cloudsmith-api 0.53.3 → 0.53.17

data/vendor/bundle/ruby/2.6.0/gems/safe_yaml-1.0.5/spec/safe_yaml_spec.rb

@@ -1,731 +0,0 @@
-require "spec_helper"
-
-describe YAML do
-  def safe_load_round_trip(object, options={})
-    yaml = object.to_yaml
-    if SafeYAML::YAML_ENGINE == "psych"
-      YAML.safe_load(yaml, nil, options)
-    else
-      YAML.safe_load(yaml, options)
-    end
-  end
-
-  before :each do
-    # Need to require this here (as opposed to somewhere up higher in the file)
-    # to ensure that safe_yaml isn't loaded and therefore YAML isn't monkey-
-    # patched, for tests that require only safe_yaml/load.
-    require "safe_yaml"
-    require "exploitable_back_door"
-
-    SafeYAML.restore_defaults!
-  end
-
-  after :each do
-    SafeYAML.restore_defaults!
-  end
-
-  describe "unsafe_load" do
-    if SafeYAML::YAML_ENGINE == "psych" && RUBY_VERSION >= "1.9.3"
-      it "allows exploits through objects defined in YAML w/ !ruby/hash via custom :[]= methods" do
-        backdoor = YAML.unsafe_load("--- !ruby/hash:ExploitableBackDoor\nfoo: bar\n")
-        expect(backdoor).to be_exploited_through_setter
-      end
-
-      it "allows exploits through objects defined in YAML w/ !ruby/object via the :init_with method" do
-        backdoor = YAML.unsafe_load("--- !ruby/object:ExploitableBackDoor\nfoo: bar\n")
-        expect(backdoor).to be_exploited_through_init_with
-      end
-    end
-
-    it "allows exploits through objects w/ sensitive instance variables defined in YAML w/ !ruby/object" do
-      backdoor = YAML.unsafe_load("--- !ruby/object:ExploitableBackDoor\nfoo: bar\n")
-      expect(backdoor).to be_exploited_through_ivars
-    end
-
-    context "with special whitelisted tags defined" do
-      before :each do
-        SafeYAML::whitelist!(OpenStruct)
-      end
-
-      it "effectively ignores the whitelist (since everything is whitelisted)" do
-        result = YAML.unsafe_load <<-YAML.unindent
-          --- !ruby/object:OpenStruct 
-          table: 
-            :backdoor: !ruby/object:ExploitableBackDoor 
-              foo: bar
-        YAML
-
-        expect(result).to be_a(OpenStruct)
-        expect(result.backdoor).to be_exploited_through_ivars
-      end
-    end
-  end
-
-  describe "safe_load" do
-    it "does NOT allow exploits through objects defined in YAML w/ !ruby/hash" do
-      object = YAML.safe_load("--- !ruby/hash:ExploitableBackDoor\nfoo: bar\n")
-      expect(object).not_to be_a(ExploitableBackDoor)
-    end
-
-    it "does NOT allow exploits through objects defined in YAML w/ !ruby/object" do
-      object = YAML.safe_load("--- !ruby/object:ExploitableBackDoor\nfoo: bar\n")
-      expect(object).not_to be_a(ExploitableBackDoor)
-    end
-
-    context "for YAML engine #{SafeYAML::YAML_ENGINE}" do
-      if SafeYAML::YAML_ENGINE == "psych"
-        let(:options) { nil }
-        let(:arguments) { ["foo: bar", nil, options] }
-
-        context "when no tags are whitelisted" do
-          it "constructs a SafeYAML::PsychHandler to resolve nodes as they're parsed, for optimal performance" do
-            expect(Psych::Parser).to receive(:new).with an_instance_of(SafeYAML::PsychHandler)
-            # This won't work now; we just want to ensure Psych::Parser#parse was in fact called.
-            YAML.safe_load(*arguments) rescue nil
-          end
-        end
-
-        context "when whitelisted tags are specified" do
-          let(:options) {
-            { :whitelisted_tags => ["foo"] }
-          }
-
-          it "instead uses Psych to construct a full tree before examining the nodes" do
-            expect(Psych).to receive(:parse)
-            # This won't work now; we just want to ensure Psych::Parser#parse was in fact called.
