safe_parser 1.0.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (8) hide show
  1. checksums.yaml +7 -0
  2. data/History.txt +5 -0
  3. data/Manifest.txt +6 -0
  4. data/README.txt +74 -0
  5. data/Rakefile +13 -0
  6. data/lib/safe_parser.rb +46 -0
  7. data/test/test_safe_parser.rb +97 -0
  8. metadata +113 -0
checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA1:
3
+ metadata.gz: 4dec86a0cbf3ff35e64fa2fd8444a98221cfac57
4
+ data.tar.gz: 857a5b7591c5ea6c9c923158c721bb5b5b8eab67
5
+ SHA512:
6
+ metadata.gz: a1f3cc4730f09e8c9581e957e317c9965597df0c18d01c82f192238f57acd60491fdffb306bc816e98248d6abcd9166265d2fba9fb5bd0aa6a6074f39acae9f7
7
+ data.tar.gz: d48802e12b0321116353e2a9a4bf06b1eb5cdcadbbafd7976ed6cca2d9bbf833c384c8c2a56e90eb239b582286dff8ed574a8fd369fc8487d0b26dc5c6da818c
data/History.txt ADDED
@@ -0,0 +1,5 @@
1
+ === 0.0.1 / 2017-03-29
2
+
3
+ * Initial implementation
4
+
5
+ The whitelist based implementation only loads the classes Psych::safe_load loads.
data/Manifest.txt ADDED
@@ -0,0 +1,6 @@
1
+ History.txt
2
+ Manifest.txt
3
+ README.txt
4
+ Rakefile
5
+ lib/safe_parser.rb
6
+ test/test_safe_parser.rb
data/README.txt ADDED
@@ -0,0 +1,74 @@
1
+ = blah
2
+
3
+ home :: https://github.com/bibstha/ruby_hash_parser
4
+ code :: https://github.com/bibstha/ruby_hash_parser
5
+ bugs :: https://github.com/bibstha/ruby_hash_parser
6
+ ... etc ...
7
+
8
+ == DESCRIPTION:
9
+
10
+ Parses a hash string of the format `'{ :a => "something" }'` into an actual ruby hash object `{ a: "something" }`.
11
+ This is useful when you by mistake serialize hashes and save it in database column or a text file and you want to
12
+ convert them back to hashes without the security issues of executing `eval(hash_string)`.
13
+
14
+ By default only following classes are allowed to be deserialized:
15
+
16
+ * TrueClass
17
+ * FalseClass
18
+ * NilClass
19
+ * Numeric
20
+ * String
21
+ * Array
22
+ * Hash
23
+
24
+ A HashParser::BadHash exception is thrown if unserializable values are present.
25
+
26
+ == FEATURES/PROBLEMS:
27
+
28
+ * Any potential security issues?
29
+
30
+ == INSTALL:
31
+
32
+ * Add to Gemfile: `gem 'hash_parser'`
33
+
34
+ == DEVELOPERS:
35
+
36
+ require 'hash_parser'
37
+
38
+ # This successfully parses the hash
39
+ a = "{ :key_a => { :key_1a => 'value_1a', :key_2a => 'value_2a' },
40
+ :key_b => { :key_1b => 'value_1b' } }"
41
+ p HashParser.new.safe_load(a)
42
+
43
+ # This throws a HashParser::BadHash exception
44
+ a = "{ :key_a => system('ls') }"
45
+ p HashParser.new.safe_load(a)
46
+
47
+ == TODO:
48
+
49
+ * Allow objects of certain types to be deserialized
50
+
51
+ == LICENSE:
52
+
53
+ (The MIT License)
54
+
55
+ Copyright (c) 2017 FIX
56
+
57
+ Permission is hereby granted, free of charge, to any person obtaining
58
+ a copy of this software and associated documentation files (the
59
+ 'Software'), to deal in the Software without restriction, including
60
+ without limitation the rights to use, copy, modify, merge, publish,
61
+ distribute, sublicense, and/or sell copies of the Software, and to
62
+ permit persons to whom the Software is furnished to do so, subject to
63
+ the following conditions:
64
+
65
+ The above copyright notice and this permission notice shall be
66
+ included in all copies or substantial portions of the Software.
