crass 1.0.5 → 1.0.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 335330d4d7d855e20733747cc6f01cf3513c176c37dd107c473f525b94c2bbfc
-  data.tar.gz: aec721d58cd3f1017fc957f7ae9d8b47f0e811db22649535ab64da580a6db70f
+  metadata.gz: a90afad390dcbfa666bb15dcc55ff6bc7711a4fabd9e5a920c53783bc22d2c8b
+  data.tar.gz: ba5fe09c8233f06503da5bf0f89a9c716cb19aa6b867eb6e1bff3f3d7153446d
 SHA512:
-  metadata.gz: df7fc13c7c363a4aaf44986f62eabbce1fe9da744797bdcdf3148628d1c8447e69c24b6df2b33325bebe88951e195ccb43c9a5e50b2e1e920fab782aa5f532dc
-  data.tar.gz: 38cfc577fcd184f175ba37b54f7e8638086a4c9817eb54c24b1c53a62f0437d4e97f9b87b8e81422511bf20c5eb2452f85838c6f822b89634fa944211eab3071
+  metadata.gz: efc02970ebefe0e0baf624b97c4aa43f9ce95c39acb7c3a8ccd8e5e74d56545bf9ee4efb0b5d67ba4c5e80f1c13563e8fbc1332feea7cd0ac6c207312c57cab4
+  data.tar.gz: 999316893f90a5f3a7fc9cd48dd20f2f1afd8c3087e772bec065bde19bfe08ad59d7430e786b232bd03f78a3f8054bc79cb4800130cab66ddaf93aff1dcc4a47

data/.github/workflows/tests.yml

@@ -0,0 +1,25 @@
+name: Tests
+on: [ push, pull_request ]
+jobs:
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-latest
+          - macos-latest
+        ruby:
+          - '3.3'
+          - '3.4'
+          - jruby
+          - ruby
+          - ruby-head
+    continue-on-error: ${{ endsWith(matrix.ruby, 'head') }}
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v7
+      - uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.314.0
+        with:
+          bundler-cache: true
+          ruby-version: ${{ matrix.ruby }}
+      - run: bundle exec rake

data/HISTORY.md

@@ -1,121 +1,89 @@
-Crass Change History
-====================
+# Crass Changelog
 
-1.0.5 (2019-10-15)
-------------------
+## 1.0.7 (2026-06-25)
 
-* Removed test files from the gem. [@t-richards - #8][8]
+### Security
 
-[8]:https://github.com/rgrove/crass/pull/8
+- High: Fixed a denial of service vulnerability in which a large numeric exponent could consume disproportionate CPU and memory before the value was clamped. Exponents are now bounded before `10**exponent` is computed. (GHSA-6wmf-3r64-vcwv)
 
+- Moderate: Fixed a scenario in which deeply nested simple blocks or functions could exhaust the Ruby stack and raise `SystemStackError`, or could result in excessive memory usage. Parser nesting is now limited to a configurable maximum depth via a new option (`:maximum_depth`, with a conservative default of 25). Constructs nested more deeply are discarded as an `:error` node with the value "maximum-depth-exceeded". (GHSA-6jxj-px6v-747w)
 
-1.0.4 (2018-04-08)
-------------------
+- Moderate: Fixed a scenario in which a long run of adjacent comments could exhaust the Ruby stack and raise `SystemStackError`. Discarded comments are now skipped iteratively rather than recursively. (GHSA-wwpr-jff3-395c)
 
-* Fixed whitespace warnings. (#7 - @yahonda)
+- Moderate: Fixed a denial of service vulnerability in which inputs containing many non-ASCII characters could cause excessive CPU usage due to inefficient handling of multi-byte characters during tokenization. (GHSA-8vfg-2r28-hvhj)
 
+## 1.0.6 (2020-01-12)
 
-1.0.3 (2017-11-13)
-------------------
+- Number values are now limited to a maximum of `Float::MAX` and a minimum of negative `Float::MAX`. (#11)
 
-* Added support for frozen string literals. (#3 - @flavorjones)
+- Added project metadata to the gemspec. (#9 - @orien)
 
+## 1.0.5 (2019-10-15)
 
-1.0.2 (2015-04-17)
-------------------
+- Removed test files from the gem. (#8 - @t-richards)
 
-* Fixed: An at-rule immediately followed by a `{}` simple block would have the
-  block (and subsequent tokens until a semicolon) incorrectly appended to its
-  prelude. This was super dumb and made me very sad.
+## 1.0.4 (2018-04-08)
 
+- Fixed whitespace warnings. (#7 - @yahonda)
 
-1.0.1 (2014-11-16)
-------------------
+## 1.0.3 (2017-11-13)
 
-* Fixed: Modifications made to the block of an `:at_rule` node in a parse tree
-  weren't reflected when that node was stringified. This was a regression
-  introduced in 1.0.0.
+- Added support for frozen string literals. (#3 - @flavorjones)
 
+## 1.0.2 (2015-04-17)
 
-1.0.0 (2014-11-16)
-------------------
+- Fixed: An at-rule immediately followed by a `{}` simple block would have the block (and subsequent tokens until a semicolon) incorrectly appended to its prelude. This was super dumb and made me very sad.
 
-* Many parsing and tokenization tweaks to bring us into full compliance with the
-  [14 November 2014 editor's draft][css-syntax-draft] of the CSS syntax spec.
-  The most significant outwardly visible change is that quoted URLs like
-  `url("foo")` are now returned as `:function` tokens and not `:url` tokens due
-  to a change in the tokenization spec.
+## 1.0.1 (2014-11-16)
 
-* Teensy tiny speed and memory usage improvements that you almost certainly
-  won't notice.
+- Fixed: Modifications made to the block of an `:at_rule` node in a parse tree weren't reflected when that node was stringified. This was a regression introduced in 1.0.0.
 
