localeapp 0.6.8 → 0.6.9

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+# Version 0.6.8
+
+* Don't load any yaml that may contain insecure content
+
 # Version 0.6.7
 
 * Add rm and mv commands for deleting / renaming keys from the command line

data/README.md

@@ -10,6 +10,15 @@ The gem hooks into the i18n exception mechanism to send missing translations to
 the app. When translated content has been added it's automatically pulled down
 so you can see it straight away.
 
+## Security
+
+Though the i18n gem uses YAML as it's default file format it doesn't require
+serialization of ruby objects. To prevent the kind of security problems
+detailed in [CVE-2013-0156][1] the localeapp gem will not load any YAML containing
+the string !ruby/ as of version 0.6.9.
+
+[1]: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ
+
 ## Installation
 
 ### Rails 3

data/lib/localeapp/cli/install.rb

@@ -145,7 +145,7 @@ require 'localeapp/rails'
 
 Localeapp.configure do |config|
   config.api_key = ENV['LOCALEAPP_API_KEY']
-  config.poll_interval = 300 if defined?(Rails) && Rails.env.staging?
+  config.environment_name = ENV['LOCALEAPP_ENV'] unless ENV['LOCALEAPP_ENV'].nil?
   config.polling_environments = [:development, :staging]
   config.reloading_environments = [:development, :staging]
   config.sending_environments = [:development, :staging]

data/lib/localeapp/configuration.rb

@@ -70,6 +70,10 @@ module Localeapp
     # The complete path to the directory where translations are stored
     attr_accessor :translation_data_directory
 
+    # Enable or disable the insecure yaml exception
+    # default: true
+    attr_accessor :raise_on_insecure_yaml
+
     def initialize
       defaults.each do |setting, value|
         send("#{setting}=", value)
@@ -90,6 +94,7 @@ module Localeapp
         :daemon_pid_file            => File.join('tmp', 'pids', 'localeapp.pid'),
         :daemon_log_file            => File.join('log', 'localeapp_daemon.log'),
         :translation_data_directory => File.join('config', 'locales'),
+        :raise_on_insecure_yaml     => true,
       }
       if ENV['DEBUG']
         require 'logger'

data/lib/localeapp/version.rb

@@ -1,3 +1,3 @@
 module Localeapp
-  VERSION = "0.6.8"
+  VERSION = "0.6.9"
 end

data/lib/localeapp.rb

@@ -54,6 +54,9 @@ module Localeapp
   API_VERSION = "1"
   LOG_PREFIX = "** [Localeapp] "
 
+  class LocaleappError < StandardError; end
+  class PotentiallyInsecureYaml < LocaleappError; end
+
   class << self
     # An Localeapp configuration object.
     attr_accessor :configuration
@@ -115,6 +118,10 @@ module Localeapp
     end
 
     def load_yaml(contents)
+      if Localeapp.configuration.raise_on_insecure_yaml
+        raise Localeapp::PotentiallyInsecureYaml if contents =~ /!ruby\//
+      end
+
       if defined?(Psych) && defined?(Psych::VERSION)
         Psych.load(contents)
       else

data/localeapp.gemspec

@@ -30,6 +30,6 @@ Gem::Specification.new do |s|
   s.add_development_dependency('rspec', '2.11.0')
   s.add_development_dependency('yard', '0.6.7')
   s.add_development_dependency('RedCloth', '4.2.9')
-  s.add_development_dependency('aruba', '0.4.11')
+  s.add_development_dependency('aruba', '0.5.1')
   s.add_development_dependency('fakeweb', '1.3.0')
 end

data/spec/localeapp/cli/install_spec.rb

@@ -206,7 +206,7 @@ require 'localeapp/rails'
 
