as much as possible.
Yeah, I had read about that. One more reason not to send YAML over the wire. YAML makes great sense for your internal configuration files and internal data structures where you need comments and readability. YAML is perfectly safe here because chances are you aren't going to be exploiting yourself by putting malicious objects in your YAML.
But for over the wire communication, JSON makes more sense than YAML, not only because parsing unsafe YAML from an untrusted client could cause exploits like you mentioned, but also because YAML is dependent on indentation and line breaks, and therefore makes communication with the client side much more awkward than just sending JSON to the client or receiving JSON from it.
I believe the parent was referring to the many recent YAML-based vulnerabilities found in Rails (and elsewhere). He is basically saying, "You can use YAML -- if you don't care about injection vulnerabilities."
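The unsafe-YAML concern raised in the comments above, shown from the receiving side as an added example that is not part of the thread: Ruby's `YAML.safe_load` builds only plain scalars, arrays and hashes, and raises on object tags and aliases. The helper name, the `Constructed::Gadget` class name and the sample documents are assumptions made for illustration.

```ruby
require "yaml"

# Constructed sample inputs (not taken from the thread).
BENIGN    = "name: web\nport: 8080\n"
TAGGED    = "--- !ruby/object:Constructed::Gadget\nfield: value\n"
ALIASED   = "base: &b [1, 2]\ncopy: *b\n"
MALFORMED = "list: [1, 2\n"

# Hypothetical helper: parse YAML that arrived from an untrusted client.
# safe_load refuses to instantiate tagged Ruby objects and, by default,
# refuses aliases, so both fail closed instead of being deserialized.
def parse_untrusted_yaml(text)
  data = YAML.safe_load(text)
  # Accept only a mapping at the top level, as a config-style payload would be.
  return [:rejected, "top level must be a mapping"] unless data.is_a?(Hash)
  [:ok, data]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  [:rejected, "#{e.class}: #{e.message}"]
rescue Psych::SyntaxError => e
  [:rejected, "syntax error at line #{e.line}"]
end

# Show the verdict for each constructed document.
{ "benign" => BENIGN, "tagged" => TAGGED,
  "aliased" => ALIASED, "malformed" => MALFORMED }.each do |label, doc|
  status, detail = parse_untrusted_yaml(doc)
  puts "#{label}: #{status} (#{detail.inspect})"
end
```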