faraday_middleware_safeyaml 0.12.pre.safeyaml

data/lib/faraday_middleware/response/parse_dates.rb

@@ -0,0 +1,39 @@
+require "time"
+require "faraday"
+
+module FaradayMiddleware
+  # Parse dates from response body
+  class ParseDates < ::Faraday::Response::Middleware
+    ISO_DATE_FORMAT = /\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|((\+|-)\d{2}:?\d{2}))\Z/m
+
+    def initialize(app, options = {})
+      @regexp = options[:match] || ISO_DATE_FORMAT
+      super(app)
+    end
+
+    def call(env)
+      response = @app.call(env)
+      parse_dates! response.env[:body]
+      response
+    end
+
+    private
+
+    def parse_dates!(value)
+      case value
+      when Hash
+        value.each do |key, element|
+          value[key] = parse_dates!(element)
+        end
+      when Array
+        value.each_with_index do |element, index|
+          value[index] = parse_dates!(element)
+        end
+      when @regexp
+        Time.parse(value)
+      else
+        value
+      end
+    end
+  end
+end

data/lib/faraday_middleware/response/parse_json.rb

@@ -0,0 +1,50 @@
+require 'faraday_middleware/response_middleware'
+
+module FaradayMiddleware
+  # Public: Parse response bodies as JSON.
+  class ParseJson < ResponseMiddleware
+    dependency do
+      require 'json' unless defined?(::JSON)
+    end
+
+    define_parser do |body|
+      ::JSON.parse body unless body.strip.empty?
+    end
+
+    # Public: Override the content-type of the response with "application/json"
+    # if the response body looks like it might be JSON, i.e. starts with an
+    # open bracket.
+    #
+    # This is to fix responses from certain API providers that insist on serving
+    # JSON with wrong MIME-types such as "text/javascript".
+    class MimeTypeFix < ResponseMiddleware
+      MIME_TYPE = 'application/json'.freeze
+
+      def process_response(env)
+        old_type = env[:response_headers][CONTENT_TYPE].to_s
+        new_type = MIME_TYPE.dup
+        new_type << ';' << old_type.split(';', 2).last if old_type.index(';')
+        env[:response_headers][CONTENT_TYPE] = new_type
+      end
+
+      BRACKETS = %w- [ { -
+      WHITESPACE = [ " ", "\n", "\r", "\t" ]
+
+      def parse_response?(env)
+        super and BRACKETS.include? first_char(env[:body])
+      end
+
+      def first_char(body)
+        idx = -1
+        begin
+          char = body[idx += 1]
+          char = char.chr if char
+        end while char and WHITESPACE.include? char
+        char
+      end
+    end
+  end
+end
+
+# deprecated alias
+Faraday::Response::ParseJson = FaradayMiddleware::ParseJson

data/lib/faraday_middleware/response/parse_marshal.rb

@@ -0,0 +1,13 @@
+require 'faraday_middleware/response_middleware'
+
+module FaradayMiddleware
+  # Public: Restore marshalled Ruby objects in response bodies.
+  class ParseMarshal < ResponseMiddleware
+    define_parser do |body|
+      ::Marshal.load body unless body.empty?
+    end
+  end
+end
+
+# deprecated alias
+Faraday::Response::ParseMarshal = FaradayMiddleware::ParseMarshal

data/lib/faraday_middleware/response/parse_xml.rb

@@ -0,0 +1,15 @@
+require 'faraday_middleware/response_middleware'
+
+module FaradayMiddleware
+  # Public: parses response bodies with MultiXml.
+  class ParseXml < ResponseMiddleware
+    dependency 'multi_xml'
+
+    define_parser do |body|
+      ::MultiXml.parse(body)
+    end
+  end
+end
+
+# deprecated alias
+Faraday::Response::ParseXml = FaradayMiddleware::ParseXml

data/lib/faraday_middleware/response/parse_yaml.rb

@@ -0,0 +1,38 @@
+require 'faraday_middleware/response_middleware'
+
+module FaradayMiddleware
+  # Public: Parse response bodies as YAML.
+  #
+  # Warning: This is not backwards compatible with versions of this middleware prior to
+  # faraday_middleware v0.12 - prior to this version, we used YAML.load rather than
+  # YAMl.safe_load, which exposes serious remote code execution risks - see
+  # https://github.com/ruby/psych/issues/119 for details. If you're sure you can trust
+  # YAML you're passing, you can set up an unsafe version of this middleware as follows:
+  #
+  #     class UnsafelyParseYaml < FaradayMiddleware::ResponseMiddleware
+  #       dependency do
+  #         require 'yaml'
+  #       end
+  #
+  #       define_parser do |body|
+  #         YAML.load body
+  #       end
+  #     end
+  #
+  #     Faraday.new(..) do |config|
+  #       config.use UnsafelyParseYaml
+  #       ...
+  #     end
+  class ParseYaml < ResponseMiddleware
+    dependency do
+      require 'safe_yaml/load'
+    end
+
+    define_parser do |body|
+      SafeYAML.load body
+    end
+  end
+end
+
+# deprecated alias
+Faraday::Response::ParseYaml = FaradayMiddleware::ParseYaml

data/lib/faraday_middleware/response/rashify.rb

@@ -0,0 +1,15 @@
+require 'faraday_middleware/response/mashify'
+
+module FaradayMiddleware
+  # Public: Converts parsed response bodies to a Hashie::Rash if they were of
+  # Hash or Array type.
+  class Rashify < Mashify
+    dependency do
+      require 'rash'
+      self.mash_class = ::Hashie::Rash
+    end
+  end
+end
+
+# deprecated alias
+Faraday::Response::Rashify = FaradayMiddleware::Rashify

