hash_parser 0.0.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 4b5e8eb3670d11b0061cae4ebc2bfd239dfa9836
+  data.tar.gz: afb5f547791bec5ae475772b9a90308214e8adec
+SHA512:
+  metadata.gz: '087ff07ce0d7a782b214eda070626f1f8d867deb46dab4573053c6d18d18d184f06e2578ca4d590d5b92bc98b8295732c382d4fc74c732cae33247c622252955'
+  data.tar.gz: 49b39ea2053ace60d3345d929782bacfd863006c993e32a64a192efdf5e921ea447eedcb4d6ad5f0dfb4c7c2ae444b4fdceaeb5a0be09e7b18060bfa8ebe1b87

data/History.txt

@@ -0,0 +1,5 @@
+=== 0.0.1 / 2017-03-29
+
+* Initial implementation
+
+The whitelist based implementation only loads the classes Psych::safe_load loads.

data/Manifest.txt

@@ -0,0 +1,6 @@
+History.txt
+Manifest.txt
+README.txt
+Rakefile
+lib/hash_parser.rb
+test/test_hash_parser.rb

data/README.txt

@@ -0,0 +1,74 @@
+= blah
+
+home  :: https://github.com/bibstha/ruby_hash_parser
+code  :: https://github.com/bibstha/ruby_hash_parser
+bugs  :: https://github.com/bibstha/ruby_hash_parser
+... etc ...
+
+== DESCRIPTION:
+
+Parses a hash string of the format `'{ :a => "something" }'` into an actual ruby hash object `{ a: "something" }`.
+This is useful when you by mistake serialize hashes and save it in database column or a text file and you want to
+convert them back to hashes without the security issues of executing `eval(hash_string)`.
+
+By default only following classes are allowed to be deserialized:
+
+* TrueClass
+* FalseClass
+* NilClass
+* Numeric
+* String
+* Array
+* Hash
+
+A HashParser::BadHash exception is thrown if unserializable values are present.
+
+== FEATURES/PROBLEMS:
+
+* Any potential security issues?
+
+== INSTALL:
+
+* Add to Gemfile: `gem 'hash_parser'`
+
+== DEVELOPERS:
+
+    require 'hash_parser'
+
+    # This successfully parses the hash
+    a = "{ :key_a => { :key_1a => 'value_1a', :key_2a => 'value_2a' },
+           :key_b => { :key_1b => 'value_1b' } }"
+    p HashParser.new.safe_load(a)
+
+    # This throws a HashParser::BadHash exception
+    a = "{ :key_a => system('ls') }"
+    p HashParser.new.safe_load(a)
+
+== TODO:
+
+* Allow objects of certain types to be deserialized
+
+== LICENSE:
+
+(The MIT License)
+
+Copyright (c) 2017 FIX
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,13 @@
+# -*- ruby -*-
+
+require 'hoe'
+
+Hoe.spec 'hash_parser' do
+  developer 'Bibek Shrestha', 'bibekshrestha@gmail.com'
+
+  license "MIT"
+
+  dependency "ruby_parser", "~> 3.8.4"
+end
+
+# vim: syntax=ruby

data/lib/hash_parser.rb

@@ -0,0 +1,30 @@
+require "ruby_parser"
+
+# Whiltelist based hash string parser
+class HashParser
+  VERSION = "0.0.2"
+
+  # a literal is strings, regex, numeric
+  # https://github.com/seattlerb/ruby_parser/blob/master/lib/ruby19_parser.y#L890
+  ALLOWED_CLASSES = [ :true, :false, :nil, :lit, :str, :array, :hash ].freeze
+
+  BadHash = Class.new(StandardError)
+
+  def safe_load(string)
+    raise BadHash, "#{ string } is a bad hash" unless safe?(string)
+    eval(string)
+  end
+
+  private
+
+  def safe?(string)
+    expression = RubyParser.new.parse(string)
+    return false unless expression.head == :hash # root has to be a hash
+
+    # can be optimized to do an ACTUAL_CLASSES - ALLOWED_CLASSES == []
+    expression.deep_each.all? do |child|
+      ALLOWED_CLASSES.include?(child.head)
+    end
+  end
+end
+