-* Fixed: A semicolon following a `@charset` rule would be omitted during
-  serialization.
+## 1.0.0 (2014-11-16)
 
-* Fixed: A multibyte char at the beginning of an id token could trigger an
-  encoding error because `StringScanner#peek` is a jerkface.
+- Many parsing and tokenization tweaks to bring us into full compliance with the [14 November 2014 editor's draft](http://dev.w3.org/csswg/css-syntax-3/) of the CSS syntax spec. The most significant outwardly visible change is that quoted URLs like `url("foo")` are now returned as `:function` tokens and not `:url` tokens due to a change in the tokenization spec.
 
-[css-syntax-draft]:http://dev.w3.org/csswg/css-syntax-3/
+- Teensy tiny speed and memory usage improvements that you almost certainly won't notice.
 
+- Fixed: A semicolon following a `@charset` rule would be omitted during serialization.
 
-0.2.1 (2014-07-22)
-------------------
+- Fixed: A multibyte char at the beginning of an id token could trigger an encoding error because `StringScanner#peek` is a jerkface.
 
-* Fixed: Error when the last property of a rule has no value and no terminating
-  semicolon. [#2][]
+## 0.2.1 (2014-07-22)
 
-[#2]:https://github.com/rgrove/crass/issues/2
+- Fixed: Error when the last property of a rule has no value and no terminating semicolon. [#2](https://github.com/rgrove/crass/issues/2)
 
+## 0.2.0 (2013-10-10)
 
-0.2.0 (2013-10-10)
-------------------
+- Added a `:children` field to `:property` nodes. It's an array containing all the nodes that make up the property's value.
 
-* Added a `:children` field to `:property` nodes. It's an array containing all
-  the nodes that make up the property's value.
+- Fixed: Incorrect value was given for `:property` nodes whose values contained functions.
 
-* Fixed: Incorrect value was given for `:property` nodes whose values contained
-  functions.
+- Fixed: When parsing the value of an at-rule's block as a list of rules, a selector containing a function (such as `#foo:not(.bar)`) would cause that property and the rest of the token stream to be discarded.
 
-* Fixed: When parsing the value of an at-rule's block as a list of rules, a
-  selector containing a function (such as `#foo:not(.bar)`) would cause that
-  property and the rest of the token stream to be discarded.
+## 0.1.0 (2013-10-04)
 
+- Tokenization is a little over 50% faster.
 
-0.1.0 (2013-10-04)
-------------------
+- Added tons of unit tests.
 
-* Tokenization is a little over 50% faster.
+- Added `Crass.parse_properties` and `Crass::Parser.parse_properties`, which can be used to parse the contents of an HTML element's `style` attribute.
 
-* Added tons of unit tests.
+- Added `Crass::Parser.parse_rules`, which can be used to parse the contents of an `:at_rule` block like `@media` that may contain style rules.
 
-* Added `Crass.parse_properties` and `Crass::Parser.parse_properties`, which can
-  be used to parse the contents of an HTML element's `style` attribute.
+- Fixed: `Crass::Parser#consume_at_rule` and `#consume_qualified_rule` didn't properly handle already-parsed `:simple_block` nodes in the input, which occurs when parsing rules in the value of an `:at_rule` block.
 
-* Added `Crass::Parser.parse_rules`, which can be used to parse the contents of
-  an `:at_rule` block like `@media` that may contain style rules.
+- Fixed: On `:property` nodes, `:important` is now set to `true` when the property is followed by an "!important" declaration.
 
-* Fixed: `Crass::Parser#consume_at_rule` and `#consume_qualified_rule` didn't
-  properly handle already-parsed `:simple_block` nodes in the input, which
-  occurs when parsing rules in the value of an `:at_rule` block.
+- Fixed: "!important" is no longer included in the value of a `:property` node.
 
-* Fixed: On `:property` nodes, `:important` is now set to `true` when the
-  property is followed by an "!important" declaration.
+- Fixed: A variety of tokenization bugs uncovered by tests.
 
-* Fixed: "!important" is no longer included in the value of a `:property` node.
+- Fixed: Added a workaround for a possible spec bug when an `:at_keyword` is encountered while consuming declarations.
 
-* Fixed: A variety of tokenization bugs uncovered by tests.
+## 0.0.2 (2013-09-30)
 
-* Fixed: Added a workaround for a possible spec bug when an `:at_keyword` is
-  encountered while consuming declarations.
+- Fixed: `:at_rule` nodes now have a `:name` key.
 
+## 0.0.1 (2013-09-27)
 
-0.0.2 (2013-09-30)
-------------------
-
-* Fixed: `:at_rule` nodes now have a `:name` key.
-
-
-0.0.1 (2013-09-27)
-------------------
-
-* Initial release.
+- Initial release.

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2017 Ryan Grove (ryan@wonko.com)
+Copyright Ryan Grove <ryan@wonko.com>
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the ‘Software’), to deal in

data/README.md

@@ -1,64 +1,47 @@
-Crass
-=====
+# Crass
 
-Crass is a Ruby CSS parser that's fully compliant with the
-[CSS Syntax Level 3][css] specification.
+Crass is a Ruby CSS parser that's fully compliant with the [CSS Syntax Level 3](http://dev.w3.org/csswg/css-syntax/) specification.
 
-* [Home](https://github.com/rgrove/crass/)
-* [API Docs](http://rubydoc.info/github/rgrove/crass/master)
-
-[![Build Status](https://travis-ci.org/rgrove/crass.svg?branch=master)](https://travis-ci.org/rgrove/crass)
 [![Gem Version](https://badge.fury.io/rb/crass.svg)](http://badge.fury.io/rb/crass)
+[![Tests](https://github.com/rgrove/crass/actions/workflows/tests.yml/badge.svg)](https://github.com/rgrove/crass/actions/workflows/tests.yml)
+
+## Links
+
+- [Home](https://github.com/rgrove/crass/)
+- [API Docs](https://rubydoc.info/github/rgrove/crass/Crass)
 
-Features
---------
 
-* Pure Ruby, with no runtime dependencies other than Ruby 1.9.x or higher.
+## Features
 
-* Tokenizes and parses CSS according to the rules defined in the 14 November
-  2014 editor's draft of the [CSS Syntax Level 3][css] specification.
+- Pure Ruby, with no runtime dependencies other than Ruby 1.9.x or higher.
 
