RubyGems - dbmlite3 - Versions diffs - 1.0.a5 → 1.0.a6 - Mend

dbmlite3 1.0.a5 → 1.0.a6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7697155e6f50eba81b90d74a4fbf18e8fbcbf0d5058f809a88937a13e4e0f16d
-  data.tar.gz: 9bb6679468e6d9c60df4dc5f0e90a43babc3a910bdb0145d8663d9664ab542f4
+  metadata.gz: d12b628f0823e2d5fd82cc4c42de1065bff042fda9939307e407e2cf68145b27
+  data.tar.gz: 33e48ca6b0d79e1ba34094c75ae4dfb372fe6b04c8d8222ee19d74f63e4032d9
 SHA512:
-  metadata.gz: a9b0750ce7d670c1103ed74da2293d60589b61adcf81fcd3ea26c351e3e5a6810b42c4e8c1d26cafc9abcb6f96b8074f545f0bdbe129e7d0e97fb8a75f2155e3
-  data.tar.gz: 7aac44f9d3ca015220dc46525b58b1338e71e7873956b5f2a1feb99bfd118ad46b3e28e4134c75234a37e7f58fb6d3ffb6d8d936c6db868b4eb68efd3f5d918a
+  metadata.gz: cd7627ee298e9d15bcf01ac49cb386c46a3b7dead470e51719a10aab739b56727dba49c041410bac01add87abf57f9df4468373b4ebeb560bdd5b6b2f092ff17
+  data.tar.gz: 9e94a03983764ae51034d9092ca2a3ea285f3d8a28fc0e999c59edfa901da77aabdba169601fc8001841c632d95b2fd6ff726bee75159c4c1844c6c22dee1c35

data/README.md CHANGED Viewed

@@ -102,6 +102,15 @@ If you need to do a large number of accesses in a short amount of
 time (e.g. loading data from a file), it is significantly faster to
 do these in batches in one or more transactions.
+### Serialization Safety
+`Lite3::DBM` stores Ruby data by first serializing values using the
+`Marshal` or `Psych` modules.  This can pose a security risk if an
+untrusted third party has direct access to the underlying SQLite3
+database.  This tends to be pretty rare for most use-cases but if it
+is a concern, you can always configure `Lite3::DBM` to store its
+values as plain strings.
 ### Forking safely
 It is a documented limitation of SQLite3 that database objects

data/dbmlite3.gemspec CHANGED Viewed

@@ -3,7 +3,7 @@
 Gem::Specification.new do |s|
   s.name        = 'dbmlite3'
-  s.version     = '1.0.a5'
+  s.version     = '1.0.a6'
   s.date        = '2022-02-21'
   s.summary     = "A DBM-style key-value store using SQLite3"
   s.description = <<-EOF
@@ -26,7 +26,7 @@ EOF
                   Dir.glob('doc/**/*') +
                   Dir.glob('{spec,lib}/*.rb')
-  s.required_ruby_version = '>= 2.7.0'
+  s.required_ruby_version = '>= 2.2.0'
   s.requirements << "sqlite3, the usual devtools"
   s.add_runtime_dependency "sqlite3", '~> 1.4'

