crack 0.4.1 → 0.4.2

@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA1:
3
+ metadata.gz: dd9edd7d26ac3281a9fd55016709019b9f3d8f50
4
+ data.tar.gz: b6a141ff1f15d25fb0b1217d0a265b050a260590
5
+ SHA512:
6
+ metadata.gz: 66ba343bb6aee32b946a472f504d570d4eb178984cf1ae65582f18f00ffe1f648e07835b20f7ade971ce9ee253c5e8ef829b34320fe71af77e8141b22f956fdd
7
+ data.tar.gz: 3be356c152ff9074973c3dbd4eefce2cc04ab20fe97127cf7d4d1ae2865531928c7e9ccae5529d4e05beb6b78b0e58a4bd03bada157fcaa6a931eac2086a3c3b
@@ -16,5 +16,5 @@ Gem::Specification.new do |gem|
16
16
  gem.version = Crack::VERSION
17
17
  gem.license = "MIT"
18
18
 
19
- gem.add_dependency "safe_yaml", "~> 0.9.0"
19
+ gem.add_dependency "safe_yaml", "~> 1.0.0"
20
20
  end
@@ -3,7 +3,7 @@
3
3
  # The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
4
4
  # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
5
5
 
6
- require 'yaml'
6
+ require 'safe_yaml/load'
7
7
  require 'strscan'
8
8
 
9
9
  module Crack
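Review bot: The switch to `require 'safe_yaml/load'` on new line 6 deserves a why-comment, because the distinction from `require 'safe_yaml'` is easy to lose in a later cleanup: as I recall the 1.0 API, the `/load` entry point only provides `SafeYAML.load`, whereas the bare require also replaces `YAML.load` process-wide, which a library should not do to its host application. Something like `# 'safe_yaml/load' exposes SafeYAML.load without monkey-patching YAML.load for the whole process` would record that. Note that the dropped `require 'yaml'` is now satisfied only transitively through safe_yaml; `parser_exceptions` (defined outside this hunk) presumably still names Psych/Syck exception classes, so that transitive load is load-bearing.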
@@ -23,7 +23,12 @@ module Crack
23
23
  end
24
24
 
25
25
  def self.parse(json)
26
- YAML.load(unescape(convert_json_to_yaml(json)))
26
+ args = [unescape(convert_json_to_yaml(json))]
27
+ args << nil if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
28
+ args << { :whitelisted_tags => ['!ruby/regexp'] }
29
+
30
+ SafeYAML.load(*args)
31
+
27
32
  rescue *parser_exceptions
28
33
  raise ParseError, "Invalid JSON string"
29
34
  end
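Review bot: Whitelisting `!ruby/regexp` on new line 28 leaves one tag reachable from attacker-controlled input: the JSON text reaches SafeYAML with its tags intact (the new test in this commit depends on exactly that), so a caller's untrusted JSON can make SafeYAML build a `Regexp` from a pattern the attacker chose, which is a ReDoS hazard if the application ever matches with the parsed value. Nothing in the hunk says which crack feature needs the tag, so a why-comment is warranted, e.g. `# SafeYAML drops every other tag; !ruby/regexp is kept because <name the feature> — the pattern is attacker-supplied, so never match it against user data`. If no feature needs it, drop the whitelist entirely and let the parser return the plain scalar. Minor: the added blank line before `rescue` on new line 31 is stray.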
@@ -1,3 +1,3 @@
1
1
  module Crack
2
- VERSION = "0.4.1"
2
+ VERSION = "0.4.2"
3
3
  end
@@ -49,6 +49,11 @@ describe "JSON Parsing" do
49
49
  end
50
50
  end
51
51
 
52
+ it "is not vulnerable to YAML deserialization exploits" do
53
+ class Foo; end
54
+ refute_instance_of(Foo, Crack::JSON.parse("# '---/\n--- !ruby/object:Foo\n foo: bar"))
55
+ end
56
+
52
57
  it "raise error for failed decoding" do
53
58
  assert_raises(Crack::ParseError) {
54
59
  Crack::JSON.parse(%({: 1}))
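Review bot: `refute_instance_of(Foo, …)` on new line 54 is a weak assertion — it passes equally if `parse` returns `nil`, a String or an empty Hash, so it would not catch a regression that silently discards the document. Capture the result and pin it: `result = Crack::JSON.parse("# '---/\n--- !ruby/object:Foo\n foo: bar")`, `refute_instance_of(Foo, result)`, `assert_equal({"foo" => "bar"}, result)` — assuming SafeYAML's default of ignoring non-whitelisted tags yields a plain Hash here; confirm and adjust the expected value. `class Foo; end` inside the `it` block also defines a constant that persists for the rest of the suite; a collision-proof name (e.g. `CrackYamlExploitTarget`) would be safer. There is no test covering the `!ruby/regexp` whitelist added in the same commit.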
metadata CHANGED
@@ -1,32 +1,29 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: crack
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.4.1
5
- prerelease:
4
+ version: 0.4.2
6
5
  platform: ruby
7
6
  authors:
8
7
  - John Nunemaker
9
8
  autorequire:
10
9
  bindir: bin
11
10
  cert_chain: []
12
- date: 2013-07-16 00:00:00.000000000 Z
11
+ date: 2014-02-02 00:00:00.000000000 Z
13
12
  dependencies:
14
13
  - !ruby/object:Gem::Dependency
15
14
  name: safe_yaml
16
15
  requirement: !ruby/object:Gem::Requirement
17
- none: false
18
16
  requirements:
19
17
  - - ~>
20
18
  - !ruby/object:Gem::Version
21
- version: 0.9.0
19
+ version: 1.0.0
22
20
  type: :runtime
23
21
  prerelease: false
24
22
  version_requirements: !ruby/object:Gem::Requirement
25
- none: false
26
23
  requirements:
27
24
  - - ~>
28
25
  - !ruby/object:Gem::Version
29
- version: 0.9.0
26
+ version: 1.0.0
30
27
  description: Really simple JSON and XML parsing, ripped from Merb and Rails.
31
28
  email:
32
29
  - nunemaker@gmail.com
@@ -59,27 +56,26 @@ files:
59
56
  homepage: http://github.com/jnunemaker/crack
60
57
  licenses:
61
58
  - MIT
59
+ metadata: {}
62
60
  post_install_message:
63
61
  rdoc_options: []
64
62
  require_paths:
65
63
  - lib
66
64
  required_ruby_version: !ruby/object:Gem::Requirement
67
- none: false
68
65
  requirements:
69
- - - ! '>='
66
+ - - '>='
70
67
  - !ruby/object:Gem::Version
71
68
  version: '0'
72
69
  required_rubygems_version: !ruby/object:Gem::Requirement
73
- none: false
74
70
  requirements:
75
- - - ! '>='
71
+ - - '>='
76
72
  - !ruby/object:Gem::Version
77
73
  version: '0'
78
74
  requirements: []
79
75
  rubyforge_project:
80
- rubygems_version: 1.8.23
76
+ rubygems_version: 2.0.3
81
77
  signing_key:
82
- specification_version: 3
78
+ specification_version: 4
83
79
  summary: Really simple JSON and XML parsing, ripped from Merb and Rails.
84
80
  test_files:
85
81
  - test/data/twittersearch-firefox.json