-* Extremely tolerant of broken or invalid CSS. If a browser can handle it, Crass
-  should be able to handle it too.
+- Tokenizes and parses CSS according to the rules defined in the 14 November 2014 editor's draft of the [CSS Syntax Level 3](http://dev.w3.org/csswg/css-syntax/) specification.
 
-* Optionally includes comments in the token stream.
+- Extremely tolerant of broken or invalid CSS. If a browser can handle it, Crass should be able to handle it too.
 
-* Optionally preserves certain CSS hacks, such as the IE "*" hack, which would
-  otherwise be discarded according to CSS3 tokenizing rules.
+- Optionally includes comments in the token stream.
 
-* Capable of serializing the parse tree back to CSS while maintaining all
-  original whitespace, comments, and indentation.
+- Optionally preserves certain CSS hacks, such as the IE "*" hack, which would otherwise be discarded according to CSS3 tokenizing rules.
 
-[css]: http://dev.w3.org/csswg/css-syntax/
+- Capable of serializing the parse tree back to CSS while maintaining all original whitespace, comments, and indentation.
 
-Problems
---------
+## Problems
 
-* Crass isn't terribly fast. I mean, it's Ruby, and it's not really slow by Ruby
-  standards. But compared to the CSS parser in your average browser? Yeah, it's
-  slow.
+- Crass isn't terribly fast. I mean, it's Ruby, and it's not really slow by Ruby standards. But compared to the CSS parser in your average browser? Yeah, it's slow.
 
-* Crass only parses the CSS syntax; it doesn't understand what any of it means,
-  doesn't coalesce selectors, etc. You can do this yourself by consuming the
-  parse tree, though.
+- Crass only parses the CSS syntax; it doesn't understand what any of it means, doesn't coalesce selectors, etc. You can do this yourself by consuming the parse tree, though.
 
-* While any node in the parse tree (or the parse tree as a whole) can be
-  serialized back to CSS with perfect fidelity, changes made to those nodes
-  (except for wholesale removal of nodes) are not reflected in the serialized
-  output.
+- While any node in the parse tree (or the parse tree as a whole) can be serialized back to CSS with perfect fidelity, changes made to those nodes (except for wholesale removal of nodes) are not reflected in the serialized output.
 
-* Crass only supports UTF-8 input and doesn't respect `@charset` rules. Input in
-  any other encoding will be converted to UTF-8.
+- Crass only supports UTF-8 input and doesn't respect `@charset` rules. Input in any other encoding will be converted to UTF-8.
 
-Installing
-----------
+## Installing
 
 ```
 gem install crass
 ```
 
-Examples
---------
+## Examples
 
 Say you have a string containing some CSS:
 
@@ -76,7 +59,7 @@ Parsing it is simple:
 tree = Crass.parse(css, :preserve_comments => true)
 ```
 
-This returns a big fat beautiful parse tree, which looks like this:
+This returns a big beautiful parse tree, which looks like this:
 
 ```ruby
 [{:node=>:comment, :pos=>0, :raw=>"/* Comment! */", :value=>" Comment! "},
@@ -151,64 +134,20 @@ a:hover {
 
 Wasn't that exciting?
 
-A Note on Versioning
---------------------
-
-As of version 1.0.0, Crass adheres strictly to [SemVer 2.0][semver].
-
-[semver]:http://semver.org/spec/v2.0.0.html
-
-Contributing
-------------
-
-The best way to contribute is to use Crass and [create issues][issue] when you
-run into problems.
-
-Pull requests that fix bugs are more than welcome as long as they include tests.
-Please adhere to the style and format of the surrounding code, or I might ask
-you to change things.
-
-If you want to add a feature or refactor something, please get in touch first to
-make sure I'm on board with your idea and approach; I'm pretty picky, and I'd
-hate to have to turn down a pull request you spent a lot of time on.
-
-[issue]: https://github.com/rgrove/crass/issues/new
-
-Acknowledgments
----------------
+## Versioning
 
-I'm deeply, deeply grateful to [Simon Sapin][simon] for his wonderfully
-comprehensive [CSS parsing tests][css-tests], which I adapted to create many of
-Crass's tests. They've been invaluable in helping me fix bugs and handle weird
-edge cases, and Crass would be much crappier without them.
+As of version 1.0.0, Crass adheres strictly to [SemVer 2.0](http://semver.org/spec/v2.0.0.html).
 
-I'm also grateful to [Tab Atkins Jr.][tab] and Simon Sapin (again!) for their
-work on the [CSS Syntax Level 3][spec] specification, which defines the
-tokenizing and parsing rules that Crass implements.
+## Contributing
 
-[css-tests]:https://github.com/SimonSapin/css-parsing-tests/
-[simon]:http://exyr.org/about/
-[spec]:http://www.w3.org/TR/css-syntax-3/
-[tab]:http://www.xanthir.com/contact/
+The best way to contribute is to use Crass and [create issues](https://github.com/rgrove/crass/issues/new) when you run into problems.
 
-License
--------
+Pull requests that fix bugs are more than welcome as long as they include tests. Please adhere to the style and format of the surrounding code, or I might ask you to change things.
 
-Copyright (c) 2017 Ryan Grove (ryan@wonko.com)
+If you want to add a feature or refactor something, please get in touch first to make sure I'm on board with your idea and approach; I'm pretty picky, and I'd hate to have to turn down a pull request you spent a lot of time on.
 
-Permission is hereby granted, free of charge, to any person obtaining a copy of
-this software and associated documentation files (the ‘Software’), to deal in
-the Software without restriction, including without limitation the rights to
-use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-the Software, and to permit persons to whom the Software is furnished to do so,
-subject to the following conditions:
+## Acknowledgments
 
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+I'm deeply grateful to [Simon Sapin](http://exyr.org/about/) for his wonderfully comprehensive [CSS parsing tests](https://github.com/SimonSapin/css-parsing-tests/), which I adapted to create many of Crass's tests. They've been invaluable in helping me fix bugs and handle weird edge cases, and Crass would be much crappier without them.
 