 Localeapp.configure do |config|
   config.api_key = ENV['LOCALEAPP_API_KEY']
-  config.poll_interval = 300 if defined?(Rails) && Rails.env.staging?
+  config.environment_name = ENV['LOCALEAPP_ENV'] unless ENV['LOCALEAPP_ENV'].nil?
   config.polling_environments = [:development, :staging]
   config.reloading_environments = [:development, :staging]
   config.sending_environments = [:development, :staging]

data/spec/localeapp/updater_spec.rb

@@ -17,6 +17,10 @@ describe Localeapp::Updater, ".update(data)" do
     @updater.update(data)
   end
 
+  def load_yaml(locale)
+    YAML.load(File.read(File.join(@yml_dir, "#{locale}.yml")))
+  end
+
   it "adds, updates and deletes keys in the yml files" do
     do_update({
       'translations' => {
@@ -35,59 +39,19 @@ describe Localeapp::Updater, ".update(data)" do
       'locales' => %w{en es}
     })
 
-    if defined? Psych
-      if Psych::VERSION == '1.0.0'
-        if RUBY_ENGINE == 'jruby'
-          File.read(File.join(@yml_dir, 'en.yml')).should == <<-EN
-en:
-  foo:
-    monkey: hello
-    night: the night
-  space:
-  blank: ''
-  tilde:
-  scalar1:
-  scalar2:
-EN
-        else
-          File.read(File.join(@yml_dir, 'en.yml')).should == <<-EN
-en:
-  foo:
-    monkey: hello
-    night: the night
-  space: !!null 
-  blank: ''
-  tilde: !!null 
-  scalar1: !!null 
-  scalar2: !!null 
-EN
-        end
-      else
-        File.read(File.join(@yml_dir, 'en.yml')).should == <<-EN
-en:
-  foo:
-    monkey: hello
-    night: the night
-  space: 
-  blank: ''
-  tilde: 
-  scalar1: 
-  scalar2: 
-EN
-      end
-    else
-      File.read(File.join(@yml_dir, 'en.yml')).should == <<-EN
-en: 
-  blank: ""
-  foo: 
-    monkey: hello
-    night: "the night"
-  scalar1: ~
-  scalar2: ~
-  space: ~
-  tilde: ~
-EN
-    end
+    load_yaml('en').should == {
+      'en' => {
+        'foo' => {
+          'monkey' => 'hello',
+          'night' => 'the night'
+        },
+        'space' => nil,
+        'blank' => '',
+        'tilde' => nil,
+        'scalar1' => nil,
+        'scalar2' => nil,
+      }
+    }
   end
 
   it "deletes keys in the yml files when updates are empty" do
@@ -100,19 +64,14 @@ EN
       ],
       'locales' => %w{es}
     })
-    if defined? Psych
-      File.read(File.join(@yml_dir, 'es.yml')).should == <<-ES
-es:
-  foo:
-    monkey: Mono
-ES
-    else
-      File.read(File.join(@yml_dir, 'es.yml')).should == <<-ES
-es: 
-  foo: 
-    monkey: Mono
-ES
-    end
+
+    load_yaml('es').should == {
+      'es' => {
+        'foo' => {
+          'monkey' => 'Mono'
+        }
+      }
+    }
   end
 
   it "creates a new yml file if an unknown locale is passed" do
@@ -122,17 +81,12 @@ ES
       },
       'locales' => ['ja']
     })
-    if defined? Psych
-      File.read(File.join(@yml_dir, 'ja.yml')).should == <<-JA
-ja:
-  foo: bar
-JA
-    else
-      File.read(File.join(@yml_dir, 'ja.yml')).should == <<-JA
-ja: 
-  foo: bar
-JA
-    end
+
+    load_yaml('ja').should == {
+      'ja' => {
+        'foo' => 'bar'
+      }
+    }
   end
 
   it "doesn't create a new yml file if an unknown locale is passed but it has no translations" do
@@ -144,7 +98,7 @@ JA
     File.exist?(File.join(@yml_dir, 'ja.yml')).should be_false
   end
 
