Is this line: https://github.com/curationexperts/riiif/blob/master/app/controllers/riiif/images_controller.rb#L69-L71
Allowing client-set query params to choose the name of the Ruby class that will get loaded and have methods called on it?
Is this wise, security-wise? It potentially allows loading any class at all that's in your load path, and then having riiif call the methods it's going to call on it. In most cases, that'll be a NoMethodError. But it reminds me of the YAML vulnerability from allowing arbitrary non-trusted-user-specified classes to be instantiated and then have methods called on them. It seems like a bad idea.
I understand the hypothetical use case for a configurable model class (although if it's never been used by anyone and is only hypothetical, it may not be necessary either). I do not understand the use case for client-specified arbitrary model class.
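A minimal illustration of the pattern this issue describes beside an allowlist alternative, as an added example and not riiif's own code: the two model classes, the `model` query parameter name and the lookup helpers are assumptions made for this example.

```ruby
# Added example (not riiif's code): resolving a client-controlled class name
# versus mapping the client value through a fixed allowlist of permitted classes.

# Two stand-in model classes, constructed for this example.
class Image
  def initialize(id) = @id = id
  def to_s = "Image(#{@id})"
end

class Thumbnail
  def initialize(id) = @id = id
  def to_s = "Thumbnail(#{@id})"
end

# Unsafe: the "model" query param names any constant Ruby can resolve in the
# load path, not only image models, and riiif would then call methods on it.
def unsafe_model_for(params)
  Object.const_get(params.fetch("model", "Image"))
end

# Safe: the client value is only a key into a fixed map of permitted classes;
# anything outside the map is rejected before any class is loaded.
MODEL_ALLOWLIST = { "image" => Image, "thumbnail" => Thumbnail }.freeze

class UnknownModel < ArgumentError; end

def safe_model_for(params)
  key = params.fetch("model", "image")
  MODEL_ALLOWLIST.fetch(key) { raise UnknownModel, "model not permitted: #{key.inspect}" }
end

# Returns true when the allowlist refuses a value, false when it resolves.
def rejected?(params)
  safe_model_for(params)
  false
rescue UnknownModel
  true
end
```

The unsafe variant resolves whatever the client names; the allowlist variant turns the same request into an error without touching the constant table.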