-THE SOFTWARE IS PROVIDED ‘AS IS’, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+I'm also grateful to [Tab Atkins-Bittner](https://www.xanthir.com/contact/) and Simon Sapin (again!) for their work on the [CSS Syntax Level 3](http://www.w3.org/TR/css-syntax-3/) specification, which defines the tokenizing and parsing rules that Crass implements.

data/crass.gemspec

@@ -2,14 +2,22 @@
 require './lib/crass/version'
 
 Gem::Specification.new do |s|
-  s.name        = 'crass'
-  s.summary     = 'CSS parser based on the CSS Syntax Level 3 spec.'
+  s.name = 'crass'
+  s.summary = 'CSS parser based on the CSS Syntax Level 3 spec.'
   s.description = 'Crass is a pure Ruby CSS parser based on the CSS Syntax Level 3 spec.'
-  s.version     = Crass::VERSION
-  s.authors     = ['Ryan Grove']
-  s.email       = ['ryan@wonko.com']
-  s.homepage    = 'https://github.com/rgrove/crass/'
-  s.license     = 'MIT'
+  s.version = Crass::VERSION
+  s.authors = ['Ryan Grove']
+  s.email = ['ryan@wonko.com']
+  s.homepage = 'https://github.com/rgrove/crass/'
+  s.license = 'MIT'
+
+  s.metadata = {
+    'bug_tracker_uri' => 'https://github.com/rgrove/crass/issues',
+    'changelog_uri' => "https://github.com/rgrove/crass/blob/v#{s.version}/HISTORY.md",
+    'documentation_uri' => "https://www.rubydoc.info/gems/crass/#{s.version}",
+    'rubygems_mfa_required' => 'true',
+    'source_code_uri' => "https://github.com/rgrove/crass/tree/v#{s.version}",
+  }
 
   s.platform = Gem::Platform::RUBY
   s.required_ruby_version = Gem::Requirement.new('>= 1.9.2')
@@ -19,6 +27,6 @@ Gem::Specification.new do |s|
   s.files = `git ls-files -z`.split("\x0").grep_v(%r{^test/})
 
   # Development dependencies.
-  s.add_development_dependency 'minitest', '~> 5.0.8'
-  s.add_development_dependency 'rake',     '~> 10.1.0'
+  s.add_development_dependency 'minitest', '~> 6.0.6'
+  s.add_development_dependency 'rake', '~> 13.4.2'
 end

data/lib/crass/parser.rb

@@ -6,7 +6,7 @@ module Crass
 
   # Parses a CSS string or list of tokens.
   #
-  # 5. http://dev.w3.org/csswg/css-syntax/#parsing
+  # 5. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#parsing
   class Parser
     BLOCK_END_TOKENS = {
       :'{' => :'}',
@@ -14,14 +14,28 @@ module Crass
       :'(' => :')'
     }
 
+    # Default maximum nesting depth for simple blocks and functions. This is far
+    # higher than any legitimate CSS needs, but far below the depth at which
+    # Ruby would raise `SystemStackError` while recursively parsing nested
+    # constructs.
+    #
+    # Keeping this low also bounds memory usage: each nested simple block and
+    # function retains a `:tokens` array spanning its descendants for
+    # serialization, so the total serialization metadata grows with nesting
+    # depth. A modest limit prevents deeply nested (but otherwise valid) input
+    # from amplifying memory disproportionately.
+    #
+    # It can be overridden with the `:maximum_depth` option.
+    DEFAULT_MAXIMUM_DEPTH = 25
+
     # -- Class Methods ---------------------------------------------------------
 
     # Parses CSS properties (such as the contents of an HTML element's `style`
     # attribute) and returns a parse tree.
     #
-    # See {Tokenizer#initialize} for _options_.
+    # See {Crass.parse} for _options_.
     #
-    # 5.3.6. http://dev.w3.org/csswg/css-syntax/#parse-a-list-of-declarations
+    # 5.3.6. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#parse-a-list-of-declarations
     def self.parse_properties(input, options = {})
       Parser.new(input, options).parse_properties
     end
@@ -30,9 +44,9 @@ module Crass
     # parse tree. The only difference from {parse_stylesheet} is that CDO/CDC
     # nodes (`<!--` and `-->`) aren't ignored.
     #
-    # See {Tokenizer#initialize} for _options_.
+    # See {Crass.parse} for _options_.
     #
-    # 5.3.3. http://dev.w3.org/csswg/css-syntax/#parse-a-list-of-rules
+    # 5.3.3. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#parse-a-list-of-rules
     def self.parse_rules(input, options = {})
       parser = Parser.new(input, options)
       rules  = parser.consume_rules
@@ -48,9 +62,9 @@ module Crass
 
     # Parses a CSS stylesheet and returns a parse tree.
     #
-    # See {Tokenizer#initialize} for _options_.
+    # See {Crass.parse} for _options_.
     #
-    # 5.3.2. http://dev.w3.org/csswg/css-syntax/#parse-a-stylesheet
+    # 5.3.2. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#parse-a-stylesheet
     def self.parse_stylesheet(input, options = {})
       parser = Parser.new(input, options)
       rules  = parser.consume_rules(:top_level => true)
@@ -122,18 +136,20 @@ module Crass
     # Initializes a parser based on the given _input_, which may be a CSS string
     # or an array of tokens.
     #
-    # See {Tokenizer#initialize} for _options_.
+    # See {Crass.parse} for _options_.
     def initialize(input, options = {})
       unless input.kind_of?(Enumerable)
         input = Tokenizer.tokenize(input, options)
       end
 
+      @depth = 0
+      @maximum_depth = options[:maximum_depth] || DEFAULT_MAXIMUM_DEPTH
       @tokens = TokenScanner.new(input)
     end
 
     # Consumes an at-rule and returns it.
     #
-    # 5.4.2. http://dev.w3.org/csswg/css-syntax-3/#consume-at-rule
+    # 5.4.2. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#consume-at-rule
     def consume_at_rule(input = @tokens)
       rule = {}
 
