safe_yaml-instructure 0.8.0

data/spec/spec_helper.rb

@@ -0,0 +1,15 @@
+HERE = File.dirname(__FILE__) unless defined?(HERE)
+ROOT = File.join(HERE, "..") unless defined?(ROOT)
+
+$LOAD_PATH << File.join(ROOT, "lib")
+$LOAD_PATH << File.join(HERE, "support")
+
+if ENV["YAMLER"] && defined?(YAML::ENGINE)
+  require "yaml"
+  YAML::ENGINE.yamler = ENV["YAMLER"]
+  puts "Running specs in Ruby #{RUBY_VERSION} with '#{YAML::ENGINE.yamler}' YAML engine."
+end
+
+require "safe_yaml"
+require "hashie"
+require "heredoc_unindent"

data/spec/support/exploitable_back_door.rb

@@ -0,0 +1,29 @@
+class ExploitableBackDoor
+  def exploited?
+    @exploited_through_setter || @exploited_through_init_with || @exploited_through_ivars
+  end
+
+  def exploited_through_setter?
+    @exploited_through_setter
+  end
+
+  def exploited_through_init_with?
+    @exploited_through_init_with
+  end
+
+  def exploited_through_ivars?
+    self.instance_variables.any?
+  end
+
+  def init_with(command)
+    # Note: this is how bad this COULD be.
+    # system("#{command}")
+    @exploited_through_init_with = true
+  end
+
+  def []=(command, arguments)
+    # Note: this is how bad this COULD be.
+    # system("#{command} #{arguments}")
+    @exploited_through_setter = true
+  end
+end

data/spec/whitelist_spec.rb

@@ -0,0 +1,46 @@
+require File.join(File.dirname(__FILE__), "spec_helper")
+
+describe SafeYAML::Whitelist do
+  let(:whitelist) { SafeYAML::Whitelist.new }
+
+  it "should start with the default whitelist" do
+    whitelist.allowed.size.should > 0
+  end
+
+  it "should allow inserting and deleting tags" do
+    whitelist.check('test1', nil).should == nil
+    whitelist.add('test1')
+    whitelist.check('test1', nil).should == :cacheable
+    whitelist.remove('test1')
+    whitelist.check('test1', nil).should == nil
+  end
+
+  it "should allow using a block" do
+    whitelist.add('test1') { |val| val == 'ok' }
+    whitelist.check('test1', 'bad').should == nil
+    whitelist.check('test1', 'ok').should == :allowed
+    whitelist.check('test1', 'bad').should == nil
+    whitelist.remove('test1')
+    whitelist.check('test1', 'ok').should == nil
+  end
+
+  it "overwrites on second add" do
+    whitelist.add('test1') { |val| val == 'ok' }
+    whitelist.add('test1') { |val| val == 'second' }
+    whitelist.check('test1', 'ok').should == nil
+    whitelist.check('test1', 'second').should == :allowed
+  end
+
+  it "should allow caching the block response" do
+    counter = 0
+    whitelist.add('test1') { |val| val == 'ok' && (counter += 1) && :cacheable }
+    whitelist.check('test1', 'bad').should == nil
+    whitelist.check('test1', 'ok').should == :cacheable
+    whitelist.check('test1', 'bad').should == nil
+    whitelist.check('test1', 'ok').should == :cacheable
+    whitelist.check('test1', 'ok').should == :cacheable
+    counter.should == 1
+    whitelist.remove('test1')
+    whitelist.check('test1', 'ok').should == nil
+  end
+end

