launchdarkly-server-sdk 5.5.10 → 5.5.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4654883a34c33e3686208e1fcc39735dfeba6ff0
-  data.tar.gz: 1505d1d14350682ad94dec6bb11175c974106a4a
+  metadata.gz: 3726dd61c5d5366f734b12e9803ea528ec03ccb9
+  data.tar.gz: ea169915fd5092048cae20bc45494ba8a6a18d82
 SHA512:
-  metadata.gz: 62e5c2d13534436571a760da5c07c612dfdc6e07758a562047e27d27eb46ff4b4d656533206b9cc5e2722c0b1d9ca476c83178eecbe0629b616b5130a2f74259
-  data.tar.gz: 27fdd6fee0e77a54b6a9d7b916544f9f9f899263ba7c60c5037dc3e3691e41ea36f905040cf508c2454f9fbf3d723e450851ab658e99234c03cc7b26da1a5ae9
+  metadata.gz: 26cfea25eced467021ecfab5b76390a35ef3d5a3b3fbccc7322e427f452c1e7d13e1fd22abe15bb940b4a9e01dd7a38123e5a9b2ddc41b9a1ec97447986590bc
+  data.tar.gz: d0c2420bda1218e2785f9c54ab134c4ee870a1883d887f16160fa0af83fa662c9831c20c191c8f0692b9ed6353868052662675f2d3a0dc136a65df2f97b4d0f2

data/CHANGELOG.md

@@ -2,10 +2,14 @@
 
 All notable changes to the LaunchDarkly Ruby SDK will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org).
 
-## [5.5.10] - 2019-07-24
+## [5.5.11] - 2019-07-24
 ### Fixed:
 - `FileDataSource` was using `YAML.load`, which has a known [security vulnerability](https://trailofbits.github.io/rubysec/yaml/index.html). This has been changed to use `YAML.safe_load`, which will refuse to parse any files that contain the `!` directives used in this type of attack. This issue does not affect any applications that do not use `FileDataSource` (which is meant for testing purposes, not production use). ([#139](https://github.com/launchdarkly/ruby-server-sdk/issues/139))
 
+
+## [5.5.10] - 2019-07-24
+This release was an error; it is identical to 5.5.9.
+
 ## [5.5.9] - 2019-07-23
 ### Fixed:
 - Due to the gem name no longer being the same as the `require` name, Bundler autoloading was no longer working in versions 5.5.7 and 5.5.8 of the SDK. This has been fixed. (Thanks, [tonyta](https://github.com/launchdarkly/ruby-server-sdk/pull/137)!)

data/lib/ldclient-rb/file_data_source.rb

@@ -21,9 +21,11 @@ module LaunchDarkly
   end
 
   #
-  # Provides a way to use local files as a source of feature flag state. This would typically be
-  # used in a test environment, to operate using a predetermined feature flag state without an
-  # actual LaunchDarkly connection.
+  # Provides a way to use local files as a source of feature flag state. This allows using a
+  # predetermined feature flag state without an actual LaunchDarkly connection.
+  #
+  # Reading flags from a file is only intended for pre-production environments. Production
+  # environments should always be configured to receive flag updates from LaunchDarkly.
   #
   # To use this component, call {FileDataSource#factory}, and store its return value in the
   # {Config#data_source} property of your LaunchDarkly client configuration. In the options
@@ -206,7 +208,7 @@ module LaunchDarkly
       # We can use the Ruby YAML parser for both YAML and JSON (JSON is a subset of YAML and while
       # not all YAML parsers handle it correctly, we have verified that the Ruby one does, at least
       # for all the samples of actual flag data that we've tested).
-      symbolize_all_keys(YAML.load(content))
+      symbolize_all_keys(YAML.safe_load(content))
     end
 
     def symbolize_all_keys(value)

data/lib/ldclient-rb/version.rb

@@ -1,3 +1,3 @@
 module LaunchDarkly
-  VERSION = "5.5.10"
+  VERSION = "5.5.11"
 end

data/spec/file_data_source_spec.rb

@@ -1,6 +1,14 @@
 require "spec_helper"
 require "tempfile"
 
+# see does not allow Ruby objects in YAML" for the purpose of the following two things
+$created_bad_class = false
+class BadClassWeShouldNotInstantiate < Hash
+  def []=(key, value)
+    $created_bad_class = true
+  end
+end
+
 describe LaunchDarkly::FileDataSource do
   let(:full_flag_1_key) { "flag1" }
   let(:full_flag_1_value) { "on" }
@@ -78,6 +86,12 @@ segments:
 EOF
   }
 
+  let(:unsafe_yaml) { <<-EOF
+--- !ruby/hash:BadClassWeShouldNotInstantiate
+foo: bar
+EOF
+  }
+
   let(:bad_file_path) { "no-such-file" }
 
   before do
@@ -138,6 +152,20 @@ EOF
     end
   end
 
+  it "does not allow Ruby objects in YAML" do
+    # This tests for the vulnerability described here: https://trailofbits.github.io/rubysec/yaml/index.html
+    # The file we're loading contains a hash with a custom Ruby class, BadClassWeShouldNotInstantiate (see top
+    # of file). If we're not loading in safe mode, it will create an instance of that class and call its []=
+    # method, which we've defined to set $created_bad_class to true. In safe mode, it refuses to parse this file.
+    file = make_temp_file(unsafe_yaml)
+    with_data_source({ paths: [file.path ] }) do |ds|
+      event = ds.start
+      expect(event.set?).to eq(true)
+      expect(ds.initialized?).to eq(false)
+      expect($created_bad_class).to eq(false)
+    end
+  end
+
   it "sets start event and initialized on successful load" do
     file = make_temp_file(all_properties_json)
     with_data_source({ paths: [ file.path ] }) do |ds|

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: launchdarkly-server-sdk
 version: !ruby/object:Gem::Version
-  version: 5.5.10
+  version: 5.5.11
 platform: ruby
 authors:
 - LaunchDarkly
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-07-24 00:00:00.000000000 Z
+date: 2019-07-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-dynamodb