@@ -180,7 +196,7 @@ module Crass
     # Consumes a component value and returns it, or `nil` if there are no more
     # tokens.
     #
-    # 5.4.6. http://dev.w3.org/csswg/css-syntax-3/#consume-a-component-value
+    # 5.4.6. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#consume-a-component-value
     def consume_component_value(input = @tokens)
       return nil unless token = input.consume
 
@@ -205,7 +221,7 @@ module Crass
 
     # Consumes a declaration and returns it, or `nil` on parse error.
     #
-    # 5.4.5. http://dev.w3.org/csswg/css-syntax-3/#consume-a-declaration
+    # 5.4.5. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#consume-a-declaration
     def consume_declaration(input = @tokens)
       declaration = {}
       value       = []
@@ -272,7 +288,7 @@ module Crass
     #   * **:strict** - Set to `true` to exclude non-standard `:comment`,
     #     `:semicolon`, and `:whitespace` nodes.
     #
-    # 5.4.4. http://dev.w3.org/csswg/css-syntax/#consume-a-list-of-declarations
+    # 5.4.4. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#consume-a-list-of-declarations
     def consume_declarations(input = @tokens, options = {})
       declarations = []
 
@@ -322,38 +338,48 @@ module Crass
 
     # Consumes a function and returns it.
     #
-    # 5.4.8. http://dev.w3.org/csswg/css-syntax-3/#consume-a-function
+    # 5.4.8. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#consume-a-function
     def consume_function(input = @tokens)
-      function = {
-        :name   => input.current[:value],
-        :value  => [],
-        :tokens => [input.current] # Non-standard, used for serialization.
-      }
-
-      function[:tokens].concat(input.collect {
-        while token = input.consume
-          case token[:node]
-          when :')'
-            break
-
-          # Non-standard.
-          when :comment
-            next
-
-          else
-            input.reconsume
-            function[:value] << consume_component_value(input)
+      @depth += 1
+
+      begin
+        # Discard functions nested more deeply than the maximum allowed depth to
+        # avoid exhausting the Ruby stack on maliciously nested input.
+        return discard_block(input) if @depth > @maximum_depth
+
+        function = {
+          :name   => input.current[:value],
+          :value  => [],
+          :tokens => [input.current] # Non-standard, used for serialization.
+        }
+
+        function[:tokens].concat(input.collect {
+          while token = input.consume
+            case token[:node]
+            when :')'
+              break
+
+            # Non-standard.
+            when :comment
+              next
+
+            else
+              input.reconsume
+              function[:value] << consume_component_value(input)
+            end
           end
-        end
-      })
+        })
 
-      create_node(:function, function)
+        create_node(:function, function)
+      ensure
+        @depth -= 1
+      end
     end
 
     # Consumes a qualified rule and returns it, or `nil` if a parse error
     # occurs.
     #
-    # 5.4.3. http://dev.w3.org/csswg/css-syntax-3/#consume-a-qualified-rule
+    # 5.4.3. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#consume-a-qualified-rule
     def consume_qualified_rule(input = @tokens)
       rule = {:prelude => []}
 
@@ -394,7 +420,7 @@ module Crass
 
     # Consumes a list of rules and returns them.
     #
-    # 5.4.1. http://dev.w3.org/csswg/css-syntax/#consume-a-list-of-rules
+    # 5.4.1. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#consume-a-list-of-rules
     def consume_rules(flags = {})
       rules = []
 
@@ -430,28 +456,70 @@ module Crass
     # Consumes and returns a simple block associated with the current input
     # token.
     #
-    # 5.4.7. http://dev.w3.org/csswg/css-syntax/#consume-a-simple-block
+    # 5.4.7. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#consume-a-simple-block
     def consume_simple_block(input = @tokens)
-      start_token = input.current[:node]
-      end_token   = BLOCK_END_TOKENS[start_token]
+      @depth += 1
 
-      block = {
-        :start  => start_token.to_s,
-        :end    => end_token.to_s,
-        :value  => [],
-        :tokens => [input.current] # Non-standard. Used for serialization.
-      }
+      begin
+        # Discard blocks nested more deeply than the maximum allowed depth to
+        # avoid exhausting the Ruby stack on maliciously nested input.
+        return discard_block(input) if @depth > @maximum_depth
 
-      block[:tokens].concat(input.collect do
-        while token = input.consume
-          break if token[:node] == end_token
+        start_token = input.current[:node]
+        end_token   = BLOCK_END_TOKENS[start_token]
 
-          input.reconsume
-          block[:value] << consume_component_value(input)
+        block = {
+          :start  => start_token.to_s,
+          :end    => end_token.to_s,
+          :value  => [],
+          :tokens => [input.current] # Non-standard. Used for serialization.
+        }
+
+        block[:tokens].concat(input.collect do
+          while token = input.consume
+            break if token[:node] == end_token
+
+            input.reconsume
+            block[:value] << consume_component_value(input)
+          end
+        end)
+
+        create_node(:simple_block, block)
+      ensure
+        @depth -= 1
+      end
+    end
+
+    # Discards an over-nested simple block or function without recursing, then
+    # returns an `:error` node. Assumes `input.current` is the opening token (a
+    # `{`, `[`, `(`, or function token).
+    #
+    # This is reached only when the configured maximum nesting depth is
+    # exceeded. It iteratively consumes tokens up to the matching closing token
+    # (tracking nested blocks and functions with an explicit stack) so that a
+    # deeply nested construct can't exhaust the Ruby stack.
+    def discard_block(input)
+      opening = input.current
+
+      stack = [opening[:node] == :function ? :')' : BLOCK_END_TOKENS[opening[:node]]]
+      tokens = [opening] # Non-standard. Used for serialization.
+
+      tokens.concat(input.collect do
+        until stack.empty?
+          break unless token = input.consume
+
+          case token[:node]
+          when :'{', :'[', :'('
+            stack.push(BLOCK_END_TOKENS[token[:node]])
+          when :function
+            stack.push(:')')
+          when stack.last
+            stack.pop
+          end
         end
       end)
 
