mitre-settingslogic 3.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: cabca9894cc72e6bf4207679d3847b539f15ba2c99cbd30165271b3988568b86
+  data.tar.gz: 1dead53a7b4c408796cb7439bf15fce7a3cef28e868a755ec595d759def19252
+SHA512:
+  metadata.gz: 70ed779744d55559bbc1db46ec27700b6406f93c88e82e157de222b30b1264361e702d1c55d9012d234f94de2f3e541f13606d36b30893530b96f76efd2cb030
+  data.tar.gz: f920eadd8d2e1191209d1bab0497b845978a690a0e1b03da0f4ef29189221dad2c2638a1522023bb6e4cf6e25fe4727849c533b287f1f57e9a65fa420f28e8fe

data/CHANGELOG.md

@@ -0,0 +1,67 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [3.0.0] - 2025-01-11
+
+### 🔒 Security (BREAKING CHANGES)
+
+- **Critical**: Replace `YAML.unsafe_load` with `YAML.safe_load` to prevent arbitrary code execution
+- Default permitted YAML classes: `Symbol, Date, Time, DateTime, BigDecimal`
+- Replace vulnerable `open-uri` with `Net::HTTP` for URL loading
+- Add protocol validation to block dangerous URI schemes (file://, ftp://, etc.)
+
+### ✨ Features
+
+- Add Ruby 3.x compatibility (3.0, 3.1, 3.2, 3.3, 3.4)
+- Add Rails 7.x and 8.x compatibility
+- Add Psych 4 support with YAML alias handling
+- Add configurable permitted classes via `Settingslogic.yaml_permitted_classes`
+- Add migration path with deprecated `Settingslogic.use_yaml_unsafe_load` flag
+- Add helpful error messages with migration instructions
+
+### 🐛 Fixes
+
+- Fix RSpec Array#flatten issues with `to_ary` method
+- Fix deprecated `has_key?` usage (now `key?`)
+- Fix eval security with proper `__FILE__` and `__LINE__` tracking
+- Fix Ruby 3.4 compatibility with explicit bigdecimal dependency
+- Fix CI issues with Ruby 2.7 + Rails 6.1 zeitwerk conflict
+
+### 📦 Infrastructure
+
+- Add comprehensive test suite (94.63% coverage)
+- Add RuboCop linting with rubocop-rspec and rubocop-performance
+- Add GitHub Actions CI for all Ruby/Rails combinations
+- Add automated release tooling with version management
+- Add security testing suite (19 security-specific tests)
+
+### 📚 Documentation
+
+- Add comprehensive README with migration guide
+- Add SECURITY.md with vulnerability reporting process
+- Add ROADMAP.md for future development plans
+- Add CONTRIBUTING.md for contribution guidelines
+- Update all documentation for v3.0.0
+
+### ⚠️ Breaking Changes
+
+- YAML files can no longer instantiate arbitrary Ruby objects by default
+- To allow custom classes: `Settingslogic.yaml_permitted_classes += [MyClass]`
+- Temporary opt-out available: `Settingslogic.use_yaml_unsafe_load = true` (deprecated)
+
+### 📝 Notes
+
+This is a major security release addressing CVE-2022-32224-like vulnerabilities. All users should upgrade and review their YAML files for compatibility with safe_load restrictions.
+
+## [2.0.9] - 2012-10-19
+
+Last release of the original gem by Ben Johnson (binarylogic).
+
+---
+
+Maintained by MITRE Corporation
+Primary maintainer: Aaron Lippold <lippold@gmail.com>