67
+
68
+ THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
69
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
70
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
71
+ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
72
+ CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
73
+ TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
74
+ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
data/Rakefile ADDED
@@ -0,0 +1,13 @@
1
+ # -*- ruby -*-
2
+
3
+ require 'hoe'
4
+
5
+ Hoe.spec 'safe_parser' do
6
+ developer 'Bibek Shrestha', 'bibekshrestha@gmail.com'
7
+
8
+ license "MIT"
9
+
10
+ dependency "ruby_parser", "~> 3.8.4"
11
+ end
12
+
13
+ # vim: syntax=ruby
data/lib/safe_parser.rb ADDED
@@ -0,0 +1,46 @@
1
+ require "ruby_parser"
2
+
3
+ # Whiltelist based hash string parser
4
+ class SafeParser
5
+ VERSION = "1.0.0"
6
+
7
+ UnsafeError = Class.new(StandardError)
8
+ attr_reader :string
9
+
10
+ def initialize(string)
11
+ @string = string
12
+ end
13
+
14
+ def safe_load
15
+ parse(root_expression)
16
+ end
17
+
18
+ private
19
+
20
+ def parse(expression)
21
+ case expression.head
22
+ when :hash
23
+ Hash[*parse_into_array(expression.values)]
24
+ when :array
25
+ parse_into_array(expression.values)
26
+ when :true
27
+ true
28
+ when :false
29
+ false
30
+ when :nil
31
+ nil
32
+ when :lit, :str
33
+ expression.value
34
+ else
35
+ raise UnsafeError, "#{ string } is a bad hash"
36
+ end
37
+ end
38
+
39
+ def root_expression
40
+ @root_expression ||= RubyParser.new.parse(string)
41
+ end
42
+
43
+ def parse_into_array(expression)
44
+ expression.map { |child_expression| parse(child_expression) }
45
+ end
46
+ end
data/test/test_safe_parser.rb ADDED
@@ -0,0 +1,97 @@
1
+ require "minitest/autorun"
2
+ require "minitest/spec"
3
+ require "minitest/pride"
4
+ require "safe_parser"
5
+
6
+ describe SafeParser do
7
+ describe "#safe_load" do
8
+ it "fails if it is not a hash" do
9
+ strs = ["Book.delete_all", "puts 'hello'", '"#{puts 123}"', "system('ls /')"]
10
+ strs.each do |bad_str|
11
+ assert_raises SafeParser::UnsafeError, "#{ bad_str } should not be safe" do
12
+ SafeParser.new(bad_str).safe_load
13
+ end
14
+ end
15
+ end
16
+
17
+ it "fails if there are more than one expression" do
18
+ strs = ["{ :a => 1 }; 'hello'", "{ :a => 1 }\n{ :b => 2 }"]
19
+ strs.each do |bad_str|
20
+ assert_raises SafeParser::UnsafeError, "#{ bad_str } should not be safe" do
21
+ SafeParser.new(bad_str).safe_load
22
+ end
23
+ end
24
+ end
25
+
26
+ it "Does not define or redefine any methods" do
27
+ str = '{ :a => refine(UnsafeError) { def safe?; "HAHAHA"; end } }'
28
+ assert_raises SafeParser::UnsafeError, "#{ str } should not be safe" do
29
+ SafeParser.new(str).safe_load
30
+ end
31
+
32
+ str = '{ :a => def SafeParser.safe?; "HAHAHA"; end }'
33
+ assert_raises SafeParser::UnsafeError, "#{ str } should not be safe" do
34
+ SafeParser.new(str).safe_load
35
+ end
36
+ end
37
+
38
+ it "fails if it has assignment" do
39
+ strs = ['{ :a => (SafeParser::TEST_CONSTANT = 1) }',
40
+ '{ :a => (hello_world = 1) }']
41
+ strs.each do |str|
42
+ assert_raises SafeParser::UnsafeError, "#{ str } should not be safe" do
43
+ SafeParser.new(str).safe_load
44
+ end
45
+ end
46
+ end
47
+
48
+ it "fails if a hash has a method call" do
49
+ strs = ["{ :a => 2 * 2 }",
50
+ "{ :a => SOME_CONST }",
51
+ "{ :a => system('ls /') }",
52
+ "{ :a => Book.delete_all }",
53
+ '{ :a => "#{500}" }',
54
+ '{ :a => "#{ Book.delete_all }" }',
55
+ '{ :a => refine(UnsafeError) { def safe?; "HAHAHA"; end } }',
56
+ ]
57
+ strs.each do |bad_str|
58
+ assert_raises SafeParser::UnsafeError, "#{ bad_str } should not be safe" do
59
+ SafeParser.new(bad_str).safe_load
60
+ end
61
+ end
62
+ end
63
+
64
+ it "passes for hashes" do
65
+ strs = ["{}", '{ "a" => "A" }', '{ :a => 123 }', '{ :a => true, :b => false, :c => true, "d" => nil }']
66
+ parsed = [{}, { "a" => "A" }, { a: 123 }, { a: true, b: false, c: true, "d" => nil }]
67
+ strs.each.with_index do |good_str, i|
68
+ assert_equal parsed[i], SafeParser.new(good_str).safe_load, "#{ good_str } should be safe"
69
+ end
70
+ end
71
+
72
+ it "passes for hashes with sub hashes" do
73