-      create_node(:simple_block, block)
+      create_node(:error, :value => 'maximum-depth-exceeded', :tokens => tokens)
     end
 
     # Creates and returns a new parse node with the given _properties_.
@@ -479,7 +547,7 @@ module Crass
 
     # Parses a single component value and returns it.
     #
-    # 5.3.7. http://dev.w3.org/csswg/css-syntax-3/#parse-a-component-value
+    # 5.3.7. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#parse-a-component-value
     def parse_component_value(input = @tokens)
       input = TokenScanner.new(input) unless input.is_a?(TokenScanner)
 
@@ -506,7 +574,7 @@ module Crass
 
     # Parses a list of component values and returns an array of parsed tokens.
     #
-    # 5.3.8. http://dev.w3.org/csswg/css-syntax/#parse-a-list-of-component-values
+    # 5.3.8. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#parse-a-list-of-component-values
     def parse_component_values(input = @tokens)
       input  = TokenScanner.new(input) unless input.is_a?(TokenScanner)
       tokens = []
@@ -520,7 +588,7 @@ module Crass
 
     # Parses a single declaration and returns it.
     #
-    # 5.3.5. http://dev.w3.org/csswg/css-syntax/#parse-a-declaration
+    # 5.3.5. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#parse-a-declaration
     def parse_declaration(input = @tokens)
       input = TokenScanner.new(input) unless input.is_a?(TokenScanner)
 
@@ -548,7 +616,7 @@ module Crass
     #
     # See {#consume_declarations} for _options_.
     #
-    # 5.3.6. http://dev.w3.org/csswg/css-syntax/#parse-a-list-of-declarations
+    # 5.3.6. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#parse-a-list-of-declarations
     def parse_declarations(input = @tokens, options = {})
       input = TokenScanner.new(input) unless input.is_a?(TokenScanner)
       consume_declarations(input, options)
@@ -582,7 +650,7 @@ module Crass
 
     # Parses a single rule and returns it.
     #
-    # 5.3.4. http://dev.w3.org/csswg/css-syntax-3/#parse-a-rule
+    # 5.3.4. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#parse-a-rule
     def parse_rule(input = @tokens)
       input = TokenScanner.new(input) unless input.is_a?(TokenScanner)
 

data/lib/crass/scanner.rb

@@ -16,6 +16,10 @@ module Crass
 
     # Position of the next character that will be consumed. This is a character
     # position, not a byte position, so it accounts for multi-byte characters.
+    #
+    # Byte offsets (used internally for fast substring extraction) are tracked
+    # separately by the underlying StringScanner, whose `pos` always reflects
+    # the byte offset corresponding to this character position.
     attr_accessor :pos
 
     # String being scanned.
@@ -46,6 +50,11 @@ module Crass
     def consume_rest
       result = @scanner.rest
 
+      # `StringScanner#rest` does not advance the scan pointer, so move it to
+      # the end of the input to keep the byte offset in sync with {#pos}. This
+      # ensures a subsequent {#marked} extracts the correct substring.
+      @scanner.terminate
+
       @current = result[-1]
       @pos     = @len
 
@@ -61,24 +70,31 @@ module Crass
     # Sets the marker to the position of the next character that will be
     # consumed.
     def mark
-      @marker = @pos
+      @byte_marker = @scanner.pos
+      @marker      = @pos
     end
 
     # Returns the substring between {#marker} and {#pos}, without altering the
     # pointer.
     def marked
-      if result = @string[@marker, @pos - @marker]
-        result
-      else
-        ''
-      end
+      # Extract the marked text using byte offsets rather than character
+      # offsets. Slicing the original string by character offset is O(n) on
+      # multi-byte input (Ruby must translate the character index into a byte
+      # index), which makes tokenizing non-ASCII input superlinear. Byte slicing
+      # is O(length) regardless of how far into the string we are.
+      @string.byteslice(@byte_marker, @scanner.pos - @byte_marker) || ''
     end
 
     # Returns up to _length_ characters starting at the current position, but
     # doesn't consume them. The number of characters returned may be less than
     # _length_ if the end of the string is reached.
     def peek(length = 1)
-      @string[pos, length]
+      # Grab the bytes for up to _length_ characters and then take the first
+      # _length_ characters. A UTF-8 character is at most four bytes, so `length
+      # * 4` bytes always contains at least _length_ whole characters when that
+      # many remain. This avoids the O(n) character-offset slice that
+      # `@string[pos, length]` would otherwise perform on multi-byte input.
+      @string.byteslice(@scanner.pos, length * 4).slice(0, length) || ''
     end
 
     # Moves the pointer back one character without changing the value of
@@ -91,10 +107,13 @@ module Crass
 
     # Resets the pointer to the beginning of the string.
     def reset
-      @current = nil
-      @len     = @string.size
-      @marker  = 0
-      @pos     = 0
+      @scanner.reset
+
+      @byte_marker = 0
+      @current     = nil
+      @len         = @string.size
+      @marker      = 0
+      @pos         = 0
     end
 
     # Tries to match _pattern_ at the current position. If it matches, the

data/lib/crass/tokenizer.rb

@@ -5,7 +5,7 @@ module Crass
 
   # Tokenizes a CSS string.
   #
-  # 4. http://dev.w3.org/csswg/css-syntax/#tokenization
+  # 4. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#tokenization
   class Tokenizer
     RE_COMMENT_CLOSE   = /\*\//
     RE_DIGIT           = /[0-9]+/
@@ -66,19 +66,20 @@ module Crass
 
     # Consumes a token and returns the token that was consumed.
     #
-    # 4.3.1. http://dev.w3.org/csswg/css-syntax/#consume-a-token
+    # 4.3.1. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#consume-a-token
     def consume
-      return nil if @s.eos?
+      # Skip over any comments. When comments aren't being preserved this is
+      # done iteratively rather than recursively so that a long run of adjacent
+      # comments can't exhaust the Ruby stack and raise a `SystemStackError`.
+      loop do
+        return nil if @s.eos?
 