-            YAML.safe_load(*arguments) rescue nil
-          end
-        end
-      end
-
-      if SafeYAML::YAML_ENGINE == "syck"
-        it "uses Syck internally to parse YAML" do
-          expect(YAML).to receive(:parse).with("foo: bar")
-          # This won't work now; we just want to ensure YAML::parse was in fact called.
-          YAML.safe_load("foo: bar") rescue nil
-        end
-      end
-    end
-
-    it "loads a plain ol' YAML document just fine" do
-      result = YAML.safe_load <<-YAML.unindent
-        foo:
-          number: 1
-          boolean: true
-          nil: ~
-          string: Hello, there!
-          symbol: :blah
-          sequence:
-            - hi
-            - bye
-      YAML
-
-      expect(result).to eq({
-        "foo" => {
-          "number"   => 1,
-          "boolean"  => true,
-          "nil"      => nil,
-          "string"   => "Hello, there!",
-          "symbol"   => ":blah",
-          "sequence" => ["hi", "bye"]
-        }
-      })
-    end
-
-    it "works for YAML documents with anchors and aliases" do
-      result = YAML.safe_load <<-YAML
-        - &id001 {}
-        - *id001
-        - *id001
-      YAML
-
-      expect(result).to eq([{}, {}, {}])
-    end
-
-    it "works for YAML documents with binary tagged keys" do
-      result = YAML.safe_load <<-YAML
-        ? !!binary >
-          Zm9v
-        : "bar"
-        ? !!binary >
-          YmFy
-        : "baz"
-      YAML
-
-      expect(result).to eq({"foo" => "bar", "bar" => "baz"})
-    end
-
-    it "works for YAML documents with binary tagged values" do
-      result = YAML.safe_load <<-YAML
-        "foo": !!binary >
-          YmFy
-        "bar": !!binary >
-          YmF6
-      YAML
-
-      expect(result).to eq({"foo" => "bar", "bar" => "baz"})
-    end
-
-    it "works for YAML documents with binary tagged array values" do
-      result = YAML.safe_load <<-YAML
-        - !binary |-
-          Zm9v
-        - !binary |-
-          YmFy
-      YAML
-
-      expect(result).to eq(["foo", "bar"])
-    end
-
-    it "works for YAML documents with sections" do
-      result = YAML.safe_load <<-YAML
-        mysql: &mysql
-          adapter: mysql
-          pool: 30
-        login: &login
-          username: user
-          password: password123
-        development: &development
-          <<: *mysql
-          <<: *login
-          host: localhost
-      YAML
-
-      expect(result).to eq({
-        "mysql" => {
-          "adapter" => "mysql",
-          "pool"    => 30
-        },
-        "login" => {
-          "username" => "user",
-          "password" => "password123"
-        },
-        "development" => {
-          "adapter"  => "mysql",
-          "pool"     => 30,
-          "username" => "user",
-          "password" => "password123",
-          "host"     => "localhost"
-        }
-      })
-    end
-
-    it "correctly prefers explicitly defined values over default values from included sections" do
-      # Repeating this test 100 times to increase the likelihood of running into an issue caused by
-      # non-deterministic hash key enumeration.
