safe_yaml 0.1 → 1.0.5

data/bin/safe_yaml

@@ -0,0 +1,75 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH << File.join(File.dirname(__FILE__), '..', 'lib')
+
+require 'optparse'
+require 'safe_yaml/load'
+
+options = {}
+option_parser = OptionParser.new do |opts|
+  opts.banner = "Usage: safe_yaml [options]"
+
+  opts.on("-f", "--file=<path>", "Parse the given YAML file, dump the result to STDOUT") do |file|
+    options[:file] = file
+  end
+
+  opts.on("--libyaml-check", "Check for libyaml vulnerability CVE-2014-2525 on your system") do
+    options[:libyaml_check] = true
+  end
+end
+
+option_parser.parse!
+
+def report_libyaml_ok
+  puts "\e[32mGood news! You definitely have either a patched or up-to-date libyaml version :)\e[39m"
+end
+
+def check_for_overflow_bug
+  YAML.load("--- !#{'%20' * 100}")
+  report_libyaml_ok
+end
+
+def perform_libyaml_check(force=false)
+  unless SafeYAML::LibyamlChecker.libyaml_version_ok?
+    warn <<-EOM.gsub(/^ +/, '  ')
+
+      \e[33mSafeYAML Warning\e[39m
+      \e[33m----------------\e[39m
+
+      \e[31mYou may have an outdated version of libyaml (#{SafeYAML::LibyamlChecker::LIBYAML_VERSION}) installed on your system.\e[39m
+
+      Prior to 0.1.6, libyaml is vulnerable to a heap overflow exploit from malicious YAML payloads.
+
+      For more info, see:
+      https://www.ruby-lang.org/en/news/2014/03/29/heap-overflow-in-yaml-uri-escape-parsing-cve-2014-2525/
+    EOM
+  end
+
+  puts <<-EOM.gsub(/^ +/, '  ')
+
+    Hit Enter to check if your version of libyaml is vulnerable. This will run a test \e[31mwhich may crash\e[39m
+    \e[31mthe current process\e[39m. If it does, your system is vulnerable and you should do something about it.
+
+    Type "nm" and hit Enter if you don't want to run the check.
+
+    See the project wiki for more info:
+
+    https://github.com/dtao/safe_yaml/wiki/The-libyaml-vulnerability
+  EOM
+
+  if STDIN.readline.chomp("\n") != 'nm'
+    check_for_overflow_bug
+  end
+end
+
+if options[:libyaml_check]
+  perform_libyaml_check(options[:force_libyaml_check])
+
+elsif options[:file]
+  yaml = File.read(options[:file])
+  result = SafeYAML.load(yaml)
+  puts result.inspect
+
+else
+  puts option_parser.help
+end

data/bundle_install_all_ruby_versions.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+[[ -s "$HOME/.rvm/scripts/rvm" ]] && . "$HOME/.rvm/scripts/rvm"
+
+declare -a versions=("1.8.7" "1.9.2" "1.9.3" "2.0.0" "2.1.0" "2.1.1" "2.1.2" "ruby-head" "jruby")
+
+for i in "${versions[@]}"
+do
+  rvm use $i
+  bundle install
+done

data/lib/safe_yaml.rb

@@ -1,10 +1,94 @@
-require "yaml"
-require "handler"
+require "safe_yaml/load"
 
 module YAML
-  def self.safe_load(yaml)
-    safe_handler = SafeYAML::Handler.new
-    Psych::Parser.new(safe_handler).parse(yaml)
-    return safe_handler.result
+  def self.load_with_options(yaml, *original_arguments)
+    filename, options = filename_and_options_from_arguments(original_arguments)
+    safe_mode = safe_mode_from_options("load", options)
+    arguments = [yaml]
+
+    if safe_mode == :safe
+      arguments << filename if SafeYAML::YAML_ENGINE == "psych"
+      arguments << options_for_safe_load(options)
+      safe_load(*arguments)
+    else
+      arguments << filename if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
+      unsafe_load(*arguments)
+    end
+  end
+
+  def self.load_file_with_options(file, options={})
+    safe_mode = safe_mode_from_options("load_file", options)
+    if safe_mode == :safe
+      safe_load_file(file, options_for_safe_load(options))
+    else
+      unsafe_load_file(file)
+    end
+  end
+
+  def self.safe_load(*args)
+    SafeYAML.load(*args)
+  end
+
+  def self.safe_load_file(*args)
+    SafeYAML.load_file(*args)
+  end
+
+  if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
+    def self.unsafe_load_file(filename)
+      # https://github.com/tenderlove/psych/blob/v1.3.2/lib/psych.rb#L296-298
+      File.open(filename, 'r:bom|utf-8') { |f| self.unsafe_load(f, filename) }
+    end
+
+  else
+    def self.unsafe_load_file(filename)
+      # https://github.com/tenderlove/psych/blob/v1.2.2/lib/psych.rb#L231-233
+      self.unsafe_load File.open(filename)
+    end
+  end
+
+  class << self
+    alias_method :unsafe_load, :load
+    alias_method :load, :load_with_options
+    alias_method :load_file, :load_file_with_options
+
+    private
+    def filename_and_options_from_arguments(arguments)
+      if arguments.count == 1
+        if arguments.first.is_a?(String)
+          return arguments.first, {}
+        else
+          return nil, arguments.first || {}
+        end
+
+      else
+        return arguments.first, arguments.last || {}
+      end
+    end
+
+    def safe_mode_from_options(method, options={})
+      if options[:safe].nil?
+        safe_mode = SafeYAML::OPTIONS[:default_mode] || :safe
+
+        if SafeYAML::OPTIONS[:default_mode].nil? && !SafeYAML::OPTIONS[:suppress_warnings]
+
+          Kernel.warn <<-EOWARNING.gsub(/^\s+/, '')
+            Called '#{method}' without the :safe option -- defaulting to #{safe_mode} mode.
+            You can avoid this warning in the future by setting the SafeYAML::OPTIONS[:default_mode] option (to :safe or :unsafe).
+          EOWARNING
+
+          SafeYAML::OPTIONS[:suppress_warnings] = true
+        end
+
+        return safe_mode
+      end
+
+      options[:safe] ? :safe : :unsafe
+    end
+
+    def options_for_safe_load(base_options)
+      options = base_options.dup
+      options.delete(:safe)
+      options
+    end
   end
 end