data/CONTRIBUTING.md

@@ -0,0 +1,119 @@
+# Contributing to Settingslogic
+
+Thank you for your interest in contributing to the MITRE fork of settingslogic! This fork provides Ruby 3.x and Rails 7.x+ compatibility for the classic settingslogic gem.
+
+## 🚀 Quick Start
+
+```bash
+# Fork and clone
+git clone https://github.com/mitre/settingslogic.git
+cd settingslogic
+
+# Install dependencies
+bundle install
+
+# Run tests
+bundle exec rspec
+```
+
+## 🛠️ Development Setup
+
+### Prerequisites
+
+- Ruby 2.7+ (we test against 2.7, 3.0, 3.1, 3.2, 3.3, and 3.4)
+- Bundler
+
+### Running Tests
+
+```bash
+# Run all tests
+bundle exec rspec
+
+# Run tests with specific Ruby version
+rbenv local 3.2.0  # or rvm use 3.2.0
+bundle exec rspec
+
+# Run linting
+bundle exec rubocop
+```
+
+## 📝 Making Changes
+
+1. **Fork the repository** on GitHub
+2. **Create a feature branch** from `master`
+   ```bash
+   git checkout -b feature/my-new-feature
+   ```
+3. **Make your changes**
+   - Add tests for any new functionality
+   - Ensure all tests pass
+   - Follow existing code style
+4. **Commit your changes**
+   ```bash
+   git commit -m "Add new feature"
+   ```
+5. **Push to your fork**
+   ```bash
+   git push origin feature/my-new-feature
+   ```
+6. **Create a Pull Request** on GitHub
+
+## 🧪 Testing Requirements
+
+All changes must:
+- Include tests for new functionality
+- Pass all existing tests
+- Work with Ruby 2.7 through 3.4
+- Maintain backwards compatibility where possible
+
+### Testing YAML Aliases
+
+Since the main purpose of this fork is Psych 4 compatibility, ensure YAML aliases work:
+
+```ruby
+# test.yml
+defaults: &defaults
+  host: localhost
+  port: 3000
+
+development:
+  <<: *defaults
+  database: dev_db
+```
+
+## 🎯 Focus Areas
+
+We're particularly interested in:
+- Ruby 3.x compatibility improvements
+- Rails 7.x and 8.x compatibility
+- Performance improvements
+- Security enhancements
+- Better error messages
+
+## 📋 Code Style
+
+- Use frozen string literals
+- Follow Ruby community conventions
+- Run `bundle exec rubocop` before committing
+- Keep methods small and focused
+- Document complex logic
+
+## 🐛 Reporting Issues
+
+When reporting issues, please include:
+- Ruby version
+- Rails version (if applicable)
+- Minimal reproduction example
+- Full error message and stack trace
+
+## 📄 License
+
+By contributing, you agree that your contributions will be licensed under the MIT License.
+
+## 📧 Contact
+
+For questions about contributing, please open an issue on GitHub or contact the maintainers at lippold@gmail.com.
+
+## 🙏 Acknowledgments
+
+Thanks to Ben Johnson for creating the original settingslogic gem, and to all the fork maintainers who have kept it alive for the Ruby community.

data/LICENSE.md

@@ -0,0 +1,16 @@
+---
+title: License
+description: Apache 2.0 license for the cyber-trackr-live project
+layout: doc
+sidebar: true
+---
+
+Licensed under the apache-2.0 license, except as noted below.  
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:  
+
+* Redistributions of source code must retain the above copyright/ digital rights legend, this list of conditions and the following Notice.  
+
+* Redistributions in binary form must reproduce the above copyright copyright/ digital rights legend, this list of conditions and the following Notice in the documentation and/or other materials provided with the distribution.  
+
+* Neither the name of The MITRE Corporation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