-      100.times do
-        result = YAML.safe_load <<-YAML
-          defaults: &defaults
-            foo: foo
-            bar: bar
-            baz: baz
-          custom:
-            <<: *defaults
-            bar: custom_bar
-            baz: custom_baz
-        YAML
-
-        expect(result["custom"]).to eq({
-          "foo" => "foo",
-          "bar" => "custom_bar",
-          "baz" => "custom_baz"
-        })
-      end
-    end
-
-    it "works with multi-level inheritance" do
-      result = YAML.safe_load <<-YAML
-        defaults: &defaults
-          foo: foo
-          bar: bar
-          baz: baz
-        custom: &custom
-          <<: *defaults
-          bar: custom_bar
-          baz: custom_baz
-        grandcustom: &grandcustom
-          <<: *custom
-      YAML
-
-      expect(result).to eq({
-        "defaults"    => { "foo" => "foo", "bar" => "bar", "baz" => "baz" },
-        "custom"      => { "foo" => "foo", "bar" => "custom_bar", "baz" => "custom_baz" },
-        "grandcustom" => { "foo" => "foo", "bar" => "custom_bar", "baz" => "custom_baz" }
-      })
-    end
-
-    it "returns false when parsing an empty document" do
-      expect([
-        YAML.safe_load(""),
-        YAML.safe_load("     "),
-        YAML.safe_load("\n")
-      ]).to eq([false, false, false])
-    end
-
-    it "returns nil when parsing a single value representing nil" do
-      expect([
-        YAML.safe_load("~"),
-        YAML.safe_load("null")
-      ]).to eq([nil, nil])
-    end
-
-    context "with custom initializers defined" do
-      before :each do
-        if SafeYAML::YAML_ENGINE == "psych"
-          SafeYAML::OPTIONS[:custom_initializers] = {
-            "!set" => lambda { Set.new },
-            "!hashiemash" => lambda { Hashie::Mash.new }
-          }
-        else
-          SafeYAML::OPTIONS[:custom_initializers] = {
-            "tag:yaml.org,2002:set" => lambda { Set.new },
-            "tag:yaml.org,2002:hashiemash" => lambda { Hashie::Mash.new }
-          }
-        end
-      end
-
-      it "will use a custom initializer to instantiate an array-like class upon deserialization" do
-        result = YAML.safe_load <<-YAML.unindent
-          --- !set
-          - 1
-          - 2
-          - 3
-        YAML
-
-        expect(result).to be_a(Set)
-        expect(result.to_a).to match_array([1, 2, 3])
-      end
-
-      it "will use a custom initializer to instantiate a hash-like class upon deserialization" do
-        result = YAML.safe_load <<-YAML.unindent
-          --- !hashiemash
-          foo: bar
-        YAML
-
-        expect(result).to be_a(Hashie::Mash)
-        expect(result.to_hash).to eq({ "foo" => "bar" })
-      end
-    end
-
-    context "with special whitelisted tags defined" do
-      before :each do
-        SafeYAML::whitelist!(OpenStruct)
-
-        # Necessary for deserializing OpenStructs properly.
-        SafeYAML::OPTIONS[:deserialize_symbols] = true
-      end
-
-      it "will allow objects to be deserialized for whitelisted tags" do
-        result = YAML.safe_load("--- !ruby/object:OpenStruct\ntable:\n  foo: bar\n")
-        expect(result).to be_a(OpenStruct)
-        expect(result.instance_variable_get(:@table)).to eq({ "foo" => "bar" })
-      end
-
-      it "will not deserialize objects without whitelisted tags" do
-        result = YAML.safe_load("--- !ruby/hash:ExploitableBackDoor\nfoo: bar\n")
-        expect(result).not_to be_a(ExploitableBackDoor)
-        expect(result).to eq({ "foo" => "bar" })
-      end
-
-      it "will not allow non-whitelisted objects to be embedded within objects with whitelisted tags" do
-        result = YAML.safe_load <<-YAML.unindent
-          --- !ruby/object:OpenStruct 
-          table: 
-            :backdoor: !ruby/object:ExploitableBackDoor 
-              foo: bar
-        YAML
-
-        expect(result).to be_a(OpenStruct)
-        expect(result.backdoor).not_to be_a(ExploitableBackDoor)
-        expect(result.backdoor).to eq({ "foo" => "bar" })
-      end
-
-      context "with the :raise_on_unknown_tag option enabled" do
-        before :each do
-          SafeYAML::OPTIONS[:raise_on_unknown_tag] = true
-        end
-
-        after :each do
-          SafeYAML.restore_defaults!