data/doc/Lite3/DBM.html CHANGED Viewed

@@ -144,9 +144,15 @@ string.  you will need to do this instead:</p>
 <p>Unlike DBM, values may (optionally) be any serializable Ruby type.</p>
 <p>You can select the serialization method with an optional third
-constructor argument.  Options are <code>YAML</code> (the default), <code>Marshal</code>
-or simple string conversion with <code>to_s</code>.  Each of these methods will
-have their own pros and cons.</p>
+constructor argument.  Options are YAML (the default), <code>Marshal</code>
+or simple string conversion with <code>to_s</code>.  Each of these methods
+will have their own pros and cons.</p>
+<p><strong>WARNING:</strong> Both YAML and Marshal serialization have the usual
+security caveats as described in the documentation for <code>Marshal</code>
+and <code>Psych</code>.  If you are going to let an untrusted entity modify
+the database, you should not use these methods and instead stick
+to string conversion.</p>
 <p>The table name must be a valid name identifier (i.e. matches
 /^[a-zA-Z_]\w*$/).</p>
@@ -912,16 +918,17 @@ serialization method for converting Ruby values into storable
 strings.  There are three options:</p>
 <ul>
-<li><code>:yaml</code> uses the <code>YAML</code> module.</li>
+<li><code>:yaml</code> uses the <code>Psych</code> module.</li>
 <li><code>:marshal</code> uses the <code>Marshal</code> module.</li>
 <li><code>:string</code> simply uses the default <code>to_s</code> method, just like the
 stock <code>DBM</code>.</li>
 </ul>
 <p>Each of these will have their pros and cons.  The default is
-<code>:yaml</code> because that is the most portable across Ruby versions.
-<code>:marshal</code> tends to be faster but is not stable across Ruby
-versions.  Note that <code>DBM</code> does not check your Marshal version.</p>
+<code>:yaml</code> because that is the most portable.  <code>:marshal</code> tends to
+be faster but is incompatible across minor Ruby versions.</p>
+<p>(Note that <code>DBM</code> does not check your Marshal version.)</p>
 <p>Your serializer choice is registered in a metadata table when
 <code>tablename</code> is created in the SQLite3 file.  Afterward, it is an
@@ -940,13 +947,6 @@ and will result in a Lite3::Error exception.</p>
       <pre class="lines">
-409
-410
-411
-412
-413
-414
-415
 416
 417
 418
@@ -960,10 +960,17 @@ and will result in a Lite3::Error exception.</p>
 426
 427
 428
-429</pre>
+429
+430
+431
+432
+433
+434
+435
+436</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 409</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 416</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_initialize'>initialize</span><span class='lparen'>(</span><span class='id identifier rubyid_filename'>filename</span><span class='comma'>,</span> <span class='id identifier rubyid_tablename'>tablename</span><span class='comma'>,</span> <span class='id identifier rubyid_serializer'>serializer</span> <span class='op'>=</span> <span class='symbol'>:yaml</span><span class='rparen'>)</span>
   <span class='ivar'>@filename</span> <span class='op'>=</span> <span class='id identifier rubyid_filename'>filename</span>
@@ -1025,19 +1032,19 @@ This is analagous to <code>File.open</code>.</p>
       <pre class="lines">
-435
-436
-437
-438
-439
-440
-441
 442
 443
-444</pre>
+444
+445
+446
+447
+448
+449
+450
+451</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 435</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 442</span>
 <span class='kw'>def</span> <span class='kw'>self</span><span class='period'>.</span><span class='id identifier rubyid_open'>open</span><span class='lparen'>(</span><span class='id identifier rubyid_filename'>filename</span><span class='comma'>,</span> <span class='id identifier rubyid_tablename'>tablename</span><span class='comma'>,</span> <span class='id identifier rubyid_serializer'>serializer</span> <span class='op'>=</span> <span class='symbol'>:yaml</span><span class='comma'>,</span> <span class='op'>&amp;</span><span class='id identifier rubyid_block'>block</span><span class='rparen'>)</span>
   <span class='id identifier rubyid_instance'>instance</span> <span class='op'>=</span> <span class='kw'>self</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='id identifier rubyid_filename'>filename</span><span class='comma'>,</span> <span class='id identifier rubyid_tablename'>tablename</span><span class='comma'>,</span> <span class='id identifier rubyid_serializer'>serializer</span><span class='rparen'>)</span>
@@ -1086,12 +1093,12 @@ nil if it is not present.</p>
       <pre class="lines">
-644
-645
-646</pre>
+662
+663
+664</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 644</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 662</span>
 <span class='kw'>def</span> <span class='op'>[]</span><span class='lparen'>(</span><span class='id identifier rubyid_key'>key</span><span class='rparen'>)</span>
   <span class='kw'>return</span> <span class='id identifier rubyid_fetch'>fetch</span><span class='lparen'>(</span><span class='id identifier rubyid_key'>key</span><span class='comma'>,</span> <span class='kw'>nil</span><span class='rparen'>)</span>