data/spec/yaml_load_spec.rb

@@ -0,0 +1,150 @@
+require File.join(File.dirname(__FILE__), "spec_helper")
+
+describe "safe_load" do
+  let(:result) { @result }
+  def parse(yaml)
+    @result = YAML.load(yaml.unindent)
+  end
+
+  before :each do
+    YAML.disable_symbol_parsing!
+    SafeYAML::OPTIONS[:suppress_warnings] = true
+  end
+
+  context "by default" do
+    it "translates maps to hashes" do
+      parse <<-YAML
+        potayto: potahto
+        tomayto: tomahto
+      YAML
+
+      result.should == {
+        "potayto" => "potahto",
+        "tomayto" => "tomahto"
+      }
+    end
+
+    it "translates sequences to arrays" do
+      parse <<-YAML
+        - foo
+        - bar
+        - baz
+      YAML
+
+      result.should == ["foo", "bar", "baz"]
+    end
+
+    it "translates most values to strings" do
+      parse "string: value"
+      result.should == { "string" => "value" }
+    end
+
+    it "does not deserialize symbols" do
+      expect { parse ":symbol: value" }.to raise_error(SafeYAML::UnsafeTagError)
+    end
+
+    it "translates valid integral numbers to integers" do
+      parse "integer: 1"
+      result.should == { "integer" => 1 }
+    end
+
+    it "translates valid decimal numbers to floats" do
+      parse "float: 3.14"
+      result.should == { "float" => 3.14 }
+    end
+
+    it "translates valid dates" do
+      parse "date: 2013-01-24"
+      result.should == { "date" => Date.parse("2013-01-24") }
+    end
+
+    it "translates valid true/false values to booleans" do
+      parse <<-YAML
+        - yes
+        - true
+        - no
+        - false
+      YAML
+
+      result.should == [true, true, false, false]
+    end
+
+    it "translates valid nulls to nil" do
+      parse <<-YAML
+        - 
+        - ~
+        - null
+      YAML
+
+      result.should == [nil] * 3
+    end
+
+    it "translates quoted empty strings to strings (not nil)" do
+      parse "foo: ''"
+      result.should == { "foo" => "" }
+    end
+
+    it "correctly reverse-translates strings encoded via #to_yaml" do
+      parse "5.10".to_yaml
+      result.should == "5.10"
+    end
+
+    it "does not treat quoted strings as symbols" do
+      parse <<-YAML
+        - ":abcd"
+        - ':abcd'
+      YAML
+
+      result.should == [":abcd", ":abcd"]
+    end
+
+    it "deals just fine with nested maps" do
+      parse <<-YAML
+        foo:
+          bar:
+            marco: polo
+      YAML
+
+      result.should == { "foo" => { "bar" => { "marco" => "polo" } } }
+    end
+
+    it "deals just fine with nested sequences" do
+      parse <<-YAML
+        - foo
+        -
+          - bar1
+          - bar2
+          -
+            - baz1
+            - baz2
+      YAML
+
+      result.should == ["foo", ["bar1", "bar2", ["baz1", "baz2"]]]
+    end
+  end
+
+  context "with symbol parsing enabled" do
+    before :each do
+      YAML.enable_symbol_parsing!
+    end
+
+    after :each do
+      YAML.disable_symbol_parsing!
+    end
+
+    it "translates values starting with ':' to symbols" do
+      parse "symbol: :value"
+      result.should == { "symbol" => :value }
+    end
+
+    it "applies the same transformation to keys" do
+      parse ":bar: symbol"
+      result.should == { :bar  => "symbol" }
+    end
+
+    it "applies the same transformation to elements in sequences" do
+      parse "- :bar"
+      result.should == [:bar]
+    end
+  end
+end

metadata

@@ -0,0 +1,166 @@
+--- !ruby/object:Gem::Specification 
+name: safe_yaml-instructure
+version: !ruby/object:Gem::Version 
+  hash: 63
+  prerelease: 
+  segments: 
+  - 0
+  - 8
+  - 0
+  version: 0.8.0
+platform: ruby
+authors: 
+- Dan Tao
+- Brian Palmer
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2013-02-15 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: hashie
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: heredoc_unindent
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: rake
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency 
+  name: travis-lint
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id005
+description: Parse YAML safely, without that pesky arbitrary object deserialization vulnerability
+email: brianp@instructure.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- .gitignore
+- .travis.yml
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/safe_yaml.rb
+- lib/safe_yaml/psych_tag_verifier.rb
+- lib/safe_yaml/syck_tag_verifier.rb
+- lib/safe_yaml/tag_verifier.rb
+- lib/safe_yaml/version.rb
+- lib/safe_yaml/whitelist.rb
+- run_specs_all_ruby_versions.sh
+- safe_yaml.gemspec
+- spec/exploit.1.9.2.yaml
+- spec/exploit.1.9.3.yaml
+- spec/ok.yaml
+- spec/safe_yaml_spec.rb
+- spec/spec_helper.rb
+- spec/support/exploitable_back_door.rb
+- spec/whitelist_spec.rb
+- spec/yaml_load_spec.rb
+homepage: http://github.com/instructure/safe_yaml/
+licenses: 
+- MIT
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 57
+      segments: 
+      - 1
+      - 8
+      - 7
+      version: 1.8.7
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.8.15
+signing_key: 
+specification_version: 3
+summary: SameYAML provides an alternative implementation of YAML.load suitable for accepting user input in Ruby applications.
+test_files: 
+- spec/exploit.1.9.2.yaml
+- spec/exploit.1.9.3.yaml
+- spec/ok.yaml
+- spec/safe_yaml_spec.rb
+- spec/spec_helper.rb
+- spec/support/exploitable_back_door.rb
+- spec/whitelist_spec.rb
+- spec/yaml_load_spec.rb
+has_rdoc: