safe_yaml 0.1

data/Gemfile

@@ -0,0 +1,9 @@
+source :rubygems
+
+gemspec
+
+group :development do
+  gem "heredoc_unindent"
+  gem "rake"
+  gem "rspec"
+end

data/Gemfile.lock

@@ -0,0 +1,28 @@
+PATH
+  remote: .
+  specs:
+    safe_yaml (0.1)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    diff-lcs (1.1.3)
+    heredoc_unindent (1.1.2)
+    rake (10.0.3)
+    rspec (2.12.0)
+      rspec-core (~> 2.12.0)
+      rspec-expectations (~> 2.12.0)
+      rspec-mocks (~> 2.12.0)
+    rspec-core (2.12.2)
+    rspec-expectations (2.12.1)
+      diff-lcs (~> 1.1.3)
+    rspec-mocks (2.12.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  heredoc_unindent
+  rake
+  rspec
+  safe_yaml!

data/Rakefile

@@ -0,0 +1,6 @@
+require "rspec/core/rake_task"
+
+desc "Run specs"
+RSpec::Core::RakeTask.new(:spec) do |t|
+  t.rspec_opts = %w(--color --format d)
+end

data/lib/handler.rb

@@ -0,0 +1,86 @@
+require "yaml"
+
+module SafeYAML
+  class Handler < Psych::Handler
+    def initialize
+      @stack = []
+    end
+
+    def result
+      @result
+    end
+
+    def add_to_current_structure(value)
+      if @result.nil?
+        @result = value
+        @current_structure = @result
+        return
+      end
+
+      case @current_structure
+      when Array
+        @current_structure.push(transform_value(value))
+
+      when Hash
+        if @current_key.nil?
+          @current_key = transform_value(value)
+        else
+          @current_structure[@current_key] = transform_value(value)
+          @current_key = nil
+        end
+
+      else
+        raise "Don't know how to add to a #{@current_structure.class}!"
+      end
+    end
+
+    def transform_value(value)
+      if value.is_a?(String)
+        if value.match(/^:\w+$/)
+          return value[1..-1].to_sym
+
+        elsif value.match(/^\d+$/)
+          return value.to_i
+
+        elsif value.match(/^\d+(?:\.\d*)?$/) || value.match(/^\.\d+$/)
+          return value.to_f
+        end
+      end
+
+      value
+    end
+
+    def streaming?
+      false
+    end
+
+    # event handlers
+    def scalar(value, anchor, tag, plain, quoted, style)
+      add_to_current_structure(value)
+    end
+
+    def start_mapping(*args) # anchor, tag, implicit, style
+      map = {}
+      self.add_to_current_structure(map)
+      @current_structure = map
+      @stack.push(map)
+    end
+
+    def end_mapping
+      @stack.pop
+      @current_structure = @stack.last
+    end
+
+    def start_sequence(*args) # anchor, tag, implicit, style
+      seq = []
+      self.add_to_current_structure(seq)
+      @current_structure = seq
+      @stack.push(seq)
+    end
+
+    def end_sequence
+      @stack.pop
+      @current_structure = @stack.last
+    end
+  end
+end

data/lib/safe_yaml.rb

@@ -0,0 +1,10 @@
+require "yaml"
+require "handler"
+
+module YAML
+  def self.safe_load(yaml)
+    safe_handler = SafeYAML::Handler.new
+    Psych::Parser.new(safe_handler).parse(yaml)
+    return safe_handler.result
+  end
+end

data/lib/version.rb

@@ -0,0 +1,3 @@
+module SafeYAML
+  VERSION = "0.1"
+end

data/safe_yaml.gemspec

@@ -0,0 +1,16 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path("../lib/version", __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.name          = "safe_yaml"
+  gem.authors       = ["Dan Tao"]
+  gem.email         = ["daniel.tao@gmail.com"]
+  gem.description   = %q{Parse (simple) YAML safely, without that pesky arbitrary code execution vulnerability.}
+  gem.summary       = %q{SameYAML adds a ::safe_load method to Ruby's built-in YAML module to parse YAML data for only basic types (strings, symbols, numbers, arrays, and hashes).}
+  gem.homepage      = "http://dtao.github.com/safe_yaml/"
+
+  gem.files         = `git ls-files`.split($\)
+  gem.test_files    = gem.files.grep(%r{^spec/})
+  gem.require_paths = ["lib"]
+  gem.version       = SafeYAML::VERSION
+end