@@ -1135,24 +1142,6 @@ serialization method you have chosen.</p>
       <pre class="lines">
-597
-598
-599
-600
-601
-602
-603
-604
-605
-606
-607
-608
-609
-610
-611
-612
-613
-614
 615
 616
 617
@@ -1177,17 +1166,35 @@ serialization method you have chosen.</p>
 636
 637
 638
-639</pre>
+639
+640
+641
+642
+643
+644
+645
+646
+647
+648
+649
+650
+651
+652
+653
+654
+655
+656
+657</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 597</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 615</span>
 <span class='kw'>def</span> <span class='op'>[]=</span><span class='lparen'>(</span><span class='id identifier rubyid_key'>key</span><span class='comma'>,</span> <span class='id identifier rubyid_value'>value</span><span class='rparen'>)</span>
   <span class='id identifier rubyid_key'>key</span> <span class='op'>=</span> <span class='id identifier rubyid_check_key'>check_key</span><span class='lparen'>(</span><span class='id identifier rubyid_key'>key</span><span class='rparen'>)</span>
   <span class='id identifier rubyid_valstr'>valstr</span> <span class='op'>=</span> <span class='const'>SQLite3</span><span class='op'>::</span><span class='const'>Blob</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span> <span class='ivar'>@valenc</span><span class='period'>.</span><span class='id identifier rubyid_call'>call</span><span class='lparen'>(</span><span class='id identifier rubyid_value'>value</span><span class='rparen'>)</span> <span class='rparen'>)</span>
   <span class='comment'># At one point, this operation was done with SQLite3&#39;s UPSERT:
-</span>  <span class='comment'>#
+</span>  <span class='comment'>#
 </span>  <span class='comment'>#     insert into #{actual_tbl} (key, value) values (?,?)
 </span>  <span class='comment'>#         on conflict(key) do update set value = ?;
 </span>  <span class='comment'>#
@@ -1198,7 +1205,7 @@ serialization method you have chosen.</p>
 </span>  <span class='comment'>#
 </span>  <span class='comment'># The venerable `insert or replace` feature **almost** does what
 </span>  <span class='comment'># I want:
-</span>  <span class='comment'>#
+</span>  <span class='comment'>#
 </span>  <span class='comment'>#   insert or replace into #{actual_tbl} (key, value) values (?, ?);
 </span>  <span class='comment'>#
 </span>  <span class='comment'># The one problem is that it changes the order of the rows,
@@ -1255,12 +1262,12 @@ serialization method you have chosen.</p>
       <pre class="lines">
-728
-729
-730</pre>
+746
+747
+748</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 728</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 746</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_clear'>clear</span>
   <span class='id identifier rubyid_transaction'>transaction</span> <span class='lbrace'>{</span> <span class='ivar'>@handle</span><span class='period'>.</span><span class='id identifier rubyid_sql'>sql</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>delete from </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_actual_tbl'>actual_tbl</span><span class='embexpr_end'>}</span><span class='tstring_content'>;</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='lbracket'>[</span><span class='rbracket'>]</span><span class='rparen'>)</span> <span class='rbrace'>}</span>
@@ -1300,13 +1307,13 @@ no other <code>DBM</code> objects using that file.</p>
       <pre class="lines">
-532
-533
-534
-535</pre>
+550
+551
+552
+553</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 532</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 550</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_close'>close</span>
   <span class='ivar'>@handle</span><span class='period'>.</span><span class='id identifier rubyid_delref'>delref</span><span class='lparen'>(</span><span class='kw'>self</span><span class='rparen'>)</span>
@@ -1356,12 +1363,12 @@ closed <code>DBM</code>.</p>
       <pre class="lines">
-539
-540
-541</pre>
+557
+558
+559</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 539</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 557</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_closed?'>closed?</span><span class='lparen'>(</span><span class='rparen'>)</span>
   <span class='kw'>return</span> <span class='ivar'>@handle</span><span class='period'>.</span><span class='id identifier rubyid_is_a?'>is_a?</span> <span class='const'>ClosedHandle</span>
@@ -1397,14 +1404,14 @@ not present, does nothing.</p>
       <pre class="lines">
-817
-818
-819
-820
-821</pre>
+835
+836
+837
+838
+839</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 817</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 835</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_delete'>delete</span><span class='lparen'>(</span><span class='id identifier rubyid_key'>key</span><span class='rparen'>)</span>
   <span class='id identifier rubyid_transaction'>transaction</span> <span class='lbrace'>{</span>