-  if defined?(Psych) && Psych::VERSION >= "1.1.0"
+  if defined?(Psych) && Psych::VERSION >= "1.1.0" && !RUBY_PLATFORM == 'jruby'
     it "doesn't try to wrap long lines in the output" do
       do_update({
         'translations' => {
@@ -202,33 +156,21 @@ describe Localeapp::Updater, ".dump(data)" do
 
   it "replaces the content of an existing yml file" do
     filepath = File.join(@yml_dir, 'en.yml')
-    content = lambda { File.read(filepath) }
-    if defined? Psych
-      expect { do_dump({'en' => {'updated' => 'content'}}) }.to change(content, :call).to <<-EN
-en:
-  updated: content
-EN
-    else
-      expect { do_dump({'en' => {'updated' => 'content'}}) }.to change(content, :call).to <<-EN
-en: 
-  updated: content
-EN
-    end
+    content = lambda { YAML.load(File.read(filepath)) }
+    expect { do_dump({'en' => {'updated' => 'content'}}) }.to change(content, :call).to({
+      'en' => {
+        'updated' => 'content'
+      }
+    })
   end
 
   it "creates a new yml file if an unknown locale is passed" do
     do_dump({'ja' => { 'foo' => 'bar'} })
-    if defined? Psych
-      File.read(File.join(@yml_dir, 'ja.yml')).should == <<-JA
-ja:
-  foo: bar
-JA
-    else
-      File.read(File.join(@yml_dir, 'ja.yml')).should == <<-JA
-ja: 
-  foo: bar
-JA
-    end
+    YAML.load(File.read(File.join(@yml_dir, 'ja.yml'))).should == {
+      'ja' => {
+        'foo' => 'bar'
+      }
+    }
   end
 