data/README.md

@@ -0,0 +1,204 @@
+# Settingslogic - MITRE Fork
+
+[![CI](https://github.com/mitre/settingslogic/actions/workflows/ci.yml/badge.svg)](https://github.com/mitre/settingslogic/actions/workflows/ci.yml)
+[![Gem Version](https://badge.fury.io/rb/settingslogic.svg)](http://badge.fury.io/rb/settingslogic)
+
+A simple and straightforward settings solution that uses an ERB enabled YAML file and a singleton design pattern. This is a MITRE-maintained fork with Ruby 3.x and Rails 7.x+ compatibility.
+
+## 🎯 Why This Fork?
+
+The original settingslogic gem hasn't been updated since 2012 but is still widely used. This fork provides:
+
+- ✅ **Ruby 3.x compatibility** - Full support for Ruby 3.0, 3.1, 3.2, 3.3, and 3.4
+- ✅ **Psych 4 support** - Handles YAML aliases correctly with Ruby 3.1+
+- ✅ **Rails 7.x/8.x compatibility** - Works with modern Rails versions
+- ✅ **Security updates** - Modern security practices and dependency updates
+- ✅ **Maintained** - Active maintenance and support
+
+## 📦 Installation
+
+Add this to your Gemfile:
+
+```ruby
+# Use the MITRE fork for Ruby 3.x compatibility
+gem 'settingslogic', github: 'mitre/settingslogic', branch: 'master'
+```
+
+Or if we publish to RubyGems:
+
+```ruby
+gem 'mitre-settingslogic'
+```
+
+## 🚀 Quick Start
+
+### 1. Define your settings class
+
+```ruby
+# app/models/settings.rb (for Rails)
+# or anywhere in your Ruby project
+class Settings < Settingslogic
+  source "#{Rails.root}/config/application.yml"
+  namespace Rails.env
+end
+```
+
+### 2. Create your YAML configuration
+
+```yaml
+# config/application.yml
+defaults: &defaults
+  host: localhost
+  port: 3000
+  ssl: false
+  
+development:
+  <<: *defaults
+  database: myapp_development
+  
+production:
+  <<: *defaults
+  host: production.example.com
+  port: 443
+  ssl: true
+  database: myapp_production
+```
+
+### 3. Use your settings
+
+```ruby
+Settings.host          # => "localhost" in development, "production.example.com" in production
+Settings.port          # => 3000 in development, 443 in production
+Settings.ssl?          # => false in development, true in production
+Settings.database      # => "myapp_development" in development
+
+# Nested settings
+Settings.smtp.address  # => Access nested configuration
+Settings['smtp']['address']  # => Hash-style access also works
+```
+
+## 🔧 Advanced Features
+
+### Dynamic Settings
+
+```ruby
+# Settings with ERB
+production:
+  secret_key: <%= ENV['SECRET_KEY_BASE'] %>
+  redis_url: <%= ENV['REDIS_URL'] || 'redis://localhost:6379' %>
+```
+
+### Multiple Configuration Files
+
+```ruby
+class DatabaseSettings < Settingslogic
+  source "#{Rails.root}/config/database_settings.yml"
+  namespace Rails.env
+end
+
+class FeatureFlags < Settingslogic
+  source "#{Rails.root}/config/features.yml"
+  namespace Rails.env
+end
+```
+
+### Suppress Errors
+
+```ruby
+class Settings < Settingslogic
+  source "#{Rails.root}/config/application.yml"
+  namespace Rails.env
+  suppress_errors true  # Returns nil instead of raising errors for missing keys
+end
+```
+
+### Dynamic Access
+
+```ruby
+# Access nested keys with dot notation
+Settings.get('database.pool.size')  # => 5
+Settings.get('redis.cache.ttl')     # => 3600
+```
+
+## 🏗️ What's Fixed in This Fork
+
+### Psych 4 / Ruby 3.1+ Compatibility
+
+The main issue with the original gem is that Ruby 3.1+ ships with Psych 4, which disables YAML aliases by default. This fork handles that correctly:
+
+```ruby
+# This YAML with aliases now works correctly in Ruby 3.1+
+defaults: &defaults
+  timeout: 30
+  retries: 3
+
+production:
+  <<: *defaults  # This alias expansion works!
+  timeout: 60
+```
+
+### Other Improvements
+
+- ✅ Fixed deprecated `has_key?` → `key?`
+- ✅ Added `to_ary` method for RSpec compatibility
+- ✅ Improved `symbolize_keys` for nested hashes
+- ✅ Added `stringify_keys` for Rails compatibility
+- ✅ Better error messages
+- ✅ Security improvements for eval usage
+- ✅ Frozen string literals
+- ✅ Modern Ruby idioms
+
+## 🧪 Compatibility
+
+Tested and working with:
+
+- **Ruby:** 2.7, 3.0, 3.1, 3.2, 3.3, 3.4
+- **Rails:** 5.2, 6.0, 6.1, 7.0, 7.1, 8.0
+- **Psych:** 3.x and 4.x
+
+## 🔒 Security
+
+### YAML Safe Loading (v3.0.0+)
+- **Default behavior**: Uses `YAML.safe_load` to prevent arbitrary code execution
+- **Permitted classes**: `Symbol, Date, Time, DateTime, BigDecimal`
+- **Custom classes**: Add via `Settingslogic.yaml_permitted_classes += [MyClass]`
+- **Migration path**: Temporary opt-out with `Settingslogic.use_yaml_unsafe_load = true` (deprecated, will be removed in v4.0.0)
+
+### Other Security Features
+- URL loading uses `Net::HTTP` instead of vulnerable `open-uri`
+- All eval usage includes proper `__FILE__` and `__LINE__` tracking
+- No arbitrary code execution vulnerabilities in default configuration
+
+## 🤝 Contributing
+
+We welcome contributions! Please see [CONTRIBUTING.md](CONTRIBUTING.md) for details.
+
+## 📄 License
+
+This project is licensed under the MIT License - see [LICENSE.md](LICENSE.md) for details.
+
+## 🙏 Acknowledgments
+
+- Original gem created by [Ben Johnson](https://github.com/binarylogic) (binarylogic)
+- Community maintainers at [settingslogic/settingslogic](https://github.com/settingslogic/settingslogic)
+- Key fixes incorporated from:
+  - [minorun99/settingslogic](https://github.com/minorun99/settingslogic) - Ruby 3.2 compatibility
+  - [etozzato/settingslogic](https://github.com/etozzato/settingslogic) - Psych 4 safe_load implementation
+  - [bigcommerce/settingslogic](https://github.com/bigcommerce/settingslogic) - Various compatibility fixes
+  - [tvw/settingslogic](https://github.com/tvw/settingslogic) - Ruby 3 support
+  - And many others who kept this gem alive through their forks and PRs
+- Special thanks to all who submitted PRs to the original repo, especially PR #86 for Psych 4 compatibility
+
+## 📚 Documentation
+
+- [Original Documentation](http://rdoc.info/github/binarylogic/settingslogic)
+- [MITRE Fork Issues](https://github.com/mitre/settingslogic/issues)
+- [MITRE Fork Repository](https://github.com/mitre/settingslogic)
+
+## 🏢 About MITRE
+
+This fork is maintained by [MITRE Corporation](https://www.mitre.org/) to support our Ruby applications, particularly [Vulcan](https://github.com/mitre/vulcan) and other security tools.
+
+---
+
+**Maintained with ❤️ by the MITRE Security Automation Framework Team**