data/lib/faraday_middleware/response_middleware.rb

@@ -0,0 +1,112 @@
+require 'faraday'
+
+module FaradayMiddleware
+  # Internal: The base class for middleware that parses responses.
+  class ResponseMiddleware < Faraday::Middleware
+    CONTENT_TYPE = 'Content-Type'.freeze
+
+    class << self
+      attr_accessor :parser
+    end
+
+    # Store a Proc that receives the body and returns the parsed result.
+    def self.define_parser(parser = nil)
+      @parser = parser || Proc.new
+    end
+
+    def self.inherited(subclass)
+      super
+      subclass.load_error = self.load_error if subclass.respond_to? :load_error=
+      subclass.parser = self.parser
+    end
+
+    def initialize(app = nil, options = {})
+      super(app)
+      @options = options
+      @content_types = Array(options[:content_type])
+    end
+
+    def call(environment)
+      @app.call(environment).on_complete do |env|
+        if process_response_type?(response_type(env)) and parse_response?(env)
+          process_response(env)
+        end
+      end
+    end
+
+    def process_response(env)
+      env[:raw_body] = env[:body] if preserve_raw?(env)
+      env[:body] = parse(env[:body])
+    rescue Faraday::Error::ParsingError => err
+      raise Faraday::Error::ParsingError.new(err, env[:response])
+    end
+
+    # Parse the response body.
+    #
+    # Instead of overriding this method, consider using `define_parser`.
+    def parse(body)
+      if self.class.parser
+        begin
+          self.class.parser.call(body)
+        rescue StandardError, SyntaxError => err
+          raise err if err.is_a? SyntaxError and err.class.name != 'Psych::SyntaxError'
+          raise Faraday::Error::ParsingError, err
+        end
+      else
+        body
+      end
+    end
+
+    def response_type(env)
+      type = env[:response_headers][CONTENT_TYPE].to_s
+      type = type.split(';', 2).first if type.index(';')
+      type
+    end
+
+    def process_response_type?(type)
+      @content_types.empty? or @content_types.any? { |pattern|
+        pattern.is_a?(Regexp) ? type =~ pattern : type == pattern
+      }
+    end
+
+    def parse_response?(env)
+      env[:body].respond_to? :to_str
+    end
+
+    def preserve_raw?(env)
+      env[:request].fetch(:preserve_raw, @options[:preserve_raw])
+    end
+  end
+
+  # DRAGONS
+  module OptionsExtension
+    attr_accessor :preserve_raw
+
+    def to_hash
+      super.update(:preserve_raw => preserve_raw)
+    end
+
+    def each
+      return to_enum(:each) unless block_given?
+      super
+      yield :preserve_raw, preserve_raw
+    end
+
+    def fetch(key, *args)
+      if :preserve_raw == key
+        value = __send__(key)
+        value.nil? ? args.fetch(0) : value
+      else
+        super
+      end
+    end
+  end
+
+  if defined?(Faraday::RequestOptions)
+    begin
+      Faraday::RequestOptions.from(:preserve_raw => true)
+    rescue NoMethodError
+      Faraday::RequestOptions.send(:include, OptionsExtension)
+    end
+  end
+end

data/lib/faraday_middleware/version.rb

@@ -0,0 +1,3 @@
+module FaradayMiddleware
+  VERSION = "0.12-safeyaml" unless defined?(FaradayMiddleware::VERSION)
+end

metadata

@@ -0,0 +1,105 @@
+--- !ruby/object:Gem::Specification
+name: faraday_middleware_safeyaml
+version: !ruby/object:Gem::Version
+  version: 0.12.pre.safeyaml
+platform: ruby
+authors:
+- Erik Michaels-Ober
+- Wynn Netherland
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-07-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.7.4
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.7.4
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: safe_yaml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- sferik@gmail.com
+- wynn.netherland@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE.md
+- README.md
+- lib/faraday_middleware.rb
+- lib/faraday_middleware/addressable_patch.rb
+- lib/faraday_middleware/backwards_compatibility.rb
+- lib/faraday_middleware/gzip.rb
+- lib/faraday_middleware/instrumentation.rb
+- lib/faraday_middleware/rack_compatible.rb
+- lib/faraday_middleware/request/encode_json.rb
+- lib/faraday_middleware/request/method_override.rb
+- lib/faraday_middleware/request/oauth.rb
+- lib/faraday_middleware/request/oauth2.rb
+- lib/faraday_middleware/response/caching.rb
+- lib/faraday_middleware/response/chunked.rb
+- lib/faraday_middleware/response/follow_redirects.rb
+- lib/faraday_middleware/response/mashify.rb
+- lib/faraday_middleware/response/parse_dates.rb
+- lib/faraday_middleware/response/parse_json.rb
+- lib/faraday_middleware/response/parse_marshal.rb
+- lib/faraday_middleware/response/parse_xml.rb
+- lib/faraday_middleware/response/parse_yaml.rb
+- lib/faraday_middleware/response/rashify.rb
+- lib/faraday_middleware/response_middleware.rb
+- lib/faraday_middleware/version.rb
+homepage: https://github.com/lostisland/faraday_middleware
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">"
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.2
+signing_key: 
+specification_version: 4
+summary: Various middleware for Faraday - forked to fix security issue (Waiting on
+  https://github.com/lostisland/faraday_middleware/pull/157)
+test_files: []