
Fix unsafe binary to term #69

Closed
wants to merge 5 commits into from

Conversation

waltfy
Contributor

@waltfy waltfy commented Aug 17, 2020

This change fixes a Remote Code Execution vulnerability, which was detected by @p-.. Instead of using the potentially unsafe :erlang.binary_to_term/2, we instead use Plug.Crypto.non_executable_binary_to_term/2 — this is effectively a drop-in replacement that throws an exception when it detects unsafe terms, preventing its execution.

TODO:

  • Release version 0.6.1
    • Update CHANGELOG.md
  • Create a Security Advisory for paginator
    • See guide on how to create the security advisory here
  • Release patches for the previous versions of paginator

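The before/after swap the PR describes, as an added example that is not paginator's own code: `CursorDemo`, its function names, and the cursor format (URL-safe base64 over an Erlang term binary) are assumptions made here, and the script pulls in the `plug_crypto` package via `Mix.install/1`.

```elixir
# Added example, not paginator's own code. Requires the plug_crypto package;
# Mix.install/1 fetches it when this is run as a script (Elixir 1.12+).
Mix.install([{:plug_crypto, "~> 1.2"}])

defmodule CursorDemo do
  # Hypothetical cursor format assumed here: a URL-safe base64 encoding of an
  # Erlang term binary, the shape a binary_to_term decode path works on.
  def encode(term), do: term |> :erlang.term_to_binary() |> Base.url_encode64(padding: false)

  # Before the fix: :erlang.binary_to_term/2 rebuilds any term it is handed.
  # [:safe] only blocks new atoms and unknown external funs, so an anonymous
  # function embedded in the cursor still comes back as a callable value.
  def decode_before(cursor) do
    cursor |> Base.url_decode64!(padding: false) |> :erlang.binary_to_term([:safe])
  end

  # After the fix: Plug.Crypto.non_executable_binary_to_term/2 walks the decoded
  # term and raises ArgumentError when it finds a function, so nothing callable
  # is ever returned to the caller.
  def decode_after(cursor) do
    cursor
    |> Base.url_decode64!(padding: false)
    |> Plug.Crypto.non_executable_binary_to_term([:safe])
  end
end

# A legitimate cursor round-trips through both decoders.
cursor = CursorDemo.encode(%{id: 42, inserted_at: ~N[2020-08-17 17:11:00]})
%{id: 42} = CursorDemo.decode_before(cursor)
%{id: 42} = CursorDemo.decode_after(cursor)

# A cursor carrying a function, constructed here from a harmless closure, shows
# the difference: the old decoder hands back a fun, the new one refuses the input.
tainted = CursorDemo.encode(fn -> :should_never_run end)
true = is_function(CursorDemo.decode_before(tainted))

result =
  try do
    {:ok, CursorDemo.decode_after(tainted)}
  rescue
    e in ArgumentError -> {:error, e.message}
  end

{:error, _message} = result
IO.puts("non_executable_binary_to_term rejected the cursor that carried a function")
```

The pattern matches act as the regression check the PR's commit message describes: the script fails loudly if the hardened decoder ever returns a callable term.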
@waltfy waltfy self-assigned this Aug 17, 2020
@waltfy waltfy force-pushed the waltfy/fix-unsafe-binary-to-term branch from 83aec31 to b1a7e9d Compare August 17, 2020 17:11
@waltfy waltfy added the bug label Aug 17, 2020
In this commit we introduce a test that ensures that an error is thrown
and that we do not execute the Remote Code Execution (RCE) function.
@waltfy waltfy force-pushed the waltfy/fix-unsafe-binary-to-term branch from b1a7e9d to 0dcd533 Compare August 17, 2020 17:18
Walter Carvalho added 4 commits August 17, 2020 18:28
Plug.Crypto contains a function non_executable_binary_to_term/2, which
raises if it detects an executable term such as an anonymous function.

We will use this to prevent remote code execution.
Instead of using :erlang.binary_to_term we'll use
Plug.Crypto.non_executable_binary_to_term/2 which only deserializes
non-executable terms.
@waltfy waltfy force-pushed the waltfy/fix-unsafe-binary-to-term branch from 0dcd533 to e38524a Compare August 17, 2020 17:31
@waltfy waltfy closed this Aug 17, 2020
@waltfy waltfy deleted the waltfy/fix-unsafe-binary-to-term branch August 17, 2020 17:33
maartenvanvliet added a commit to maartenvanvliet/quarto that referenced this pull request Nov 25, 2020