data/ROADMAP.md

@@ -0,0 +1,39 @@
+# Settingslogic Roadmap
+
+## Version 3.0.0 (Current Release)
+- ✅ Ruby 3.x compatibility through Ruby 3.4+
+- ✅ Rails 7.x and 8.x compatibility
+- ✅ Security: Replaced `YAML.unsafe_load` with `YAML.safe_load`
+- ✅ Configurable permitted classes via `Settingslogic.yaml_permitted_classes`
+- ✅ Migration path with deprecated `use_yaml_unsafe_load` flag
+- ✅ 94%+ test coverage with reorganized specs
+
+## Version 3.x (Maintenance)
+- Rename master branch to main (v3.0.1 or v3.1)
+- Test gem autopublishing workflow
+- Bug fixes as needed
+- Maintain compatibility with new Ruby/Rails releases
+- No new features planned - focus on stability
+
+## Version 4.0.0 (Future - Aligned with Vulcan Rewrite)
+### Breaking Changes
+- Drop Ruby 2.7 support (already EOL as of March 2023)
+- Remove deprecated `use_yaml_unsafe_load` flag
+- Minimum Ruby version: 3.0+ (or higher based on adoption)
+
+### Goals
+- Simplify codebase by removing legacy compatibility code
+- Maintain as a simple, focused settings gem
+- Ensure compatibility with Ruby 3.4+ for the long term
+
+## Maintenance Philosophy
+This is a MITRE-maintained fork created specifically for Vulcan and other MITRE projects. We recognize that many in the Ruby community are moving to other configuration solutions, but settingslogic remains valuable for existing projects.
+
+Our focus:
+- Security and stability over features
+- Maintaining compatibility for existing users
+- Clear migration paths when changes are needed
+- No unnecessary complexity
+
+## Note
+Given the gem's maturity and decreasing usage in new projects, we don't anticipate significant feature development. This fork exists primarily to ensure MITRE projects using settingslogic can safely upgrade to modern Ruby and Rails versions.