-      @s.mark
+        @s.mark
 
-      # Consume comments.
-      if comment_token = consume_comments
-        if @options[:preserve_comments]
-          return comment_token
-        else
-          return consume
-        end
+        comment_token = consume_comments
+        break unless comment_token
+
+        return comment_token if @options[:preserve_comments]
       end
 
       # Consume whitespace.
@@ -271,7 +272,7 @@ module Crass
 
     # Consumes the remnants of a bad URL and returns the consumed text.
     #
-    # 4.3.15. http://dev.w3.org/csswg/css-syntax/#consume-the-remnants-of-a-bad-url
+    # 4.3.15. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#consume-the-remnants-of-a-bad-url
     def consume_bad_url
       text = String.new
 
@@ -297,7 +298,7 @@ module Crass
 
     # Consumes comments and returns them, or `nil` if no comments were consumed.
     #
-    # 4.3.2. http://dev.w3.org/csswg/css-syntax/#consume-comments
+    # 4.3.2. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#consume-comments
     def consume_comments
       if @s.peek(2) == '/*'
         @s.consume
@@ -322,7 +323,7 @@ module Crass
     # next character in the input has already been verified not to be a newline
     # or EOF.
     #
-    # 4.3.8. http://dev.w3.org/csswg/css-syntax/#consume-an-escaped-code-point
+    # 4.3.8. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#consume-an-escaped-code-point
     def consume_escaped
       return "\ufffd" if @s.eos?
 
@@ -346,7 +347,7 @@ module Crass
 
     # Consumes an ident-like token and returns it.
     #
-    # 4.3.4. http://dev.w3.org/csswg/css-syntax/#consume-an-ident-like-token
+    # 4.3.4. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#consume-an-ident-like-token
     def consume_ident
       value = consume_name
 
@@ -371,7 +372,7 @@ module Crass
 
     # Consumes a name and returns it.
     #
-    # 4.3.12. http://dev.w3.org/csswg/css-syntax/#consume-a-name
+    # 4.3.12. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#consume-a-name
     def consume_name
       result = String.new
 
@@ -403,7 +404,7 @@ module Crass
     # original representation, its numeric value, and its type (either
     # `:integer` or `:number`).
     #
-    # 4.3.13. http://dev.w3.org/csswg/css-syntax/#consume-a-number
+    # 4.3.13. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#consume-a-number
     def consume_number
       repr = String.new
       type = :integer
@@ -426,37 +427,46 @@ module Crass
 
     # Consumes a numeric token and returns it.
     #
-    # 4.3.3. http://dev.w3.org/csswg/css-syntax/#consume-a-numeric-token
+    # 4.3.3. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#consume-a-numeric-token
     def consume_numeric
       number = consume_number
+      repr = number[0]
+      value = number[1]
+      type = number[2]
+
+      if type == :integer
+        value = value.to_i
+      else
+        value = value.to_f
+      end
 
       if start_identifier?(@s.peek(3))
         create_token(:dimension,
-          :repr  => number[0],
-          :type  => number[2],
-          :unit  => consume_name,
-          :value => number[1])
+          :repr => repr,
+          :type => type,
+          :unit => consume_name,
+          :value => value)
 
       elsif @s.peek == '%'
         @s.consume
 
         create_token(:percentage,
-          :repr  => number[0],
-          :type  => number[2],
-          :value => number[1])
+          :repr => repr,
+          :type => type,
+          :value => value)
 
       else
         create_token(:number,
-          :repr  => number[0],
-          :type  => number[2],
-          :value => number[1])
+          :repr => repr,
+          :type => type,
+          :value => value)
       end
     end
 
     # Consumes a string token that ends at the given character, and returns the
     # token.
     #
-    # 4.3.5. http://dev.w3.org/csswg/css-syntax/#consume-a-string-token
+    # 4.3.5. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#consume-a-string-token
     def consume_string(ending = nil)
       ending = @s.current if ending.nil?
       value  = String.new
@@ -497,7 +507,7 @@ module Crass
     # Consumes a Unicode range token and returns it. Assumes the initial "u+" or
     # "U+" has already been consumed.
     #
-    # 4.3.7. http://dev.w3.org/csswg/css-syntax/#consume-a-unicode-range-token
+    # 4.3.7. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#consume-a-unicode-range-token
     def consume_unicode_range
       value = @s.scan(RE_HEX) || String.new
 
@@ -529,7 +539,7 @@ module Crass
     # Consumes a URL token and returns it. Assumes the original "url(" has
     # already been consumed.
     #
-    # 4.3.6. http://dev.w3.org/csswg/css-syntax/#consume-a-url-token
+    # 4.3.6. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#consume-a-url-token
     def consume_url
       value = String.new
 
@@ -577,7 +587,7 @@ module Crass
 
     # Converts a valid CSS number string into a number and returns the number.
     #
-    # 4.3.14. http://dev.w3.org/csswg/css-syntax/#convert-a-string-to-a-number
+    # 4.3.14. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#convert-a-string-to-a-number
     def convert_string_to_number(str)
       matches = RE_NUMBER_STR.match(str)
 
@@ -588,9 +598,45 @@ module Crass
       t = matches[:exponent_sign] == '-' ? -1 : 1
       e = matches[:exponent].to_i
 
