Ruby Regular Expressions – Security Risk
This post is a half reminder to elaborate when I have free time... But in short, there is nothing wrong with Ruby regular expressions, except that they behave differently than one might expect (in general and if coming from Perl RegEx).
Here is the dealy, from the Programming Ruby book by Dave Thomas:
The patterns ^ and $ match the beginning and end of a line, respectively. These are often
used to anchor a pattern match: for example, /^option/ matches the word option only if it
appears at the start of a line. The sequence \A matches the beginning of a string, and \z and
\Z match the end of a string.
All sounds good right? Well, it turns out that Ruby will execute code within a regular expression if you can pass multi-line input to the parser. For example... Given
class EmailAttachment < ActiveRecord::Base validates_format_of :attachment, :with => /^[\w\.\-\+]+$/ end
You can easily pass in
attachment.txt%0A<script>alert('open_sesame')</script>which is converted (as %0A is a URL encoded new line), by ROR, into
"attachment.txt\n<script>alert('open_sesame')</script>"You can think about the implications of this, feel free... I have been able to have some fun with my own personal site and getting arbitrary JavaScript and (worse) shell commands to execute. Also, I believe this may cause a larger security whole within routes for Rails (at least 2.1.0). I'll investigate this more later, as the beginning of this post says.
Ephekt/Mike Rose/Smasher5
- commit "clean up and simplify substring function" on "code4fun" http://t.co/C4rIDWjO
- #anybeat gets acquired (silently)... 2 weeks to clear out. https://t.co/4FdvTxVM
- Just testing my broadcasting system. Mind the gap.
- Coders: Got an OkCupid account? Wrote a Sinatra app to turn the browsing experience into a visually pleasing one git: http://t.co/VSp2foxg
- Slickity. You can now follow some of my bo.lt's over at http://t.co/923A6OD1 not too shabby, @getbolt
- Why does Hyundai own the domain readwith.us? I needed that one to add to my collection. Back to the drawing boards. :\
- Real-time numerical graphing with Graphite... http://t.co/JbNZ2CN2 damn this thing looks cool.
- @dtran320 best fix i've seen in a while. well done, sir. way to keep 'em honest.
- The social web works. @getbolt thank for the invite(s). I'm in. I'm bo.lt'in
- @getbolt I really hope you'll get my account rolling soon. I need to save some pages and share them. mfrosengarten@gmail.com plz plz plz
Sections
- Benchmark (2)
- Blog Updates (1)
- Code (25)
- CSS (1)
- Designs (3)
- email (3)
- Entrepreneurship (1)
- Hardware (3)
- Information (23)
- JavaScript (3)
- Jokes and Stuff (3)
- Learning (4)
- Mac OSX (2)
- PHP (3)
- Redis (1)
- Resque (1)
- Ruby (7)
- Ruby on Rails (16)
- Software (14)
Archives
- April 2012 (2)
- March 2012 (1)
- February 2012 (1)
- January 2012 (2)
- November 2011 (1)
- October 2011 (1)
- August 2011 (5)
- July 2011 (4)
- June 2011 (1)
- May 2011 (2)
- March 2011 (1)
- February 2011 (1)
- January 2011 (3)
- December 2010 (1)
- October 2010 (3)
- September 2010 (1)
- July 2010 (1)
- April 2010 (1)
- February 2010 (1)
- September 2009 (1)
- August 2009 (4)
- July 2009 (2)
- March 2009 (1)
- February 2009 (2)
- November 2008 (1)
- October 2008 (1)
- September 2007 (4)