-        end
-
-        it "raises an exception if a non-nil, non-whitelisted tag is encountered" do
-          expect {
-            YAML.safe_load <<-YAML.unindent
-              --- !ruby/object:Unknown
-              foo: bar
-            YAML
-          }.to raise_error
-        end
-
-        it "checks all tags, even those within objects with trusted tags" do
-          expect {
-            YAML.safe_load <<-YAML.unindent
-              --- !ruby/object:OpenStruct
-              table:
-                :backdoor: !ruby/object:Unknown
-                  foo: bar
-            YAML
-          }.to raise_error
-        end
-
-        it "does not raise an exception as long as all tags are whitelisted" do
-          result = YAML.safe_load <<-YAML.unindent
-            --- !ruby/object:OpenStruct
-            table:
-              :backdoor:
-                string: foo
-                integer: 1
-                float: 3.14
-                symbol: :bar
-                date: 2013-02-20
-                array: []
-                hash: {}
-          YAML
-
-          expect(result).to be_a(OpenStruct)
-          expect(result.backdoor).to eq({
-            "string"  => "foo",
-            "integer" => 1,
-            "float"   => 3.14,
-            "symbol"  => :bar,
-            "date"    => Date.parse("2013-02-20"),
-            "array"   => [],
-            "hash"    => {}
-          })
-        end
-
-        it "does not raise an exception on the non-specific '!' tag" do
-          result = nil
-          expect { result = YAML.safe_load "--- ! 'foo'" }.to_not raise_error
-          expect(result).to eq("foo")
-        end
-
-        context "with whitelisted custom class" do
-          class SomeClass
-            attr_accessor :foo
-          end
-          let(:instance) { SomeClass.new }
-
-          before do
-            SafeYAML::whitelist!(SomeClass)
-            instance.foo = 'with trailing whitespace: '
-          end
-
-          it "does not raise an exception on the non-specific '!' tag" do
-            result = nil
-            expect { result = YAML.safe_load(instance.to_yaml) }.to_not raise_error
-            expect(result.foo).to eq('with trailing whitespace: ')
-          end
-        end
-      end
-    end
-
-    context "when options are passed direclty to #load which differ from the defaults" do
-      let(:default_options) { {} }
-
-      before :each do
-        SafeYAML::OPTIONS.merge!(default_options)
-      end
-
-      context "(for example, when symbol deserialization is enabled by default)" do
-        let(:default_options) { { :deserialize_symbols => true } }
-
-        it "goes with the default option when it is not overridden" do
-          silence_warnings do
-            expect(YAML.load(":foo: bar")).to eq({ :foo => "bar" })
-          end
-        end
-
-        it "allows the default option to be overridden on a per-call basis" do
-          silence_warnings do
-            expect(YAML.load(":foo: bar", :deserialize_symbols => false)).to eq({ ":foo" => "bar" })
-            expect(YAML.load(":foo: bar", :deserialize_symbols => true)).to eq({ :foo => "bar" })
-          end
-        end
-      end
-
-      context "(or, for example, when certain tags are whitelisted)" do
-        let(:default_options) {
-          {
-            :deserialize_symbols => true,
-            :whitelisted_tags => SafeYAML::YAML_ENGINE == "psych" ?
-              ["!ruby/object:OpenStruct"] :
-              ["tag:ruby.yaml.org,2002:object:OpenStruct"]
-          }
-        }
-
-        it "goes with the default option when it is not overridden" do
-          result = safe_load_round_trip(OpenStruct.new(:foo => "bar"))
-          expect(result).to be_a(OpenStruct)
-          expect(result.foo).to eq("bar")
-        end
-
-        it "allows the default option to be overridden on a per-call basis" do
-          result = safe_load_round_trip(OpenStruct.new(:foo => "bar"), :whitelisted_tags => [])
-          expect(result).to eq({ "table" => { :foo => "bar" } })
-
-          result = safe_load_round_trip(OpenStruct.new(:foo => "bar"), :deserialize_symbols => false, :whitelisted_tags => [])