-      # I know this looks nutty, but it's exactly what's defined in the spec,
-      # and it works.
-      s * (i + f * 10**-d) * 10**(t * e)
+      exponent = t * e
+
+      # Guard against denial of service via attacker-controlled exponentiation.
+      # A tiny input like "1e5000000" would otherwise force Ruby to compute
+      # `10**exponent` (an enormous integer) before the value is clamped below,
+      # consuming disproportionate CPU and memory. When the exponent's magnitude
+      # is far outside the range a finite double can represent, we saturate or
+      # underflow without performing the exponentiation.
+      if i == 0 && f == 0
+        # The mantissa is zero, so the value is zero regardless of the exponent.
+        value = s * 0.0
+
+      elsif exponent - d > Float::MAX_10_EXP + 1
+        # The value is larger than `Float::MAX` and would be clamped anyway.
+        value = s * Float::MAX
+
+      elsif exponent + matches[:integer].length < -325
+        # The value is smaller than the smallest representable double and would
+        # round to zero. (-325 is one less than the smallest subnormal base-10
+        # exponent of roughly -324; `matches[:integer].length` is an upper bound
+        # on the mantissa's magnitude, ensuring we never zero a representable
+        # value.)
+        value = s * 0.0
+
+      else
+        # I know this formula looks nutty, but it's exactly what's defined in
+        # the spec, and it works.
+        value = s * (i + f * 10**-d) * 10**exponent
+
+        # Maximum and minimum values aren't defined in the spec, but are
+        # enforced here for sanity.
+        if value > Float::MAX
+          value = Float::MAX
+        elsif value < -Float::MAX
+          value = -Float::MAX
+        end
+      end
+
+      value
     end
 
     # Creates and returns a new token with the given _properties_.
@@ -604,7 +650,7 @@ module Crass
 
     # Preprocesses _input_ to prepare it for the tokenizer.
     #
-    # 3.3. http://dev.w3.org/csswg/css-syntax/#input-preprocessing
+    # 3.3. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#input-preprocessing
     def preprocess(input)
       input = input.to_s.encode('UTF-8',
         :invalid => :replace,
@@ -619,7 +665,7 @@ module Crass
     # identifier. If _text_ is `nil`, the current and next two characters in the
     # input stream will be checked, but will not be consumed.
     #
-    # 4.3.10. http://dev.w3.org/csswg/css-syntax/#would-start-an-identifier
+    # 4.3.10. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#would-start-an-identifier
     def start_identifier?(text = nil)
       text = @s.current + @s.peek(2) if text.nil?
 
@@ -643,7 +689,7 @@ module Crass
     # If _text_ is `nil`, the current and next two characters in the input
     # stream will be checked, but will not be consumed.
     #
-    # 4.3.11. http://dev.w3.org/csswg/css-syntax/#starts-with-a-number
+    # 4.3.11. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#starts-with-a-number
     def start_number?(text = nil)
       text = @s.current + @s.peek(2) if text.nil?
 
@@ -679,7 +725,7 @@ module Crass
     # valid escape sequence. If _text_ is `nil`, the current and next character
     # in the input stream will be checked, but will not be consumed.
     #
-    # 4.3.9. http://dev.w3.org/csswg/css-syntax/#starts-with-a-valid-escape
+    # 4.3.9. https://www.w3.org/TR/2013/WD-css-syntax-3-20130919/#starts-with-a-valid-escape
     def valid_escape?(text = nil)
       text = @s.current + @s.peek if text.nil?
       !!(text[0] == '\\' && text[1] != "\n")

data/lib/crass/version.rb

@@ -1,5 +1,5 @@
 # encoding: utf-8
 
 module Crass
-  VERSION = '1.0.5'
+  VERSION = '1.0.7'
 end

data/lib/crass.rb

@@ -6,7 +6,19 @@ module Crass
 
   # Parses _input_ as a CSS stylesheet and returns a parse tree.
   #
-  # See {Tokenizer#initialize} for _options_.
+  # Options:
+  #
+  #   * **:maximum_depth** - Maximum nesting depth for simple blocks and
+  #     functions. Constructs nested more deeply than this are discarded to
+  #     prevent stack exhaustion. Defaults to {Parser::DEFAULT_MAXIMUM_DEPTH}.
+  #
+  #   * **:preserve_comments** - If `true`, comments will be preserved as
+  #     `:comment` tokens.
+  #
+  #   * **:preserve_hacks** - If `true`, certain non-standard browser hacks
+  #     such as the IE "*" hack will be preserved even though they violate
+  #     CSS 3 syntax rules.
+  #
   def self.parse(input, options = {})
     Parser.parse_stylesheet(input, options)
   end
@@ -14,7 +26,7 @@ module Crass
   # Parses _input_ as a string of CSS properties (such as the contents of an
   # HTML element's `style` attribute) and returns a parse tree.
   #
-  # See {Tokenizer#initialize} for _options_.
+  # See {Crass.parse} for _options_.
   def self.parse_properties(input, options = {})
     Parser.parse_properties(input, options)
   end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: crass
 version: !ruby/object:Gem::Version
-  version: 1.0.5
+  version: 1.0.7
 platform: ruby
 authors:
 - Ryan Grove
-autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-10-16 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -16,28 +15,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 5.0.8
+        version: 6.0.6
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 5.0.8
+        version: 6.0.6
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 10.1.0
+        version: 13.4.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 10.1.0
+        version: 13.4.2
 description: Crass is a pure Ruby CSS parser based on the CSS Syntax Level 3 spec.
 email:
 - ryan@wonko.com
@@ -45,8 +44,8 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/tests.yml"
 - ".gitignore"
-- ".travis.yml"
 - ".yardopts"
 - Gemfile
 - HISTORY.md
@@ -63,8 +62,12 @@ files:
 homepage: https://github.com/rgrove/crass/
 licenses:
 - MIT
-metadata: {}
-post_install_message: 
+metadata:
+  bug_tracker_uri: https://github.com/rgrove/crass/issues
+  changelog_uri: https://github.com/rgrove/crass/blob/v1.0.7/HISTORY.md
+  documentation_uri: https://www.rubydoc.info/gems/crass/1.0.7
+  rubygems_mfa_required: 'true'
+  source_code_uri: https://github.com/rgrove/crass/tree/v1.0.7
 rdoc_options: []
 require_paths:
 - lib
@@ -79,8 +82,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 4.0.10
 specification_version: 4
 summary: CSS parser based on the CSS Syntax Level 3 spec.
 test_files: []

data/.travis.yml

@@ -1,11 +0,0 @@
-language: ruby
-rvm:
-  - 2.3
-  - 2.4
-  - 2.5
-  - 2.6
-  - ruby-head
-
-matrix:
-  allow_failures:
-    - rvm: ruby-head