data/spec/handler_spec.rb

@@ -0,0 +1,108 @@
+require File.join(File.dirname(__FILE__), "spec_helper")
+
+require "handler"
+
+describe SafeYAML::Handler do
+  let(:handler) { SafeYAML::Handler.new }
+  let(:parser) { Psych::Parser.new(handler) }
+  let(:result) { handler.result }
+
+  def parse(yaml)
+    parser.parse(yaml.unindent)
+  end
+
+  it "translates most values to strings" do
+    parser.parse "key: value"
+    result.should == { "key" => "value" }
+  end
+
+  it "translates values starting with ':' to symbols" do
+    parser.parse ":key: value"
+    result.should == { :key => "value" }
+  end
+
+  it "translates valid integral numbers to integers" do
+    parser.parse "integer: 1"
+    result.should == { "integer" => 1 }
+  end
+
+  it "translates valid decimal numbers to floats" do
+    parser.parse "float: 3.14"
+    result.should == { "float" => 3.14 }
+  end
+
+  it "applies the same transformations to values as to keys" do
+    parse <<-YAML
+      string: value
+      symbol: :value
+      integer: 1
+      float: 3.14
+    YAML
+
+    result.should == {
+      "string" => "value",
+      "symbol" => :value,
+      "integer" => 1,
+      "float" => 3.14
+    }
+  end
+
+  it "translates sequences to arrays" do
+    parse <<-YAML
+      - foo
+      - bar
+      - baz
+    YAML
+
+    result.should == ["foo", "bar", "baz"]
+  end
+
+  it "applies the same transformations to elements in sequences as to all values" do
+    parse <<-YAML
+      - string
+      - :symbol
+      - 1
+      - 3.14
+    YAML
+
+    result.should == ["string", :symbol, 1, 3.14]
+  end
+
+  it "translates maps to hashes" do
+    parse <<-YAML
+      foo: blah
+      bar: glah
+      baz: flah
+    YAML
+
+    result.should == {
+      "foo" => "blah",
+      "bar" => "glah",
+      "baz" => "flah"
+    }
+  end
+
+  it "applies the same transformations to values in hashes as to all values" do
+    parse <<-YAML
+      foo: :symbol
+      bar: 1
+      baz: 3.14
+    YAML
+
+    result.should == {
+      "foo" => :symbol,
+      "bar" => 1,
+      "baz" => 3.14
+    }
+  end
+
+  it "deals just fine with nested maps" do
+    parse <<-YAML
+      foo:
+        bar:
+          marco: polo
+    YAML
+
+    result.should == { "foo" => { "bar" => { "marco" => "polo" } } }
+  end
+end

data/spec/safe_yaml_spec.rb

@@ -0,0 +1,57 @@
+require File.join(File.dirname(__FILE__), "spec_helper")
+
+require "safe_yaml"
+require "exploitable_back_door"
+
+describe YAML do
+  before :each do
+    ExploitableBackDoor.reset
+  end
+
+  describe "load" do
+    if RUBY_VERSION >= "1.9.3"
+      it "allows exploits through objects defined in YAML w/ !ruby/hash" do
+        YAML.load "--- !ruby/hash:ExploitableBackDoor\nfoo: bar\n"
+        ExploitableBackDoor.should be_exploited
+      end
+    end
+
+    it "allows exploits through objects defined in YAML w/ !ruby/object" do
+      YAML.load "--- !ruby/object:ExploitableBackDoor\nfoo: bar\n"
+      ExploitableBackDoor.should be_exploited
+    end
+  end
+
+  describe "safe_load" do
+    it "does NOT allow exploits through objects defined in YAML w/ !ruby/object" do
+      YAML.safe_load "--- !ruby/object:ExploitableBackDoor\nfoo: bar\n"
+      ExploitableBackDoor.should_not be_exploited
+    end
+
+    it "does NOT allow exploits through objects defined in YAML w/ !ruby/hash" do
+      YAML.safe_load "--- !ruby/hash:ExploitableBackDoor\nfoo: bar\n"
+      ExploitableBackDoor.should_not be_exploited
+    end
+
+    it "loads a plain ol' YAML document just fine" do
+      result = YAML.safe_load <<-YAML.unindent
+        foo:
+          number: 1
+          string: Hello, there!
+          symbol: :blah
+          sequence:
+            - hi
+            - bye
+      YAML
+
+      result.should == {
+        "foo" => {
+          "number" => 1,
+          "string" => "Hello, there!",
+          "symbol" => :blah,
+          "sequence" => ["hi", "bye"]
+        }
+      }
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,7 @@
+HERE = File.dirname(__FILE__)
+ROOT = File.join(HERE, "..")
+
+$LOAD_PATH << File.join(ROOT, "lib")
+$LOAD_PATH << File.join(HERE, "support")
+
+require "heredoc_unindent"

data/spec/support/exploitable_back_door.rb

@@ -0,0 +1,23 @@
+class ExploitableBackDoor
+  @@exploited = false
+
+  def self.exploited?
+    @@exploited
+  end
+
+  def self.reset
+    @@exploited = false
+  end
+
+  def init_with(command)
+    # Note: this is how bad this COULD be.
+    # system("#{command}")
+    @@exploited = true
+  end
+
+  def []=(command, arguments)
+    # Note: this is how bad this COULD be.
+    # system("#{command} #{arguments}")
+    @@exploited = true
+  end
+end

metadata

@@ -0,0 +1,62 @@
+--- !ruby/object:Gem::Specification
+name: safe_yaml
+version: !ruby/object:Gem::Version
+  version: '0.1'
+  prerelease: 
+platform: ruby
+authors:
+- Dan Tao
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-01-17 00:00:00.000000000 Z
+dependencies: []
+description: Parse (simple) YAML safely, without that pesky arbitrary code execution
+  vulnerability.
+email:
+- daniel.tao@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- Gemfile.lock
+- Rakefile
+- lib/handler.rb
+- lib/safe_yaml.rb
+- lib/version.rb
+- safe_yaml.gemspec
+- spec/handler_spec.rb
+- spec/safe_yaml_spec.rb
+- spec/spec_helper.rb
+- spec/support/exploitable_back_door.rb
+homepage: http://dtao.github.com/safe_yaml/
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: SameYAML adds a ::safe_load method to Ruby's built-in YAML module to parse
+  YAML data for only basic types (strings, symbols, numbers, arrays, and hashes).
+test_files:
+- spec/handler_spec.rb
+- spec/safe_yaml_spec.rb
+- spec/spec_helper.rb
+- spec/support/exploitable_back_door.rb