-          expect(result).to eq({ "table" => { ":foo" => "bar" } })
-        end
-      end
-    end
-  end
-
-  describe "unsafe_load_file" do
-    if SafeYAML::YAML_ENGINE == "psych" && RUBY_VERSION >= "1.9.3"
-      it "allows exploits through objects defined in YAML w/ !ruby/hash via custom :[]= methods" do
-        backdoor = YAML.unsafe_load_file "spec/exploit.1.9.3.yaml"
-        expect(backdoor).to be_exploited_through_setter
-      end
-    end
-
-    if SafeYAML::YAML_ENGINE == "psych" && RUBY_VERSION >= "1.9.2"
-      it "allows exploits through objects defined in YAML w/ !ruby/object via the :init_with method" do
-        backdoor = YAML.unsafe_load_file "spec/exploit.1.9.2.yaml"
-        expect(backdoor).to be_exploited_through_init_with
-      end
-    end
-
-    it "allows exploits through objects w/ sensitive instance variables defined in YAML w/ !ruby/object" do
-      backdoor = YAML.unsafe_load_file "spec/exploit.1.9.2.yaml"
-      expect(backdoor).to be_exploited_through_ivars
-    end
-  end
-
-  describe "safe_load_file" do
-    it "does NOT allow exploits through objects defined in YAML w/ !ruby/hash" do
-      object = YAML.safe_load_file "spec/exploit.1.9.3.yaml"
-      expect(object).not_to be_a(ExploitableBackDoor)
-    end
-
-    it "does NOT allow exploits through objects defined in YAML w/ !ruby/object" do
-      object = YAML.safe_load_file "spec/exploit.1.9.2.yaml"
-      expect(object).not_to be_a(ExploitableBackDoor)
-    end
-    
-    it "returns false when parsing an empty file" do
-      expect(YAML.safe_load_file("spec/issue49.yml")).to eq(false)
-    end
-  end
-
-  describe "load" do
-    let(:options) { {} }
-
-    let (:arguments) {
-      if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
-        ["foo: bar", nil, options]
-      else
-        ["foo: bar", options]
-      end
-    }
-
-    context "as long as a :default_mode has been specified" do
-      it "doesn't issue a warning for safe mode, since an explicit mode has been set" do
-        SafeYAML::OPTIONS[:default_mode] = :safe
-        expect(Kernel).not_to receive(:warn)
-        YAML.load(*arguments)
-      end
-
-      it "doesn't issue a warning for unsafe mode, since an explicit mode has been set" do
-        SafeYAML::OPTIONS[:default_mode] = :unsafe
-        expect(Kernel).not_to receive(:warn)
-        YAML.load(*arguments)
-      end
-    end
-
-    context "when the :safe options is specified" do
-      let(:safe_mode) { true }
-      let(:options) { { :safe => safe_mode } }
-
-      it "doesn't issue a warning" do
-        expect(Kernel).not_to receive(:warn)
-        YAML.load(*arguments)
-      end
-
-      it "calls #safe_load if the :safe option is set to true" do
-        expect(YAML).to receive(:safe_load)
-        YAML.load(*arguments)
-      end
-
-      context "when the :safe option is set to false" do
-        let(:safe_mode) { false }
-
-        it "calls #unsafe_load if the :safe option is set to false" do
-          expect(YAML).to receive(:unsafe_load)
-          YAML.load(*arguments)
-        end
-      end
-    end
-
-    it "issues a warning when the :safe option is omitted" do
-      silence_warnings do
-        expect(Kernel).to receive(:warn)
-        YAML.load(*arguments)
-      end
-    end
-
-    it "only issues a warning once (to avoid spamming an app's output)" do
-      silence_warnings do
-        expect(Kernel).to receive(:warn).once
-        2.times { YAML.load(*arguments) }
-      end
-    end
-
-    it "defaults to safe mode if the :safe option is omitted" do
-      silence_warnings do
-        expect(YAML).to receive(:safe_load)
-        YAML.load(*arguments)
-      end
-    end
-
-    context "with the default mode set to :unsafe" do
-      before :each do
-        SafeYAML::OPTIONS[:default_mode] = :unsafe
-      end
-
-      it "defaults to unsafe mode if the :safe option is omitted" do
-        silence_warnings do
-          expect(YAML).to receive(:unsafe_load)
-          YAML.load(*arguments)
-        end
-      end
-
-      it "calls #safe_load if the :safe option is set to true" do
-        expect(YAML).to receive(:safe_load)
-        YAML.load(*(arguments + [{ :safe => true }]))