data/test/test_hash_parser.rb

@@ -0,0 +1,83 @@
+require "minitest/autorun"
+require "minitest/spec"
+require "minitest/pride"
+require "hash_parser"
+
+describe HashParser do
+  before do
+    @parser = HashParser.new
+  end
+
+  describe "#safe_load" do
+    it "fails if it is not a hash" do
+      strs =  ["[]", "Book.delete_all", "puts 'hello'", '"#{puts 123}"', "system('ls /')"]
+      strs.each do |bad_str|
+        assert_raises HashParser::BadHash, "#{ bad_str } should not be safe" do
+          @parser.safe_load(bad_str)
+        end
+      end
+    end
+
+    it "fails if there are more than one expression, it fails" do
+      strs = ["{ :a => 1 }; 'hello'", "{ :a => 1 }\n{ :b => 2 }"]
+      strs.each do |bad_str|
+        assert_raises HashParser::BadHash, "#{ bad_str } should not be safe" do
+          @parser.safe_load(bad_str)
+        end
+      end
+    end
+
+    it "Does not define or redefine any methods" do
+      str = '{ :a => refine(BadHash) { def safe?; "HAHAHA"; end } }'
+      assert_raises HashParser::BadHash, "#{ str } should not be safe" do
+        @parser.safe_load(str)
+      end
+
+      str = '{ :a => def HashParser.safe?; "HAHAHA"; end }'
+      assert_raises HashParser::BadHash, "#{ str } should not be safe" do
+        @parser.safe_load(str)
+      end
+    end
+
+    it "fails if it has assignment" do
+      strs = ['{ :a => (HashParser::TEST_CONSTANT = 1) }',
+              '{ :a => (hello_world = 1) }']
+      strs.each do |str|
+        assert_raises HashParser::BadHash, "#{ str } should not be safe" do
+          @parser.safe_load(str)
+        end
+      end
+    end
+
+    it "fails if a hash has a method call" do
+      strs = ["{ :a => 2 * 2 }",
+              "{ :a => SOME_CONST }",
+              "{ :a => system('ls /') }",
+              "{ :a => Book.delete_all }",
+              '{ :a => "#{500}" }',
+              '{ :a => "#{ Book.delete_all }" }',
+              '{ :a => refine(BadHash) { def safe?; "HAHAHA"; end } }',
+      ]
+      strs.each do |bad_str|
+        assert_raises HashParser::BadHash, "#{ bad_str } should not be safe" do
+          @parser.safe_load(bad_str)
+        end
+      end
+    end
+
+    it "passes for hashes" do
+      strs = ["{}", '{ "a" => "A" }', '{ :a => 123 }', '{ :a => true, :b => false, :c => true, "d" => nil }']
+      parsed = [{}, { "a" => "A" }, { a: 123 }, { a: true, b: false, c: true, "d" => nil }]
+      strs.each.with_index do |good_str, i|
+        assert_equal parsed[i], @parser.safe_load(good_str), "#{ good_str } should be safe"
+      end
+    end
+
+    it "passes for hashes with sub hashes" do
+      str = '{ :a => [1, 2, { "x" => "y" }] }'
+      parsed = { a: [1, 2, { "x" => "y" }] }
+      assert_equal parsed, @parser.safe_load(str)
+    end
+  end
+end
+

metadata

@@ -0,0 +1,113 @@
+--- !ruby/object:Gem::Specification
+name: hash_parser
+version: !ruby/object:Gem::Version
+  version: 0.0.2
+platform: ruby
+authors:
+- Bibek Shrestha
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-03-30 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: ruby_parser
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.8.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.8.4
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: hoe
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.16'
+description: |-
+  Parses a hash string of the format `'{ :a => "something" }'` into an actual ruby hash object `{ a: "something" }`.
+  This is useful when you by mistake serialize hashes and save it in database column or a text file and you want to
+  convert them back to hashes without the security issues of executing `eval(hash_string)`.
+
+  By default only following classes are allowed to be deserialized:
+
+  * TrueClass
+  * FalseClass
+  * NilClass
+  * Numeric
+  * String
+  * Array
+  * Hash
+
+  A HashParser::BadHash exception is thrown if unserializable values are present.
+email:
+- bibekshrestha@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files:
+- History.txt
+- Manifest.txt
+- README.txt
+files:
+- History.txt
+- Manifest.txt
+- README.txt
+- Rakefile
+- lib/hash_parser.rb
+- test/test_hash_parser.rb
+homepage: https://github.com/bibstha/ruby_hash_parser
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options:
+- "--main"
+- README.txt
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.10
+signing_key: 
+specification_version: 4
+summary: 'Parses a hash string of the format `''{ :a => "something" }''` into an actual
+  ruby hash object `{ a: "something" }`'
+test_files: []