   it "doesn't change a yml file's permissions" do

data/spec/localeapp_spec.rb

@@ -0,0 +1,17 @@
+require 'spec_helper'
+
+describe Localeapp, "#load_yaml(content)" do
+  let(:bad_yaml) { "---\n- 1\n- 2\n- 3\n- !ruby/object:Object\n    foo: 1\n" }
+
+  it "raises an exception if the content contains potentially insecure yaml" do
+    with_configuration(:raise_on_insecure_yaml => true) do
+      expect { Localeapp.load_yaml(bad_yaml) }.to raise_error(Localeapp::PotentiallyInsecureYaml)
+    end
+  end
+
+  it "doesn't raise if the raise_on_insecure_yaml setting is false" do
+    with_configuration(:raise_on_insecure_yaml => false) do
+      expect { Localeapp.load_yaml(bad_yaml) }.to_not raise_error
+    end
+  end
+end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: localeapp
 version: !ruby/object:Gem::Version 
-  hash: 23
+  hash: 21
   prerelease: 
   segments: 
   - 0
   - 6
-  - 8
-  version: 0.6.8
+  - 9
+  version: 0.6.9
 platform: ruby
 authors: 
 - Christopher Dell
@@ -16,12 +16,10 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2012-11-23 00:00:00 Z
+date: 2013-01-15 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: i18n
-  type: :runtime
-  prerelease: false
   version_requirements: &id001 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
@@ -31,11 +29,11 @@ dependencies:
         segments: 
         - 0
         version: "0"
+  type: :runtime
   requirement: *id001
+  prerelease: false
 - !ruby/object:Gem::Dependency 
   name: json
-  type: :runtime
-  prerelease: false
   version_requirements: &id002 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
@@ -45,11 +43,11 @@ dependencies:
         segments: 
         - 0
         version: "0"
+  type: :runtime
   requirement: *id002
+  prerelease: false
 - !ruby/object:Gem::Dependency 
   name: rest-client
-  type: :runtime
-  prerelease: false
   version_requirements: &id003 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
@@ -59,11 +57,11 @@ dependencies:
         segments: 
         - 0
         version: "0"
+  type: :runtime
   requirement: *id003
+  prerelease: false
 - !ruby/object:Gem::Dependency 
   name: ya2yaml
-  type: :runtime
-  prerelease: false
   version_requirements: &id004 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
@@ -73,11 +71,11 @@ dependencies:
         segments: 
         - 0
         version: "0"
+  type: :runtime
   requirement: *id004
+  prerelease: false
 - !ruby/object:Gem::Dependency 
   name: gli
-  type: :runtime
-  prerelease: false
   version_requirements: &id005 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
@@ -87,11 +85,11 @@ dependencies:
         segments: 
         - 0
         version: "0"
+  type: :runtime
   requirement: *id005
+  prerelease: false
 - !ruby/object:Gem::Dependency 
   name: rake
-  type: :development
-  prerelease: false
   version_requirements: &id006 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
@@ -101,11 +99,11 @@ dependencies:
         segments: 
         - 0
         version: "0"
+  type: :development
   requirement: *id006
+  prerelease: false
 - !ruby/object:Gem::Dependency 
   name: rack
-  type: :development
-  prerelease: false
   version_requirements: &id007 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
@@ -115,11 +113,11 @@ dependencies:
         segments: 
         - 0
         version: "0"
+  type: :development
   requirement: *id007
+  prerelease: false
 - !ruby/object:Gem::Dependency 
   name: rspec
-  type: :development
-  prerelease: false
   version_requirements: &id008 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
@@ -131,11 +129,11 @@ dependencies:
         - 11
         - 0
         version: 2.11.0
+  type: :development
   requirement: *id008
+  prerelease: false
 - !ruby/object:Gem::Dependency 
   name: yard
-  type: :development
-  prerelease: false
   version_requirements: &id009 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
@@ -147,11 +145,11 @@ dependencies:
         - 6
         - 7
         version: 0.6.7
+  type: :development
   requirement: *id009
+  prerelease: false
 - !ruby/object:Gem::Dependency 
   name: RedCloth
-  type: :development
-  prerelease: false
   version_requirements: &id010 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
@@ -163,27 +161,27 @@ dependencies:
         - 2
         - 9
         version: 4.2.9
+  type: :development
   requirement: *id010
+  prerelease: false
 - !ruby/object:Gem::Dependency 
   name: aruba
-  type: :development
-  prerelease: false
   version_requirements: &id011 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - "="
       - !ruby/object:Gem::Version 
-        hash: 25
+        hash: 9
         segments: 
         - 0
-        - 4
-        - 11
-        version: 0.4.11
+        - 5
+        - 1
+        version: 0.5.1
+  type: :development
   requirement: *id011
+  prerelease: false
 - !ruby/object:Gem::Dependency 
   name: fakeweb
-  type: :development
-  prerelease: false
   version_requirements: &id012 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
@@ -195,7 +193,9 @@ dependencies:
         - 3
         - 0
         version: 1.3.0
+  type: :development
   requirement: *id012
+  prerelease: false
 description: Synchronizes i18n translation keys and content with localeapp.com so you don't have to manage translations by hand.
 email: 
 - chris@tigrish.com
@@ -286,6 +286,7 @@ files:
 - spec/localeapp/routes_spec.rb
 - spec/localeapp/sender_spec.rb
 - spec/localeapp/updater_spec.rb
+- spec/localeapp_spec.rb
 - spec/spec_helper.rb
 - spec/support/i18n/missing_translation.rb
 - spec/support/localeapp_integration_data.rb
@@ -319,7 +320,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: localeapp
-rubygems_version: 1.8.6
+rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
 summary: Easy i18n translation management with localeapp.com
@@ -358,6 +359,7 @@ test_files:
 - spec/localeapp/routes_spec.rb
 - spec/localeapp/sender_spec.rb
 - spec/localeapp/updater_spec.rb
+- spec/localeapp_spec.rb
 - spec/spec_helper.rb
 - spec/support/i18n/missing_translation.rb
 - spec/support/localeapp_integration_data.rb