Eric Rafaloff

My personal blog on software development and security

From YAML Deserialization to RCE in Ruby on Rails Applications

It’s not uncommon for me to find unsafe YAML deserialization while reviewing Ruby on Rails applications. For those who aren’t familiar with the dangers of arbitrary YAML deserialization, the short of it is that deserializing YAML can lead to code execution. This is possible because YAML deserialization allocates a new Ruby object without initializing it, …

Introducing the Solidity Function Profiler

Static analyzers are good at detecting certain types of security vulnerabilities. However, one place that static analysis often falls short is in the detection of authorization bugs. This is because authorization tends to be a “business logic” problem. How would an analyzer know what functionality should be off-limits to normal users? One can infer based …

An Analysis of CVE-2017-5638

I just published some research I did with Gotham Digital Science on the recent Struts vulnerability, CVE-2017-5638. You can find that (rather long) post here, full of in-depth code review and an additional, lesser known attack vector: An Analysis of CVE-2017-5638

Regex Security Issues in Ruby

I see this kind of problem everywhere in the Ruby ecosystem, despite it being an old one. Consider the regular expression /^https?:\/\/[\S]+$/: So far so good. However, consider this: This matches our regex because /^ matches the beginning of a line and $/ matches the end of one. This poses a very common misunderstanding of …

Feature Flags with Rollout

Role-based authorization is a common requirement in modern web applications. In the Rails ecosystem, there are several great open source libraries that provide this (see devise’s roles, cancan, and rolify). Feature flagging is a little bit different from roles. Features can be flipped on and off regardless of a user’s state. This means that if we …