
Security issue with Catalyst::Action::REST
Hi!

I raised this on IRC a few days back. Basically, using
Data::Serializer through Catalyst::Action::REST takes the input data
and evals it. However, there is no checking on the input data, which
means arbitrary code could be executed. I tested with putting a
"die()" as input and this gets run.

mst suggested using Data::Pond instead, but this didn't support undef
and also was erroring with some of my data structures. mst also
suggested not patching Data::Serializer as that would break other
applications.

Instead, I've patched Catalyst::Action::Deserialize::Data::Serializer
so that if the serializer is Data::Dumper, pass it through a Safe
compartment instead. This limits the input to JSON-like input in perl
style which I guess is the most you would use REST input as.

I'm guessing that all Catalyst::Action::REST instances have this issue
as the default map allows Data::Serializer to get invoked. The begin
action could get called before authentication routines, which means
that any cat app using this module is exposed.

Can you please confirm if this patch is a suitable one. Are there any
other holes left open?

Ton
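For readers who want to see what "pass it through a Safe compartment" looks like in practice, here is an added example; it is not the patch attached to this thread and not Catalyst::Action::REST's or Data::Serializer's own code. It contrasts the bare string eval the thread describes with a Safe-based deserializer. The extra deny list (bless, tie, dbm ops) and the unary-plus handling of bodies that start with "{" are this example's own choices, and the two request bodies are constructed samples, not real traffic.

```perl
#!/usr/bin/env perl
# Added example, not code from Catalyst::Action::REST or Data::Serializer:
# deserialise a Data::Dumper-style request body inside a Safe compartment.
use strict;
use warnings;
use Safe;

# The pattern described in the thread: the Data::Dumper backend hands the
# request body straight to a string eval, so any Perl in the body runs
# with the application's privileges. Shown for contrast only.
sub unsafe_deserialize {
    my ($body) = @_;
    return eval $body;    # never use with untrusted input
}

# Hardened variant: compile and run the body in a Safe compartment.
# The compartment's default operator mask (:default) already denies
# file, process, socket and module-loading opcodes (open, system,
# backticks, require, entereval, ...). Data::Dumper output for plain
# data never needs bless or tie, so those are denied as well (this
# deny list is the example's own choice): clients then cannot create
# objects or tied variables through the deserializer.
sub safe_deserialize {
    my ($body) = @_;
    my $cpt = Safe->new;
    $cpt->deny(qw(bless tie untie dbmopen dbmclose));

    # A body beginning with "{" would parse as a bare block rather than
    # an anonymous hash; the unary plus forces expression context.
    my $code = $body =~ /^\s*\{/ ? "+$body" : $body;

    # No 'use strict' inside the compartment, so the usual "$VAR1 = ..."
    # form resolves; $VAR1 lives in the compartment's own namespace.
    my $data = $cpt->reval($code);
    return (undef, "deserialization failed: $@") if $@;
    return ($data, undef);
}

# --- constructed sample bodies (not captured traffic) ----------------------
# Plain data, including undef (which the thread notes Data::Pond lacked).
my $plain_body = <<'END';
$VAR1 = {
  'name'  => 'widget',
  'tags'  => [ 'a', 'b' ],
  'owner' => undef,
};
END

# Same shape but asking the server to instantiate an object.
my $object_body = q{$VAR1 = bless( { 'x' => 1 }, 'Some::Class' );};

for my $body ($plain_body, $object_body) {
    my ($data, $err) = safe_deserialize($body);
    if ($err) {
        print "rejected: $err";    # $@ already ends with a newline
    }
    else {
        print "accepted: name=$data->{name} tags=@{ $data->{tags} }\n";
    }
}
```

Running it, the first body is accepted and the hashref is returned to the caller as ordinary data; the second is rejected with Safe's "trapped by operation mask" error rather than being executed. Note that die() itself is an allowed opcode inside the compartment, so a body that calls it is still evaluated, but reval traps the exception into $@ and the application never sees it as a crash; the compartment's value is in what it refuses to compile, not in catching errors.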
Re: Security issue with Catalyst::Action::REST
Ton Voon wrote on 09/01/2010 05:24 AM:

> Instead, I've patched Catalyst::Action::Deserialize::Data::Serializer so
> that if the serializer is Data::Dumper, pass it through a Safe
> compartment instead. This limits the input to JSON-like input in perl
> style which I guess is the most you would use REST input as.

What if the serializer is Data::Dump, et al.? I.e., is the special check
for Data::Dumper echoing some other, similar test in the module or in
Catalyst core?


--
Peter Karman . http://peknet.com/ . peter@peknet.com

_______________________________________________
Catalyst-dev mailing list
Catalyst-dev@lists.scsys.co.uk
http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst-dev
Re: Security issue with Catalyst::Action::REST
On 1 Sep 2010, at 19:46, Peter Karman wrote:

> Ton Voon wrote on 09/01/2010 05:24 AM:
>
>> Instead, I've patched
>> Catalyst::Action::Deserialize::Data::Serializer so
>> that if the serializer is Data::Dumper, pass it through a Safe
>> compartment instead. This limits the input to JSON-like input in perl
>> style which I guess is the most you would use REST input as.
>
> What if the serializer is Data::Dump, et al.? I.e., is the special
> check
> for Data::Dumper echoing some other, similar test in the module or in
> Catalyst core?
>

I'm not sure what you mean.

Data::Serializer is a front end to other serializers: http://search.cpan.org/~neely/Data-Serializer-0.49/lib/Data/Serializer.pm

Data::Dump is not one of the serializers available, though I guess
that doesn't preclude it from being included in future.

Data::Denter looks like some YAML type format, Data::Taxi is based on
an XML like structure, FreezeThaw is some variable only structure,
PHP::Serialization is PHP strings, Storable doesn't include code,
XML::Dumper/XML::Simple are XML based and YAML is YAML.

So I think Data::Dumper is the only serialization that could execute
other code based on blindly eval'ing input.

Ton
Re: Security issue with Catalyst::Action::REST
Ton Voon wrote on 09/01/2010 03:51 PM:

> So I think Data::Dumper is the only serialization that could execute
> other code based on blindly eval'ing input.

ok, I see what you mean. Thanks for clarifying.

--
Peter Karman . http://peknet.com/ . peter@peknet.com
Re: Security issue with Catalyst::Action::REST
On 1 Sep 2010, at 11:24, Ton Voon wrote:

> <catalyst_action_rest_safe_eval_data_dumper.patch>

Thanks, applied as ef81163, will be in a release shortly.

Cheers
t0m