SUSE Hackweek Day 3 - (Not) Loading Objects in YAML::PP
Here's what I did on Thursday of the SUSE Hackweek.
Previous posts:
Perl Objects in YAML::Syck, YAML::XS and YAML.pm
Hopefully you know that loading untrusted YAML can be exploited when the feature of loading objects is enabled.
YAML::Syck has had
$YAML::Syck::LoadBlessed
for many years.
YAML::XS has $YAML::XS::LoadBlessed
since
v0.69 (2017), and YAML.pm has
$YAML::LoadBlessed
since v1.25 (2018).
They all default to true for backwards compatibility. However, we have been discussing that it would be good to change the default to false for security. We are not sure yet, when this will happen.
If you are using one of these modules and need the feature of loading objects, it's a good idea to set this option to true now!
YAML::PP
By default, YAML::PP doesn't load any perl types or objects. It only supports scalars, arrays and hashes.
To load scalar references, references of references, regular expressions and objects, you need to add the Perl Schema:
my $yp = YAML::PP->new( schema => [qw/ JSON Perl /] );
To enable also loading code refs:
my $yp = YAML::PP->new( schema => [qw/ JSON Perl +loadcode /] );
But sometimes you might want to load special perl types and only certain classes.
I added an option now that lets you do that. For that you have to instantiate the Perl Schema first:
my $perl = YAML::PP::Schema::Perl->new(
classes => [qw/ My::Class1 My::Class2 /],
);
my $yp = YAML::PP->new( schema => ['JSON', $perl] );
If you also want to enable loading code refs, you do it like this:
my $perl = YAML::PP::Schema::Perl->new(
classes => [qw/ My::Class1 My::Class2 /],
loadcode => 1,
);
my $yp = YAML::PP->new( schema => ['JSON', $perl] );
If the Loader encounters tags with unknown classes like this:
--- !perl/hash:Class::Not::Allowed
a: b
It will load this as a simple hash reference and throw away the class.
The same happens when dumping. An object like
my $object = bless { a => 'b' }, 'Class::Not::Allowed';
will end up as a simple hash:
---
a: b
If you pass an empty array ref for classes
, it will not load any objects,
but still supports scalar/ref references and regular expressions.
Leave a comment