@@ -1463,14 +1470,14 @@ each entry for which the block returns true.</p>
       <pre class="lines">
-827
-828
-829
-830
-831</pre>
+845
+846
+847
+848
+849</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 827</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 845</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_delete_if'>delete_if</span><span class='lparen'>(</span><span class='op'>&amp;</span><span class='id identifier rubyid_block'>block</span><span class='rparen'>)</span>
   <span class='id identifier rubyid_transaction'>transaction</span> <span class='lbrace'>{</span>
@@ -1535,14 +1542,14 @@ own transaction.</p>
       <pre class="lines">
-742
-743
-744
-745
-746</pre>
+760
+761
+762
+763
+764</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 742</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 760</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_each'>each</span><span class='lparen'>(</span><span class='op'>&amp;</span><span class='id identifier rubyid_block'>block</span><span class='rparen'>)</span>
   <span class='kw'>return</span> <span class='kw'>self</span><span class='period'>.</span><span class='id identifier rubyid_to_enum'>to_enum</span><span class='lparen'>(</span><span class='symbol'>:nt_each</span><span class='rparen'>)</span> <span class='kw'>unless</span> <span class='id identifier rubyid_block'>block</span>
@@ -1597,13 +1604,13 @@ own transaction.</p>
       <pre class="lines">
-792
-793
-794
-795</pre>
+810
+811
+812
+813</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 792</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 810</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_each_key'>each_key</span><span class='lparen'>(</span><span class='op'>&amp;</span><span class='id identifier rubyid_block'>block</span><span class='rparen'>)</span>
   <span class='kw'>return</span> <span class='const'>Enumerator</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lbrace'>{</span><span class='op'>|</span><span class='id identifier rubyid_y'>y</span><span class='op'>|</span> <span class='id identifier rubyid_nt_each'>nt_each</span><span class='lbrace'>{</span> <span class='op'>|</span><span class='id identifier rubyid_k'>k</span><span class='comma'>,</span><span class='id identifier rubyid_v'>v</span><span class='op'>|</span> <span class='id identifier rubyid_y'>y</span> <span class='op'>&lt;&lt;</span> <span class='id identifier rubyid_k'>k</span>  <span class='rbrace'>}</span> <span class='rbrace'>}</span> <span class='kw'>unless</span> <span class='id identifier rubyid_block'>block</span>
@@ -1657,13 +1664,13 @@ own transaction.</p>
       <pre class="lines">
-801
-802
-803
-804</pre>
+819
+820
+821
+822</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 801</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 819</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_each_value'>each_value</span><span class='lparen'>(</span><span class='op'>&amp;</span><span class='id identifier rubyid_block'>block</span><span class='rparen'>)</span>
   <span class='kw'>return</span> <span class='const'>Enumerator</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lbrace'>{</span><span class='op'>|</span><span class='id identifier rubyid_y'>y</span><span class='op'>|</span> <span class='id identifier rubyid_nt_each'>nt_each</span><span class='lbrace'>{</span> <span class='op'>|</span><span class='id identifier rubyid_k'>k</span><span class='comma'>,</span><span class='id identifier rubyid_v'>v</span><span class='op'>|</span> <span class='id identifier rubyid_y'>y</span> <span class='op'>&lt;&lt;</span> <span class='id identifier rubyid_v'>v</span>  <span class='rbrace'>}</span> <span class='rbrace'>}</span> <span class='kw'>unless</span> <span class='id identifier rubyid_block'>block</span>
@@ -1712,12 +1719,12 @@ own transaction.</p>
       <pre class="lines">
-844
-845
-846</pre>
+862
+863
+864</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 844</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 862</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_empty?'>empty?</span>
   <span class='kw'>return</span> <span class='id identifier rubyid_size'>size</span> <span class='op'>==</span> <span class='int'>0</span>
@@ -1793,24 +1800,6 @@ exception.</p>
       <pre class="lines">
-662
-663
-664
-665
-666
-667
-668
-669
-670
-671
-672
-673
-674
-675
-676
-677
-678
-679
 680
 681
 682
@@ -1819,10 +1808,28 @@ exception.</p>
 685
 686
 687
-688</pre>
+688
+689
+690
+691
+692
+693
+694
+695
+696
+697
+698
+699
+700
+701
+702
+703
+704
+705
+706</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 662</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 680</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_fetch'>fetch</span><span class='lparen'>(</span><span class='id identifier rubyid_key'>key</span><span class='comma'>,</span> <span class='op'>*</span><span class='id identifier rubyid_args'>args</span><span class='comma'>,</span> <span class='op'>&amp;</span><span class='id identifier rubyid_default_block'>default_block</span><span class='rparen'>)</span>
