Actually YAML doesn't eval at all. The injection vector was YAML loading an 
arbitrary ruby type which evals a string property.

I imagine loading a StructuredThingy that eval'd one of its properties when 
constructed in Haskell would also yield the same vector.

The only design flaw was in allowing YAML user input, parsing it in a way 
that allowed materialising arbitrary types.


On Saturday, February 9, 2013 1:24:36 PM UTC+11, Mark Wotton wrote:
>
> On Sat, Feb 9, 2013 at 1:12 PM, Nicholas Jefferson 
> <[email protected]> wrote: 
> >> The point of what I wrote is that you cannot run arbitrary code, 
> >> because the type system forbids it. 
> > 
> > 
> > I can see how you could think that. You are wrong, however. 
> > 
> > Haskell can run arbitrary code [1], because the type system does not 
> > forbid it. 
> > 
> > [1] http://hackage.haskell.org/packages/archive/plugins/1.5.1.3/doc/html/System-Eval-Haskell.html
>
> Let us examine this type: 
>
>   eval :: Typeable a => String -> [Import] -> IO (Maybe a) 
>
> now, if you were to call eval on an arbitrary string, you would indeed 
> be running that code. 
>
> HOWEVER 
>
> in the context I mentioned, our putative parser had type 
>
>   parseThingy :: String -> Maybe StructuredThingy 
>
> parseThingy _cannot_ call eval, because eval has a type that ends with 
> IO (Maybe a). This is globally proven, unless you explicitly turn off 
> SafeHaskell, import System.IO.Unsafe, and deliberately call 
> unsafePerformIO, which in Haskell terms is the equivalent of Bruce 
> Willis's sandwich board scene in Die Hard With a Vengeance. This has 
> to be in library or app code, too: the attacker doesn't get to dictate 
> this. 
>
> What I hope I have shown here is that the ability to constrain 
> yourself locally is powerful, useful, and pretty much absent in Ruby. 
>
> cheers 
> mark 
>
> -- 
> A UNIX signature isn't a return address, it's the ASCII equivalent of a 
> black velvet clown painting. It's a rectangle of carets surrounding a 
> quote from a literary giant of weeniedom like Heinlein or Dr. Who. 
>         -- Chris Maeda 
>

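The vector the reply above describes, as an added example that is not part of this thread and not code from Ruby, Rails or Psych: a constructed class Expression whose Psych init_with hook evals its "source" property, a constructed YAML document that names that type, a load that trusts the document's tags and so builds the object (running the eval as a side effect of parsing), and YAML.safe_load refusing the same document. The names Expression, PAYLOAD, load_trusting and load_safely are assumptions made for the demonstration; the hook name init_with and Psych.safe_load / Psych.unsafe_load are real Psych API.

```ruby
require 'yaml'

# Constructed for this example, not a real library class: a type whose
# revival evals one of its own properties. Psych calls init_with(coder)
# when it revives a "!ruby/object:Expression" node, so the eval runs as a
# side effect of parsing, before any application code sees the object.
class Expression
  attr_reader :source, :result

  def init_with(coder)
    @source = coder['source']
    @result = eval(@source) # the document-controlled string reaches eval
  end
end

# Constructed YAML document of the kind user input could carry. The type
# is chosen by the document, not by the code that parses it.
PAYLOAD = <<~YAML
  --- !ruby/object:Expression
  source: "6 * 7"
YAML

# The trusting behaviour: materialise whatever tagged class the document
# names. Psych 4 made YAML.load safe by default and kept the old behaviour
# as YAML.unsafe_load, so use whichever entry point gives the trusting load.
def load_trusting(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# The fix the thread points at: parse in a way that cannot materialise
# arbitrary types. safe_load only builds core types (String, Integer,
# Array, Hash, ...) and rejects any !ruby/object tag it was not told to
# permit, before any constructor or init_with hook can run.
def load_safely(doc)
  YAML.safe_load(doc)
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  obj = load_trusting(PAYLOAD)
  puts "trusting parse built #{obj.class} and ran eval -> #{obj.result.inspect}"
  puts "safe parse -> #{load_safely(PAYLOAD).inspect}"
end
```

The point of the two loaders is where the decision about types lives: with load_trusting the YAML document decides which class is instantiated and the class decides what happens on construction, so the parser cannot be reasoned about locally; with load_safely the set of constructible types is fixed by the caller (safe_load's permitted_classes keyword extends it deliberately, one class at a time), which is the local constraint the quoted message is arguing for.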
-- 
You received this message because you are subscribed to the Google Groups "Ruby 
or Rails Oceania" group.