YAML Security

As you’re probably aware, the recent serious vulnerability in the Ruby on Rails framework was caused by the way YAML loading works in Ruby: YAML.load will instantiate whatever Ruby objects the document names in its tags, so parsing YAML from an untrusted source lets the sender construct objects inside your process.

As Locale both loads the YAML files you send us and sends back content which you then load into your application via YAML, this affects us more than most Rails applications: YAML from outside is parsed on both ends of the exchange.

On learning of the vulnerability we immediately applied the patch so that we wouldn’t be affected by the Rails bug.

We then checked the content in the database for any potentially insecure YAML and thankfully found none.

The next step was to audit the code everywhere we accept YAML input and ensure that potentially insecure content is never loaded by Ruby.

This was all implemented and deployed before the first exploits became widely available, and we’ll continue to monitor the content we receive to make sure there are no problems.

We’ve updated the localeapp gem so that it won’t load anything that looks suspicious. This has been released as version 0.6.9, which you should update to as soon as you can.
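As an added example (this is not code from the original post or from the localeapp gem; the class LocaleEntry and the three YAML inputs are constructed for illustration), the following shows what a permissive loader does with a tagged document and two checks of the kind the audit described above calls for: a scan of the parsed document tree that refuses any `!ruby/...` tag before anything is turned into Ruby objects, and conversion through Psych.safe_load, which only ever builds plain scalars, arrays and hashes. Psych.safe_load did not yet exist when this post was written, so on a Ruby that old the tag scan is the only one of the two checks available.

```ruby
require 'psych'

# Stand-in for some class that exists in the loading application. Any class
# reachable by name can be named in a YAML tag; this one is constructed for
# the demo and is not part of localeapp.
class LocaleEntry
  attr_reader :key
end

# Constructed input: the shape a translation file is expected to have.
BENIGN_YAML = <<~YAML
  en:
    greeting: Hello
    farewell: Goodbye
YAML

# Constructed input: a document whose root mapping carries a Ruby object tag.
# A permissive loader allocates a LocaleEntry and sets @key instead of
# returning a Hash.
TAGGED_YAML = <<~YAML
  --- !ruby/object:LocaleEntry
  key: greeting
YAML

# Constructed input: the tag is buried inside an otherwise normal file, so a
# check that only inspects the top-level node would miss it.
NESTED_YAML = <<~YAML
  en:
    greeting: !ruby/sym Hello
YAML

# The permissive path: Psych.load before Psych 4, Psych.unsafe_load afterwards
# (Psych 4, shipped with Ruby 3.1, made Psych.load safe by default).
def permissive_load(yaml)
  Psych.respond_to?(:unsafe_load) ? Psych.unsafe_load(yaml) : Psych.load(yaml)
end

# Check 1: walk the parse tree before any Ruby object is built and collect
# every !ruby/... tag, wherever it sits in the document.
def ruby_tags(yaml)
  doc = Psych.parse(yaml) # Psych::Nodes::Document, or false for empty input
  return [] unless doc
  doc.each.map(&:tag).compact.select { |tag| tag.start_with?('!ruby/') }
end

# Check 2: refuse tagged documents up front, then convert only with
# safe_load, which raises Psych::DisallowedClass for any class it would have
# to instantiate. Even if the scan were bypassed, no class gets built.
def safe_load_locale(yaml)
  tags = ruby_tags(yaml)
  raise ArgumentError, "refusing YAML with Ruby tags: #{tags.join(', ')}" unless tags.empty?
  Psych.safe_load(yaml, permitted_classes: [], aliases: false)
end

# True when safe_load on its own (no tag scan) refuses the document.
def safe_load_rejects?(yaml)
  Psych.safe_load(yaml, permitted_classes: [], aliases: false)
  false
rescue Psych::DisallowedClass
  true
end

if $PROGRAM_NAME == __FILE__
  obj = permissive_load(TAGGED_YAML)
  puts "permissive load built a #{obj.class} with key=#{obj.key.inspect}"
  puts "tags found in nested input: #{ruby_tags(NESTED_YAML).inspect}"
  puts "safe load of benign input: #{safe_load_locale(BENIGN_YAML).inspect}"
  begin
    safe_load_locale(TAGGED_YAML)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The scan runs on the Psych::Nodes tree rather than on the raw text, so a tag cannot be hidden behind quoting or flow style, and it reports which tags were found so that rejected content can be logged and monitored as the post describes.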

This entry was posted in LocaleApp.