@@ -1898,12 +1905,12 @@ to help with unit tests.</p>
       <pre class="lines">
-548
-549
-550</pre>
+566
+567
+568</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 548</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 566</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_handle_closed?'>handle_closed?</span>
   <span class='kw'>return</span> <span class='ivar'>@handle</span><span class='period'>.</span><span class='id identifier rubyid_closed?'>closed?</span>
@@ -1956,14 +1963,14 @@ to help with unit tests.</p>
       <pre class="lines">
-718
-719
-720
-721
-722</pre>
+736
+737
+738
+739
+740</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 718</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 736</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_has_key?'>has_key?</span><span class='lparen'>(</span><span class='id identifier rubyid_key'>key</span><span class='rparen'>)</span>
   <span class='kw'>return</span> <span class='kw'>false</span> <span class='kw'>unless</span> <span class='id identifier rubyid_key'>key</span><span class='period'>.</span><span class='id identifier rubyid_class'>class</span> <span class='op'>==</span> <span class='const'>String</span> <span class='op'>||</span> <span class='id identifier rubyid_key'>key</span><span class='period'>.</span><span class='id identifier rubyid_class'>class</span> <span class='op'>==</span> <span class='const'>Symbol</span>
@@ -2019,13 +2026,13 @@ to help with unit tests.</p>
       <pre class="lines">
-887
-888
-889
-890</pre>
+905
+906
+907
+908</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 887</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 905</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_has_value?'>has_value?</span><span class='lparen'>(</span><span class='id identifier rubyid_val'>val</span><span class='rparen'>)</span>
   <span class='kw'>self</span><span class='period'>.</span><span class='id identifier rubyid_each'>each</span><span class='lbrace'>{</span><span class='op'>|</span><span class='id identifier rubyid_k'>k</span><span class='comma'>,</span><span class='id identifier rubyid_v'>v</span><span class='op'>|</span> <span class='kw'>return</span> <span class='kw'>true</span> <span class='kw'>if</span> <span class='id identifier rubyid_v'>v</span> <span class='op'>==</span> <span class='id identifier rubyid_val'>val</span><span class='rbrace'>}</span>
@@ -2066,14 +2073,14 @@ program.</p>
       <pre class="lines">
-899
-900
-901
-902
-903</pre>
+917
+918
+919
+920
+921</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 899</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 917</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_invert'>invert</span>
   <span class='id identifier rubyid_result'>result</span> <span class='op'>=</span> <span class='lbrace'>{</span><span class='rbrace'>}</span>
@@ -2113,14 +2120,14 @@ that the result could exceed available memory.</p>
       <pre class="lines">
-700
-701
-702
-703
-704</pre>
+718
+719
+720
+721
+722</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 700</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 718</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_keys'>keys</span>
   <span class='id identifier rubyid_keys'>keys</span> <span class='op'>=</span> <span class='lbracket'>[</span><span class='rbracket'>]</span>
@@ -2159,19 +2166,19 @@ as determined by SQLite3.</p>
       <pre class="lines">
-908
-909
-910
-911
-912
-913
-914
-915
-916
-917</pre>
+926
+927
+928
+929
+930
+931
+932
+933
+934
+935</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 908</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 926</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_shift'>shift</span>
   <span class='id identifier rubyid_transaction'>transaction</span> <span class='lbrace'>{</span>
@@ -2217,15 +2224,15 @@ as determined by SQLite3.</p>
       <pre class="lines">
-835
-836
-837
-838
-839
-840</pre>
+853
+854
+855
+856
+857
+858</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 835</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 853</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_size'>size</span>
   <span class='ivar'>@handle</span><span class='period'>.</span><span class='id identifier rubyid_sql'>sql</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>select count(*) from </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_actual_tbl'>actual_tbl</span><span class='embexpr_end'>}</span><span class='tstring_content'>;</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='lbracket'>[</span><span class='rbracket'>]</span><span class='rparen'>)</span> <span class='lbrace'>{</span> <span class='op'>|</span><span class='id identifier rubyid_row'>row</span><span class='op'>|</span>
@@ -2268,14 +2275,14 @@ program.</p>
       <pre class="lines">
-872
-873
-874
-875
-876</pre>
+890
+891
+892
+893
+894</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 872</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 890</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_to_a'>to_a</span>