data/SECURITY.md

@@ -0,0 +1,122 @@
+# Security Policy
+
+## Reporting Security Issues
+
+The MITRE team takes security seriously. If you discover a security vulnerability in the settingslogic fork, please report it responsibly.
+
+### Contact Information
+
+- **Email**: [saf-security@mitre.org](mailto:saf-security@mitre.org)
+- **GitHub**: Use the [Security tab](https://github.com/mitre/settingslogic/security) to report vulnerabilities privately
+- **Direct Contact**: lippold@gmail.com for urgent issues
+
+### What to Include
+
+When reporting security issues, please provide:
+
+1. **Description** of the vulnerability
+2. **Steps to reproduce** the issue
+3. **Affected versions** (Ruby version, settingslogic version)
+4. **Potential impact** assessment
+5. **Suggested fix** (if you have one)
+
+### Response Timeline
+
+- **Acknowledgment**: Within 48 hours
+- **Initial Assessment**: Within 1 week
+- **Fix Timeline**: Depends on severity
+  - Critical: Within 1 week
+  - High: Within 2 weeks
+  - Medium: Within 1 month
+  - Low: Next release
+
+## Security Considerations
+
+### YAML Loading (v3.0.0+)
+
+This gem uses YAML for configuration files with secure defaults:
+
+- **Default**: Uses `YAML.safe_load` to prevent arbitrary code execution
+- **Permitted classes**: `Symbol, Date, Time, DateTime, BigDecimal`
+- **Customizable**: Add your own classes via `Settingslogic.yaml_permitted_classes`
+- **YAML aliases**: Fully supported with `aliases: true` parameter
+
+**⚠️ Important**: Configuration files should be:
+- Stored in secure locations
+- Not user-uploadable
+- Protected with appropriate file permissions
+
+### ERB Processing
+
+Configuration files support ERB templates. This means:
+- Environment variables can be embedded
+- Ruby code can be executed during configuration loading
+
+**Best Practices**:
+```yaml
+# Good - using environment variables
+production:
+  secret_key: <%= ENV['SECRET_KEY_BASE'] %>
+  
+# Avoid - executing arbitrary code
+production:
+  value: <%= `whoami` %>  # Don't do this!
+```
+
+### File Access
+
+The gem can load configuration from:
+- Local files (recommended)
+- HTTP/HTTPS URLs (use with caution)
+
+For production environments, always use local files with proper permissions.
+
+## Supported Versions
+
+| Version | Ruby Versions | Supported          |
+| ------- | ------------- | ------------------ |
+| 3.0.x   | 2.7 - 3.4     | :white_check_mark: |
+| 2.0.x   | 1.9 - 2.6     | :x:                |
+
+## Security Enhancements in v3.0.0
+
+### Critical Security Fixes
+- **YAML deserialization security**: Replaced `YAML.unsafe_load` with `YAML.safe_load` to prevent arbitrary object instantiation (addresses CVE-2022-32224 pattern)
+- **Removed open-uri vulnerability**: Replaced `open-uri` with `Net::HTTP` to prevent SSRF attacks
+- **Protocol validation**: Explicitly blocks dangerous protocols (file://, ftp://, gopher://, etc.)
+- **Safe YAML loading**: Default permitted classes: Symbol, Date, Time, DateTime, BigDecimal
+- **Input sanitization**: Dynamic method names validated with `/^\w+$/` to prevent code injection
+
+### Security Features
+- **No automatic redirects**: HTTP client doesn't follow redirects automatically
+- **Controlled deserialization**: Prevents arbitrary object instantiation in YAML
+- **Proper error handling**: Security errors fail safely without exposing internals
+- **Comprehensive testing**: 18 security-specific test cases added
+
+### Known Security Issues
+
+#### Original Gem (2.0.9)
+- **CVE-2020-8287 (related)**: Uses vulnerable `open-uri` for URL loading
+- No Psych 4 support (Ruby 3.1+ compatibility issues)
+- Uses deprecated `YAML.load` without restrictions
+- No security updates since 2012
+
+#### This Fork (3.0.0+)
+- All known security issues have been addressed
+- Regular security audits via bundler-audit
+- Active maintenance by MITRE SAF team
+- Comprehensive security test coverage (94.63%)
+
+## Disclosure Policy
+
+We follow responsible disclosure:
+
+1. Security issues are fixed in private
+2. Patches are released with security advisories
+3. Credit is given to reporters (unless they prefer anonymity)
+
+## Additional Resources
+
+- [MITRE CVE Database](https://cve.mitre.org/)
+- [Ruby Security Advisories](https://www.ruby-lang.org/en/security/)
+- [Rails Security Guide](https://guides.rubyonrails.org/security.html)

data/lib/settingslogic/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class Settingslogic < Hash
+  VERSION = '3.0.0'
+end