+ str = '{ :a => [1, 2, { "x" => "y" }] }'
74
+ parsed = { a: [1, 2, { "x" => "y" }] }
75
+ assert_equal parsed, SafeParser.new(str).safe_load
76
+ end
77
+
78
+ it "passes for simple literals" do
79
+ strs = ["1", "'a string'", ":a_symbol", "false", "true", "12.34"]
80
+ parsed = [1, "a string", :a_symbol, false, true, 12.34]
81
+ strs.each.with_index do |good_str, i|
82
+ assert_equal parsed[i], SafeParser.new(good_str).safe_load, "#{ good_str } should be safe"
83
+ end
84
+
85
+ assert_nil SafeParser.new("nil").safe_load, "The string 'nil' should be safe"
86
+ end
87
+
88
+ it "passes for a complex array" do
89
+ strs = ["[]", "['a_string', :a_symbol, true, false, nil, 1_234_567, 12.34]", "[[123], { a: 1, \"b\" => 2}]"]
90
+ parsed = [[], ['a_string', :a_symbol, true, false, nil, 1_234_567, 12.34], [[123], { a: 1, "b" => 2}]]
91
+ strs.each.with_index do |good_str, i|
92
+ assert_equal parsed[i], SafeParser.new(good_str).safe_load, "#{ good_str } should be safe"
93
+ end
94
+ end
95
+ end
96
+ end
97
+
metadata ADDED
@@ -0,0 +1,113 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: safe_parser
3
+ version: !ruby/object:Gem::Version
4
+ version: 1.0.0
5
+ platform: ruby
6
+ authors:
7
+ - Bibek Shrestha
8
+ autorequire:
9
+ bindir: bin
10
+ cert_chain: []
11
+ date: 2017-03-31 00:00:00.000000000 Z
12
+ dependencies:
13
+ - !ruby/object:Gem::Dependency
14
+ name: ruby_parser
15
+ requirement: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - "~>"
18
+ - !ruby/object:Gem::Version
19
+ version: 3.8.4
20
+ type: :runtime
21
+ prerelease: false
22
+ version_requirements: !ruby/object:Gem::Requirement
23
+ requirements:
24
+ - - "~>"
25
+ - !ruby/object:Gem::Version
26
+ version: 3.8.4
27
+ - !ruby/object:Gem::Dependency
28
+ name: rdoc
29
+ requirement: !ruby/object:Gem::Requirement
30
+ requirements:
31
+ - - "~>"
32
+ - !ruby/object:Gem::Version
33
+ version: '4.0'
34
+ type: :development
35
+ prerelease: false
36
+ version_requirements: !ruby/object:Gem::Requirement
37
+ requirements:
38
+ - - "~>"
39
+ - !ruby/object:Gem::Version
40
+ version: '4.0'
41
+ - !ruby/object:Gem::Dependency
42
+ name: hoe
43
+ requirement: !ruby/object:Gem::Requirement
44
+ requirements:
45
+ - - "~>"
46
+ - !ruby/object:Gem::Version
47
+ version: '3.16'
48
+ type: :development
49
+ prerelease: false
50
+ version_requirements: !ruby/object:Gem::Requirement
51
+ requirements:
52
+ - - "~>"
53
+ - !ruby/object:Gem::Version
54
+ version: '3.16'
55
+ description: |-
56
+ Parses a hash string of the format `'{ :a => "something" }'` into an actual ruby hash object `{ a: "something" }`.
57
+ This is useful when you by mistake serialize hashes and save it in database column or a text file and you want to
58
+ convert them back to hashes without the security issues of executing `eval(hash_string)`.
59
+
60
+ By default only following classes are allowed to be deserialized:
61
+
62
+ * TrueClass
63
+ * FalseClass
64
+ * NilClass
65
+ * Numeric
66
+ * String
67
+ * Array
68
+ * Hash
69
+
70
+ A HashParser::BadHash exception is thrown if unserializable values are present.
71
+ email:
72
+ - bibekshrestha@gmail.com
73
+ executables: []
74
+ extensions: []
75
+ extra_rdoc_files:
76
+ - History.txt
77
+ - Manifest.txt
78
+ - README.txt
79
+ files:
80
+ - History.txt
81
+ - Manifest.txt
82
+ - README.txt
83
+ - Rakefile
84
+ - lib/safe_parser.rb
85
+ - test/test_safe_parser.rb
86
+ homepage: https://github.com/bibstha/ruby_hash_parser
87
+ licenses:
88
+ - MIT
89
+ metadata: {}
90
+ post_install_message:
91
+ rdoc_options:
92
+ - "--main"
93
+ - README.txt
94
+ require_paths:
95
+ - lib
96
+ required_ruby_version: !ruby/object:Gem::Requirement
97
+ requirements:
98
+ - - ">="
99
+ - !ruby/object:Gem::Version
100
+ version: '0'
101
+ required_rubygems_version: !ruby/object:Gem::Requirement
102
+ requirements:
103
+ - - ">="
104
+ - !ruby/object:Gem::Version
105
+ version: '0'
106
+ requirements: []
107
+ rubyforge_project:
108
+ rubygems_version: 2.6.10
109
+ signing_key:
110
+ specification_version: 4
111
+ summary: 'Parses a hash string of the format `''{ :a => "something" }''` into an actual
112
+ ruby hash object `{ a: "something" }`'
113
+ test_files: []