   <span class='id identifier rubyid_result'>result</span> <span class='op'>=</span> <span class='lbracket'>[</span><span class='rbracket'>]</span>
@@ -2316,14 +2323,14 @@ program.</p>
       <pre class="lines">
-859
-860
-861
-862
-863</pre>
+877
+878
+879
+880
+881</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 859</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 877</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_to_hash'>to_hash</span>
   <span class='id identifier rubyid_result'>result</span> <span class='op'>=</span> <span class='lbrace'>{</span><span class='rbrace'>}</span>
@@ -2354,14 +2361,14 @@ program.</p>
       <pre class="lines">
-519
-520
-521
-522
-523</pre>
+537
+538
+539
+540
+541</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 519</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 537</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_to_s'>to_s</span>
   <span class='id identifier rubyid_openstr'>openstr</span> <span class='op'>=</span> <span class='id identifier rubyid_closed?'>closed?</span> <span class='op'>?</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>CLOSED</span><span class='tstring_end'>&#39;</span></span> <span class='op'>:</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>OPEN</span><span class='tstring_end'>&#39;</span></span>
@@ -2429,12 +2436,12 @@ argument.</p>
       <pre class="lines">
-576
-577
-578</pre>
+594
+595
+596</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 576</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 594</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_transaction'>transaction</span><span class='lparen'>(</span><span class='op'>&amp;</span><span class='id identifier rubyid_block'>block</span><span class='rparen'>)</span>
   <span class='kw'>return</span> <span class='ivar'>@handle</span><span class='period'>.</span><span class='id identifier rubyid_transaction'>transaction</span> <span class='lbrace'>{</span> <span class='id identifier rubyid_block'>block</span><span class='period'>.</span><span class='id identifier rubyid_call'>call</span><span class='lparen'>(</span><span class='kw'>self</span><span class='rparen'>)</span> <span class='rbrace'>}</span>
@@ -2482,12 +2489,12 @@ argument.</p>
       <pre class="lines">
-581
-582
-583</pre>
+599
+600
+601</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 581</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 599</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_transaction_active?'>transaction_active?</span>
   <span class='kw'>return</span> <span class='ivar'>@handle</span><span class='period'>.</span><span class='id identifier rubyid_transaction_active?'>transaction_active?</span>
@@ -2524,14 +2531,14 @@ including <code>Hash</code> and <code>DBM</code> objects.</p>
       <pre class="lines">
-809
-810
-811
-812
-813</pre>
+827
+828
+829
+830
+831</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 809</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 827</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_update'>update</span><span class='lparen'>(</span><span class='id identifier rubyid_hash'>hash</span><span class='rparen'>)</span>
   <span class='id identifier rubyid_transaction'>transaction</span> <span class='lbrace'>{</span>
@@ -2571,14 +2578,14 @@ that the result could exceed available memory.</p>
       <pre class="lines">
-710
-711
-712
-713
-714</pre>
+728
+729
+730
+731
+732</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 710</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 728</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_values'>values</span>
   <span class='id identifier rubyid_values'>values</span> <span class='op'>=</span> <span class='lbracket'>[</span><span class='rbracket'>]</span>
@@ -2616,12 +2623,12 @@ given keys.</p>
       <pre class="lines">
-692
-693
-694</pre>
+710
+711
+712</pre>
     </td>
     <td>
-      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 692</span>
+      <pre class="code"><span class="info file"># File 'lib/dbmlite3.rb', line 710</span>
 <span class='kw'>def</span> <span class='id identifier rubyid_values_at'>values_at</span><span class='lparen'>(</span><span class='op'>*</span><span class='id identifier rubyid_keys'>keys</span><span class='rparen'>)</span>
   <span class='kw'>return</span> <span class='id identifier rubyid_keys'>keys</span><span class='period'>.</span><span class='id identifier rubyid_map'>map</span><span class='lbrace'>{</span><span class='op'>|</span><span class='id identifier rubyid_k'>k</span><span class='op'>|</span> <span class='kw'>self</span><span class='lbracket'>[</span><span class='id identifier rubyid_k'>k</span><span class='rbracket'>]</span><span class='rbrace'>}</span>
@@ -2636,7 +2643,7 @@ given keys.</p>
 </div>
       <div id="footer">
-  Generated on Sat Feb 26 11:47:57 2022 by
+  Generated on Sat Feb 26 14:54:02 2022 by
   <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.25 (ruby-2.7.0).
 </div>

