Given the current Rails security alerts going around, I’m looking at securing applications for a few apps. Most of them barely make use of the XML/JSON parsing and when they do it’s to integrate specific pages or hooks with a 3rd party service.
I’ve seen the ability to delete default parsers to turn the functionality off completely, but is there a way to enable it / whitelist it on specific routes that may be protected by http basic auth or some other means? That would at least require somebody attempting to exploit these types of vulnerabilities to know the specific locations where it’s enabled.
The primary risk of the current XML/YAML parse vulnerability has to do with the callbacks that give you richer re-serialization for objects. So one possible way to do this is to just use the lower level APIs that give you parse trees for the XML/YAML, but don’t do any hydration beyond Ruby scalars (strings, numbers, hashes, etc). If that doesn’t work for you, using a parser like Yajl or, in many cases, just upgrading to the latest versions of the gems, is sufficient to allow parsing to remain on.
Also, the primary risk of the parsing is in the parameter parsing, not response parsing. Response parsing (especially if you can trust the service, and communicate via a secure channel), is a much lower risk since you can control when and where it happens.