data/lib/settingslogic.rb

@@ -0,0 +1,360 @@
+# frozen_string_literal: true
+
+require 'yaml'
+require 'erb'
+require 'date'
+require 'bigdecimal'
+
+# A simple settings solution using a YAML file. See README for more information.
+class Settingslogic < Hash
+  class MissingSetting < StandardError; end
+
+  class << self
+    def name # :nodoc:
+      superclass != Hash && instance.key?('name') ? instance.name : super
+    end
+
+    # Configure additional permitted classes for YAML deserialization
+    # Default: [Symbol, Date, Time, DateTime, BigDecimal]
+    # Example: Settingslogic.yaml_permitted_classes += [MyCustomClass]
+    def yaml_permitted_classes
+      @yaml_permitted_classes ||= [Symbol, Date, Time, DateTime, BigDecimal]
+    end
+
+    attr_writer :yaml_permitted_classes
+
+    # DEPRECATED: Temporarily allow unsafe YAML loading for backwards compatibility
+    # This option will be removed in v4.0.0
+    # WARNING: This enables arbitrary code execution vulnerabilities!
+    def use_yaml_unsafe_load=(value)
+      if value
+        warn '[DEPRECATION] Settingslogic.use_yaml_unsafe_load is deprecated and will be removed in v4.0.0. ' \
+             'Please migrate to using Settingslogic.yaml_permitted_classes instead.'
+      end
+      @use_yaml_unsafe_load = value
+    end
+
+    def use_yaml_unsafe_load
+      @use_yaml_unsafe_load ||= false
+    end
+
+    # Enables Settings.get('nested.key.name') for dynamic access
+    def get(key)
+      parts = key.split('.')
+      curs = self
+      while (p = parts.shift)
+        curs = curs.send(p)
+      end
+      curs
+    end
+
+    def source(value = nil)
+      @source ||= value
+    end
+
+    def namespace(value = nil)
+      @namespace ||= value
+    end
+
+    def suppress_errors(value = nil)
+      @suppress_errors ||= value
+    end
+
+    def [](key)
+      instance.fetch(key.to_s, nil)
+    end
+
+    def []=(key, val)
+      # Setting[:key][:key2] = 'value' for dynamic settings
+      val = new(val, source) if val.is_a? Hash
+      instance.store(key.to_s, val)
+      instance.create_accessor_for(key, val)
+    end
+
+    def load!
+      instance
+      true
+    end
+
+    def reload!
+      @instance = nil
+      load!
+    end
+
+    private
+
+    def instance
+      return @instance if @instance
+
+      @instance = new
+      create_accessors!
+      @instance
+    end
+
+    def method_missing(name, *args, &block)
+      instance.send(name, *args, &block)
+    end
+
+    # It would be great to DRY this up somehow, someday, but it's difficult because
+    # of the singleton pattern.  Basically this proxies Setting.foo to Setting.instance.foo
+    def create_accessors!
+      instance.each_key do |key|
+        create_accessor_for(key)
+      end
+    end
+
+    def create_accessor_for(key)
+      return unless /^\w+$/.match?(key.to_s) # could have "some-setting:" which blows up eval
+
+      instance_eval "def #{key}; instance.send(:#{key}); end", __FILE__, __LINE__
+    end
+  end
+
+  # Initializes a new settings object. You can initialize an object in any of the following ways:
+  #
+  #   Settings.new(:application) # will look for config/application.yml
+  #   Settings.new("application.yaml") # will look for application.yaml
+  #   Settings.new("/var/configs/application.yml") # will look for /var/configs/application.yml
+  #   Settings.new(:config1 => 1, :config2 => 2)
+  #
+  # Basically if you pass a symbol it will look for that file in the configs directory of your rails app,
+  # if you are using this in rails. If you pass a string it should be an absolute path to your settings file.
+  # Then you can pass a hash, and it just allows you to access the hash via methods.
+  def initialize(hash_or_file = self.class.source, section = nil)
+    # puts "new! #{hash_or_file}"
+    case hash_or_file
+    when nil
+      raise Errno::ENOENT, 'No file specified as Settingslogic source'
+    when Hash
+      replace hash_or_file
+    else
+      file_contents = read_file(hash_or_file)
+      hash = file_contents.empty? ? {} : parse_yaml_content(file_contents)
+      if self.class.namespace
+        hash = hash[self.class.namespace] or
+          return missing_key("Missing setting '#{self.class.namespace}' in #{hash_or_file}")
+      end
+
+      replace hash
+    end
+    @section = section || self.class.source # so end of error says "in application.yml"
+    create_accessors!
+  end
+
+  # Called for dynamically-defined keys, and also the first key deferenced at the top-level, if load! is not used.
+  # Otherwise, create_accessors! (called by new) will have created actual methods for each key.
+  def method_missing(name, *_args)
+    key = name.to_s
+    return missing_key("Missing setting '#{key}' in #{@section}") unless key? key
+
+    value = fetch(key)
+    create_accessor_for(key)
+    value.is_a?(Hash) ? self.class.new(value, "'#{key}' section in #{@section}") : value
+  end
+
+  def [](key)
+    fetch(key.to_s, nil)
+  end
+
+  def []=(key, val)
+    # Setting[:key][:key2] = 'value' for dynamic settings
+    val = self.class.new(val, @section) if val.is_a? Hash
+    store(key.to_s, val)
+    create_accessor_for(key, val)
+  end
+
+  # Returns an instance of a Hash object
+  def to_hash
+    to_h
+  end
+
+  # Prevents Array#flatten from trying to expand Settings objects
+  # This fixes RSpec issues when Settings objects are included in arrays
+  def to_ary
+    nil
+  end
+
+  # This handles naming collisions with Sinatra/Vlad/Capistrano. Since these use a set()
+  # helper that defines methods in Object, ANY method_missing ANYWHERE picks up the Vlad/Sinatra
+  # settings!  So settings.deploy_to title actually calls Object.deploy_to (from set :deploy_to, "host"),
+  # rather than the app_yml['deploy_to'] hash.  Jeezus.
+  def create_accessors!
+    each do |key, _val|
+      create_accessor_for(key)
+    end
+  end
+
+  # Use instance_eval/class_eval because they're actually more efficient than define_method{}
+  # http://stackoverflow.com/questions/185947/ruby-definemethod-vs-def