-      end
-    end
-  end
-
-  describe "load_file" do
-    let(:filename) { "spec/exploit.1.9.2.yaml" } # doesn't really matter
-
-    it "issues a warning if the :safe option is omitted" do
-      silence_warnings do
-        expect(Kernel).to receive(:warn)
-        YAML.load_file(filename)
-      end
-    end
-
-    it "doesn't issue a warning as long as the :safe option is specified" do
-      expect(Kernel).not_to receive(:warn)
-      YAML.load_file(filename, :safe => true)
-    end
-
-    it "defaults to safe mode if the :safe option is omitted" do
-      silence_warnings do
-        expect(YAML).to receive(:safe_load_file)
-        YAML.load_file(filename)
-      end
-    end
-
-    it "calls #safe_load_file if the :safe option is set to true" do
-      expect(YAML).to receive(:safe_load_file)
-      YAML.load_file(filename, :safe => true)
-    end
-
-    it "calls #unsafe_load_file if the :safe option is set to false" do
-      expect(YAML).to receive(:unsafe_load_file)
-      YAML.load_file(filename, :safe => false)
-    end
-
-    context "with arbitrary object deserialization enabled by default" do
-      before :each do
-        SafeYAML::OPTIONS[:default_mode] = :unsafe
-      end
-
-      it "defaults to unsafe mode if the :safe option is omitted" do
-        silence_warnings do
-          expect(YAML).to receive(:unsafe_load_file)
-          YAML.load_file(filename)
-        end
-      end
-
-      it "calls #safe_load if the :safe option is set to true" do
-        expect(YAML).to receive(:safe_load_file)
-        YAML.load_file(filename, :safe => true)
-      end
-    end
-
-    it "handles files starting with --- (see issue #48)" do
-      expect(YAML.load_file("spec/issue48.txt", :safe => true)).to eq({
-        "title" => "Blah",
-        "key"   => "value"
-      })
-    end
-
-    it "handles content starting with --- (see issue #48)" do
-      yaml = File.read("spec/issue48.txt")
-      expect(YAML.load(yaml, :safe => true)).to eq({
-        "title" => "Blah",
-        "key"   => "value"
-      })
-    end
-  end
-
-  describe "whitelist!" do
-    context "not a class" do
-      it "should raise" do
-        expect { SafeYAML::whitelist! :foo }.to raise_error(/not a Class/)
-        expect(SafeYAML::OPTIONS[:whitelisted_tags]).to be_empty
-      end
-    end
-
-    context "anonymous class" do
-      it "should raise" do
-        expect { SafeYAML::whitelist! Class.new }.to raise_error(/cannot be anonymous/)
-        expect(SafeYAML::OPTIONS[:whitelisted_tags]).to be_empty
-      end
-    end
-
-    context "with a Class as its argument" do
-      it "should configure correctly" do
-        expect { SafeYAML::whitelist! OpenStruct }.to_not raise_error
-        expect(SafeYAML::OPTIONS[:whitelisted_tags].grep(/OpenStruct\Z/)).not_to be_empty
-      end
-
-      it "successfully deserializes the specified class" do
-        SafeYAML.whitelist!(OpenStruct)
-
-        # necessary for properly assigning OpenStruct attributes
-        SafeYAML::OPTIONS[:deserialize_symbols] = true
-
-        result = safe_load_round_trip(OpenStruct.new(:foo => "bar"))
-        expect(result).to be_a(OpenStruct)
-        expect(result.foo).to eq("bar")
-      end
-
-      it "works for ranges" do
-        SafeYAML.whitelist!(Range)
-        expect(safe_load_round_trip(1..10)).to eq(1..10)
-      end
-
-      it "works for regular expressions" do
-        SafeYAML.whitelist!(Regexp)
-        expect(safe_load_round_trip(/foo/)).to eq(/foo/)
-      end
-
-      it "works for multiple classes" do
-        SafeYAML.whitelist!(Range, Regexp)
-        expect(safe_load_round_trip([(1..10), /bar/])).to eq([(1..10), /bar/])
-      end
-
-      it "works for arbitrary Exception subclasses" do
-        class CustomException < Exception
-          attr_reader :custom_message
-
-          def initialize(custom_message)
-            @custom_message = custom_message
-          end
-        end
-
-        SafeYAML.whitelist!(CustomException)
-
-        ex = safe_load_round_trip(CustomException.new("blah"))
-        expect(ex).to be_a(CustomException)
-        expect(ex.custom_message).to eq("blah")
-      end
-    end
-  end
-end