data/doc/Lite3/Error.html CHANGED Viewed

@@ -125,7 +125,7 @@
 </div>
       <div id="footer">
-  Generated on Sat Feb 26 11:47:56 2022 by
+  Generated on Sat Feb 26 14:54:02 2022 by
   <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.25 (ruby-2.7.0).
 </div>

data/doc/Lite3/SQL.html CHANGED Viewed

@@ -380,7 +380,7 @@ thread safe.  Just a wrapper around <code>SQLite3.threadsafe?</code></p>
 </div>
       <div id="footer">
-  Generated on Sat Feb 26 11:47:56 2022 by
+  Generated on Sat Feb 26 14:54:02 2022 by
   <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.25 (ruby-2.7.0).
 </div>

data/doc/Lite3.html CHANGED Viewed

@@ -107,7 +107,7 @@
 </div>
       <div id="footer">
-  Generated on Sat Feb 26 11:47:56 2022 by
+  Generated on Sat Feb 26 14:54:02 2022 by
   <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.25 (ruby-2.7.0).
 </div>

data/doc/_index.html CHANGED Viewed

@@ -142,7 +142,7 @@
 </div>
       <div id="footer">
-  Generated on Sat Feb 26 11:47:56 2022 by
+  Generated on Sat Feb 26 14:54:02 2022 by
   <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.25 (ruby-2.7.0).
 </div>

data/doc/file.README.html CHANGED Viewed

@@ -163,6 +163,15 @@ only one program accesses the table at a time.</p>
 time (e.g. loading data from a file), it is significantly faster to
 do these in batches in one or more transactions.</p>
+<h3 id="serialization-safety">Serialization Safety</h3>
+<p><code>Lite3::DBM</code> stores Ruby data by first serializing values using the
+<code>Marshal</code> or <code>Psych</code> modules.  This can pose a security risk if an
+untrusted third party has direct access to the underlying SQLite3
+database.  This tends to be pretty rare for most use-cases but if it
+is a concern, you can always configure <code>Lite3::DBM</code> to store its
+values as plain strings.</p>
 <h3 id="forking-safely">Forking safely</h3>
 <p>It is a documented limitation of SQLite3 that database objects
@@ -193,7 +202,7 @@ make sense of them.</p>
 </div></div>
       <div id="footer">
-  Generated on Sat Feb 26 11:47:56 2022 by
+  Generated on Sat Feb 26 14:54:02 2022 by
   <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.25 (ruby-2.7.0).
 </div>

data/doc/index.html CHANGED Viewed

@@ -163,6 +163,15 @@ only one program accesses the table at a time.</p>
 time (e.g. loading data from a file), it is significantly faster to
 do these in batches in one or more transactions.</p>
+<h3 id="serialization-safety">Serialization Safety</h3>
+<p><code>Lite3::DBM</code> stores Ruby data by first serializing values using the
+<code>Marshal</code> or <code>Psych</code> modules.  This can pose a security risk if an
+untrusted third party has direct access to the underlying SQLite3
+database.  This tends to be pretty rare for most use-cases but if it
+is a concern, you can always configure <code>Lite3::DBM</code> to store its
+values as plain strings.</p>
 <h3 id="forking-safely">Forking safely</h3>
 <p>It is a documented limitation of SQLite3 that database objects
@@ -193,7 +202,7 @@ make sense of them.</p>
 </div></div>
       <div id="footer">
-  Generated on Sat Feb 26 11:47:56 2022 by
+  Generated on Sat Feb 26 14:54:02 2022 by
   <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.25 (ruby-2.7.0).
 </div>

data/doc/top-level-namespace.html CHANGED Viewed

@@ -100,7 +100,7 @@
 </div>
       <div id="footer">
-  Generated on Sat Feb 26 11:47:56 2022 by
+  Generated on Sat Feb 26 14:54:02 2022 by
   <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.25 (ruby-2.7.0).
 </div>