+  # http://bmorearty.wordpress.com/2009/01/09/fun-with-rubys-instance_eval-and-class_eval/
+  def create_accessor_for(key, val = nil)
+    return unless /^\w+$/.match?(key.to_s) # could have "some-setting:" which blows up eval
+
+    instance_variable_set("@#{key}", val)
+    self.class.class_eval <<-ENDEVAL, __FILE__, __LINE__ + 1
+      def #{key}
+        return @#{key} if @#{key}
+        return missing_key("Missing setting '#{key}' in #{@section}") unless key? '#{key}'
+        value = fetch('#{key}')
+        @#{key} = if value.is_a?(Hash)
+          self.class.new(value, "'#{key}' section in #{@section}")
+        elsif value.is_a?(Array) && value.all?{|v| v.is_a? Hash}
+          value.map{|v| self.class.new(v)}
+        else
+          value
+        end
+      end
+    ENDEVAL
+  end
+
+  # Convert all keys to symbols recursively
+  def symbolize_keys
+    each_with_object({}) do |(key, value), memo|
+      k = begin
+        key.to_sym
+      rescue StandardError
+        key
+      end
+      # Access the value properly through the accessor method
+      v = respond_to?(key) ? send(key) : value
+      # Recursively symbolize nested hashes
+      memo[k] = if v.is_a?(self.class)
+                  v.symbolize_keys
+                elsif v.respond_to?(:symbolize_keys)
+                  v.symbolize_keys
+                else
+                  v
+                end
+    end
+  end
+
+  # Convert all keys to strings recursively (Rails compatibility)
+  def stringify_keys
+    each_with_object({}) do |(key, value), memo|
+      k = key.to_s
+      v = begin
+        send(key)
+      rescue StandardError
+        value
+      end
+      memo[k] = v.respond_to?(:stringify_keys) ? v.stringify_keys : v
+    end
+  end
+
+  # Deep merge settings (useful for overrides)
+  def deep_merge(other_hash)
+    self.class.new(deep_merge_hash(to_hash, other_hash))
+  end
+
+  # Deep merge in place
+  def deep_merge!(other_hash)
+    replace(deep_merge_hash(to_hash, other_hash))
+  end
+
+  private
+
+  # Helper for deep merging
+  def deep_merge_hash(hash, other_hash)
+    hash.merge(other_hash) do |_key, old_val, new_val|
+      if old_val.is_a?(Hash) && new_val.is_a?(Hash)
+        deep_merge_hash(old_val, new_val)
+      else
+        new_val
+      end
+    end
+  end
+
+  def missing_key(msg)
+    return nil if self.class.suppress_errors
+
+    raise MissingSetting, msg
+  end
+
+  # Parse YAML content with Psych 4 / Ruby 3.1+ compatibility
+  # Handles YAML aliases which are disabled by default in Psych 4
+  def parse_yaml_content(file_content)
+    erb_result = ERB.new(file_content).result
+
+    # Check if unsafe loading is enabled (deprecated)
+    if self.class.use_yaml_unsafe_load
+      # Use the old unsafe behavior (security risk!)
+      if YAML.respond_to?(:unsafe_load)
+        # unsafe_load doesn't take aliases parameter, it allows them by default
+        YAML.unsafe_load(erb_result).to_hash
+      else
+        # Fallback to regular load for older Ruby versions
+        YAML.load(erb_result).to_hash # rubocop:disable Security/YAMLLoad
+      end
+    else
+      # Use safe_load for security (recommended)
+      permitted_classes = self.class.yaml_permitted_classes
+
+      begin
+        if YAML.respond_to?(:safe_load)
+          # Try with modern safe_load signature (Ruby 2.6+)
+          YAML.safe_load(erb_result, permitted_classes: permitted_classes, aliases: true).to_hash
+        else
+          # Fallback for older Ruby versions
+          YAML.safe_load(erb_result, permitted_classes, [], true).to_hash
+        end
+      rescue ArgumentError => e
+        # Handle older safe_load signature (Ruby 2.5 and earlier)
+        raise e unless e.message.include?('unknown keyword') || e.message.include?('wrong number of arguments')
+
+        # Old signature: safe_load(yaml, whitelist_classes, whitelist_symbols, aliases)
+        YAML.safe_load(erb_result, permitted_classes, [], true).to_hash
+      end
+    end
+  rescue Psych::DisallowedClass => e
+    # Extract class name from error message
+    class_name = e.message[/Tried to load unspecified class: (.+)/, 1] || e.message
+
+    # Provide helpful error message with migration instructions
+    raise MissingSetting, "YAML file contains disallowed class: #{class_name}\n\n" \
+                          "To fix this, you have two options:\n" \
+                          "1. Add the class to permitted classes:\n   " \
+                          "Settingslogic.yaml_permitted_classes += [#{class_name}]\n" \
+                          "2. (NOT RECOMMENDED) Temporarily use unsafe loading:\n   " \
+                          "Settingslogic.use_yaml_unsafe_load = true\n\n" \
+                          "Current permitted classes: #{self.class.yaml_permitted_classes.inspect}"
+  rescue Psych::BadAlias => e
+    # This shouldn't happen with aliases: true, but handle it just in case
+    raise MissingSetting, "YAML file contains aliases but they could not be processed. " \
+                          "Error: #{e.message}"
+  end
+
+  # Read file contents handling both local files and URIs
+  # Uses Net::HTTP for security instead of open-uri
+  def read_file(source)
+    source_str = source.to_s
+
+    # Check for dangerous protocols first
+    if source_str.match?(%r{\A(file|ftp|gopher|ldap|dict|tftp|sftp)://}i)
+      raise ArgumentError, "Invalid URL protocol: #{source}"
+    end
+
+    if source_str.match?(%r{\Ahttps?://}i)
+      # For HTTP/HTTPS URLs, use Net::HTTP which is more secure
+      require 'net/http'
+      require 'uri'
+
+      uri = URI.parse(source_str)
+
+      # Security: validate the URI
+      raise ArgumentError, "Invalid URL: #{source}" unless uri.is_a?(URI::HTTP)
+
+      # Use Net::HTTP with proper error handling
+      response = Net::HTTP.get_response(uri)
+
+      case response
+      when Net::HTTPSuccess
+        response.body
+      else
+        raise "Failed to fetch #{source}: #{response.code} #{response.message}"
+      end
+    else
+      # For local files, use File.read which is more efficient
+      File.read(source_str)
+    end
+  end
+end

