launchdarkly-server-sdk 5.5.10 → 5.5.11
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -1
- data/lib/ldclient-rb/file_data_source.rb +6 -4
- data/lib/ldclient-rb/version.rb +1 -1
- data/spec/file_data_source_spec.rb +28 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3726dd61c5d5366f734b12e9803ea528ec03ccb9
|
|
4
|
+
data.tar.gz: ea169915fd5092048cae20bc45494ba8a6a18d82
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 26cfea25eced467021ecfab5b76390a35ef3d5a3b3fbccc7322e427f452c1e7d13e1fd22abe15bb940b4a9e01dd7a38123e5a9b2ddc41b9a1ec97447986590bc
|
|
7
|
+
data.tar.gz: d0c2420bda1218e2785f9c54ab134c4ee870a1883d887f16160fa0af83fa662c9831c20c191c8f0692b9ed6353868052662675f2d3a0dc136a65df2f97b4d0f2
|
data/CHANGELOG.md
CHANGED
|
@@ -2,10 +2,14 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes to the LaunchDarkly Ruby SDK will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org).
|
|
4
4
|
|
|
5
|
-
## [5.5.
|
|
5
|
+
## [5.5.11] - 2019-07-24
|
|
6
6
|
### Fixed:
|
|
7
7
|
- `FileDataSource` was using `YAML.load`, which has a known [security vulnerability](https://trailofbits.github.io/rubysec/yaml/index.html). This has been changed to use `YAML.safe_load`, which will refuse to parse any files that contain the `!` directives used in this type of attack. This issue does not affect any applications that do not use `FileDataSource` (which is meant for testing purposes, not production use). ([#139](https://github.com/launchdarkly/ruby-server-sdk/issues/139))
|
|
8
8
|
|
|
9
|
+
|
|
10
|
+
## [5.5.10] - 2019-07-24
|
|
11
|
+
This release was an error; it is identical to 5.5.9.
|
|
12
|
+
|
|
9
13
|
## [5.5.9] - 2019-07-23
|
|
10
14
|
### Fixed:
|
|
11
15
|
- Due to the gem name no longer being the same as the `require` name, Bundler autoloading was no longer working in versions 5.5.7 and 5.5.8 of the SDK. This has been fixed. (Thanks, [tonyta](https://github.com/launchdarkly/ruby-server-sdk/pull/137)!)
|
|
@@ -21,9 +21,11 @@ module LaunchDarkly
|
|
|
21
21
|
end
|
|
22
22
|
|
|
23
23
|
#
|
|
24
|
-
# Provides a way to use local files as a source of feature flag state. This
|
|
25
|
-
#
|
|
26
|
-
#
|
|
24
|
+
# Provides a way to use local files as a source of feature flag state. This allows using a
|
|
25
|
+
# predetermined feature flag state without an actual LaunchDarkly connection.
|
|
26
|
+
#
|
|
27
|
+
# Reading flags from a file is only intended for pre-production environments. Production
|
|
28
|
+
# environments should always be configured to receive flag updates from LaunchDarkly.
|
|
27
29
|
#
|
|
28
30
|
# To use this component, call {FileDataSource#factory}, and store its return value in the
|
|
29
31
|
# {Config#data_source} property of your LaunchDarkly client configuration. In the options
|
|
@@ -206,7 +208,7 @@ module LaunchDarkly
|
|
|
206
208
|
# We can use the Ruby YAML parser for both YAML and JSON (JSON is a subset of YAML and while
|
|
207
209
|
# not all YAML parsers handle it correctly, we have verified that the Ruby one does, at least
|
|
208
210
|
# for all the samples of actual flag data that we've tested).
|
|
209
|
-
symbolize_all_keys(YAML.
|
|
211
|
+
symbolize_all_keys(YAML.safe_load(content))
|
|
210
212
|
end
|
|
211
213
|
|
|
212
214
|
def symbolize_all_keys(value)
|
data/lib/ldclient-rb/version.rb
CHANGED
|
@@ -1,6 +1,14 @@
|
|
|
1
1
|
require "spec_helper"
|
|
2
2
|
require "tempfile"
|
|
3
3
|
|
|
4
|
+
# see does not allow Ruby objects in YAML" for the purpose of the following two things
|
|
5
|
+
$created_bad_class = false
|
|
6
|
+
class BadClassWeShouldNotInstantiate < Hash
|
|
7
|
+
def []=(key, value)
|
|
8
|
+
$created_bad_class = true
|
|
9
|
+
end
|
|
10
|
+
end
|
|
11
|
+
|
|
4
12
|
describe LaunchDarkly::FileDataSource do
|
|
5
13
|
let(:full_flag_1_key) { "flag1" }
|
|
6
14
|
let(:full_flag_1_value) { "on" }
|
|
@@ -78,6 +86,12 @@ segments:
|
|
|
78
86
|
EOF
|
|
79
87
|
}
|
|
80
88
|
|
|
89
|
+
let(:unsafe_yaml) { <<-EOF
|
|
90
|
+
--- !ruby/hash:BadClassWeShouldNotInstantiate
|
|
91
|
+
foo: bar
|
|
92
|
+
EOF
|
|
93
|
+
}
|
|
94
|
+
|
|
81
95
|
let(:bad_file_path) { "no-such-file" }
|
|
82
96
|
|
|
83
97
|
before do
|
|
@@ -138,6 +152,20 @@ EOF
|
|
|
138
152
|
end
|
|
139
153
|
end
|
|
140
154
|
|
|
155
|
+
it "does not allow Ruby objects in YAML" do
|
|
156
|
+
# This tests for the vulnerability described here: https://trailofbits.github.io/rubysec/yaml/index.html
|
|
157
|
+
# The file we're loading contains a hash with a custom Ruby class, BadClassWeShouldNotInstantiate (see top
|
|
158
|
+
# of file). If we're not loading in safe mode, it will create an instance of that class and call its []=
|
|
159
|
+
# method, which we've defined to set $created_bad_class to true. In safe mode, it refuses to parse this file.
|
|
160
|
+
file = make_temp_file(unsafe_yaml)
|
|
161
|
+
with_data_source({ paths: [file.path ] }) do |ds|
|
|
162
|
+
event = ds.start
|
|
163
|
+
expect(event.set?).to eq(true)
|
|
164
|
+
expect(ds.initialized?).to eq(false)
|
|
165
|
+
expect($created_bad_class).to eq(false)
|
|
166
|
+
end
|
|
167
|
+
end
|
|
168
|
+
|
|
141
169
|
it "sets start event and initialized on successful load" do
|
|
142
170
|
file = make_temp_file(all_properties_json)
|
|
143
171
|
with_data_source({ paths: [ file.path ] }) do |ds|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: launchdarkly-server-sdk
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 5.5.
|
|
4
|
+
version: 5.5.11
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- LaunchDarkly
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-07-
|
|
11
|
+
date: 2019-07-25 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-sdk-dynamodb
|