data/lib/dbmlite3.rb CHANGED Viewed

@@ -2,7 +2,7 @@
 gem "sqlite3", "~> 1.4"
 require 'sqlite3'
-require 'yaml'
+require 'psych'
 require 'set'
@@ -344,9 +344,15 @@ module Lite3
   # Unlike DBM, values may (optionally) be any serializable Ruby type.
   #
   # You can select the serialization method with an optional third
-  # constructor argument.  Options are `YAML` (the default), `Marshal`
-  # or simple string conversion with `to_s`.  Each of these methods will
-  # have their own pros and cons.
+  # constructor argument.  Options are YAML (the default), `Marshal`
+  # or simple string conversion with `to_s`.  Each of these methods
+  # will have their own pros and cons.
+  #
+  # **WARNING:** Both YAML and Marshal serialization have the usual
+  # security caveats as described in the documentation for `Marshal`
+  # and `Psych`.  If you are going to let an untrusted entity modify
+  # the database, you should not use these methods and instead stick
+  # to string conversion.
   #
   # The table name must be a valid name identifier (i.e. matches
   # /^[a-zA-Z_]\w*$/).
@@ -391,15 +397,16 @@ module Lite3
     # serialization method for converting Ruby values into storable
     # strings.  There are three options:
     #
-    # * `:yaml` uses the `YAML` module.
+    # * `:yaml` uses the `Psych` module.
     # * `:marshal` uses the `Marshal` module.
     # * `:string` simply uses the default `to_s` method, just like the
     #   stock `DBM`.
     #
     # Each of these will have their pros and cons.  The default is
-    # `:yaml` because that is the most portable across Ruby versions.
-    # `:marshal` tends to be faster but is not stable across Ruby
-    # versions.  Note that `DBM` does not check your Marshal version.
+    # `:yaml` because that is the most portable.  `:marshal` tends to
+    # be faster but is incompatible across minor Ruby versions.
+    #
+    # (Note that `DBM` does not check your Marshal version.)
     #
     # Your serializer choice is registered in a metadata table when
     # `tablename` is created in the SQLite3 file.  Afterward, it is an
@@ -450,8 +457,19 @@ module Lite3
     def value_encoders(serializer)
       case serializer
       when :yaml
-        enc = proc{ |val| YAML.dump(val) }
-        dec = proc{ |val| YAML.load(val) }
+        enc = proc{ |val| Psych.dump(val) }
+        # Psych (and module YAML) has gradually moved from defaulting
+        # from unsafe loading to safe loading. This is a pain for us
+        # because old versions don't provide `unsafe_load` as an alias
+        # to `load` and new versions default `load` to `safe_load`.
+        # So we have to do this thing to pick `unsafe_load` if it's
+        # available and `load` otherwise.
+        if Psych.respond_to? :unsafe_load
+          dec = proc{ |val| Psych.unsafe_load(val) }
+        else
+          dec = proc{ |val| Psych.load(val) }
+        end
       when :marshal
         enc = proc { |val| Marshal.dump(val) }
@@ -599,7 +617,7 @@ SQL
       valstr = SQLite3::Blob.new( @valenc.call(value) )
       # At one point, this operation was done with SQLite3's UPSERT:
-      #
+      #
       #     insert into #{actual_tbl} (key, value) values (?,?)
       #         on conflict(key) do update set value = ?;
       #
@@ -610,7 +628,7 @@ SQL
       #
       # The venerable `insert or replace` feature **almost** does what
       # I want:
-      #
+      #
       #   insert or replace into #{actual_tbl} (key, value) values (?, ?);
       #
       # The one problem is that it changes the order of the rows,

data/spec/dbmlite3_spec.rb CHANGED Viewed

@@ -132,7 +132,7 @@ Serializations = Set.new
       db["quux"] = 123
       db["foo"] = 88
       expect( db.keys ) .to eq %w{foo bar quux}
       expect( db.values ) .to eq [88, 99, 123]
@@ -957,15 +957,12 @@ describe Lite3::SQL do
     expect( db1.closed? ) .to be true
     expect( db1.to_s.class ) .to be String
-    # Everything else shoudl raise an error
+    # Everything else should raise an error
     expect{ db1["foo"] } .to raise_error Lite3::Error
     expect{ db1["foo"] = 42 } .to raise_error Lite3::Error
     expect{ db1.each{} } .to raise_error Lite3::Error
     expect{ db1.size } .to raise_error Lite3::Error
     expect{ db1.to_a } .to raise_error Lite3::Error
-    # Ensure we haven't accidentally overridded superclass methods.
-    expect( db1.object_id.class ) .to be Integer
   end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dbmlite3
 version: !ruby/object:Gem::Version
-  version: 1.0.a5
+  version: 1.0.a6
 platform: ruby
 authors:
 - Chris Reuter
@@ -116,7 +116,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.7.0
+      version: 2.2.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">"