metadata

@@ -0,0 +1,172 @@
+--- !ruby/object:Gem::Specification
+name: mitre-settingslogic
+version: !ruby/object:Gem::Version
+  version: 3.0.0
+platform: ruby
+authors:
+- Ben Johnson
+- MITRE SAF Team
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2025-08-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bigdecimal
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+- !ruby/object:Gem::Dependency
+  name: bundler-audit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.2'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.13'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.65'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.65'
+- !ruby/object:Gem::Dependency
+  name: rubocop-performance
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.21'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.21'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.22'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.22'
+description: A simple and straightforward settings solution that uses an ERB enabled
+  YAML file and a singleton design pattern. This is a MITRE-maintained fork with Ruby
+  3.x and Rails 7.x compatibility.
+email:
+- saf@mitre.org
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CONTRIBUTING.md
+- LICENSE.md
+- README.md
+- ROADMAP.md
+- SECURITY.md
+- lib/settingslogic.rb
+- lib/settingslogic/version.rb
+homepage: https://github.com/mitre/settingslogic
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/mitre/settingslogic
+  source_code_uri: https://github.com/mitre/settingslogic
+  changelog_uri: https://github.com/mitre/settingslogic/blob/main/CHANGELOG.md
+  bug_tracker_uri: https://github.com/mitre/settingslogic/issues
+  documentation_uri: https://www.rubydoc.info/gems/settingslogic
+  rubygems_mfa_required: 'true'
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.7.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.27
+signing_key:
+specification_version: 4
+summary: A simple settings solution using YAML and a singleton pattern
+test_files: []