data/lib/safe_yaml/deep.rb

@@ -0,0 +1,34 @@
+module SafeYAML
+  class Deep
+    def self.freeze(object)
+      object.each do |*entry|
+        value = entry.last
+        case value
+        when String, Regexp
+          value.freeze
+        when Enumerable
+          Deep.freeze(value)
+        end
+      end
+
+      return object.freeze
+    end
+
+    def self.copy(object)
+      duplicate = object.dup rescue object
+
+      case object
+      when Array
+        (0...duplicate.count).each do |i|
+          duplicate[i] = Deep.copy(duplicate[i])
+        end
+      when Hash
+        duplicate.keys.each do |key|
+          duplicate[key] = Deep.copy(duplicate[key])
+        end
+      end
+
+      duplicate
+    end
+  end
+end

data/lib/safe_yaml/libyaml_checker.rb

@@ -0,0 +1,36 @@
+require "set"
+
+module SafeYAML
+  class LibyamlChecker
+    LIBYAML_VERSION = Psych::LIBYAML_VERSION rescue nil
+
+    # Do proper version comparison (e.g. so 0.1.10 is >= 0.1.6)
+    SAFE_LIBYAML_VERSION = Gem::Version.new("0.1.6")
+
+    KNOWN_PATCHED_LIBYAML_VERSIONS = Set.new([
+      # http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-2525.html
+      "0.1.4-2ubuntu0.12.04.3",
+      "0.1.4-2ubuntu0.12.10.3",
+      "0.1.4-2ubuntu0.13.10.3",
+      "0.1.4-3ubuntu3",
+
+      # https://security-tracker.debian.org/tracker/CVE-2014-2525
+      "0.1.3-1+deb6u4",
+      "0.1.4-2+deb7u4",
+      "0.1.4-3.2"
+    ]).freeze
+
+    def self.libyaml_version_ok?
+      return true if YAML_ENGINE != "psych" || defined?(JRUBY_VERSION)
+      return true if Gem::Version.new(LIBYAML_VERSION || "0") >= SAFE_LIBYAML_VERSION
+      return libyaml_patched?
+    end
+
+    def self.libyaml_patched?
+      return false if (`which dpkg` rescue '').empty?
+      libyaml_version = `dpkg -s libyaml-0-2`.match(/^Version: (.*)$/)
+      return false if libyaml_version.nil?
+      KNOWN_PATCHED_LIBYAML_VERSIONS.include?(libyaml_version[1])
+    end
+  end
+end

data/lib/safe_yaml/load.rb

@@ -0,0 +1,181 @@
+require "set"
+require "yaml"
+
+# This needs to be defined up front in case any internal classes need to base
+# their behavior off of this.
+module SafeYAML
+  YAML_ENGINE = defined?(YAML::ENGINE) ? YAML::ENGINE.yamler : (defined?(Psych) && YAML == Psych ? "psych" : "syck")
+end
+
+require "safe_yaml/libyaml_checker"
+require "safe_yaml/deep"
+require "safe_yaml/parse/hexadecimal"
+require "safe_yaml/parse/sexagesimal"
+require "safe_yaml/parse/date"
+require "safe_yaml/transform/transformation_map"
+require "safe_yaml/transform/to_boolean"
+require "safe_yaml/transform/to_date"
+require "safe_yaml/transform/to_float"
+require "safe_yaml/transform/to_integer"
+require "safe_yaml/transform/to_nil"
+require "safe_yaml/transform/to_symbol"
+require "safe_yaml/transform"
+require "safe_yaml/resolver"
+require "safe_yaml/syck_hack" if SafeYAML::YAML_ENGINE == "syck" && defined?(JRUBY_VERSION)
+
+module SafeYAML
+  MULTI_ARGUMENT_YAML_LOAD = YAML.method(:load).arity != 1
+
+  DEFAULT_OPTIONS = Deep.freeze({
+    :default_mode         => nil,
+    :suppress_warnings    => false,
+    :deserialize_symbols  => false,
+    :whitelisted_tags     => [],
+    :custom_initializers  => {},
+    :raise_on_unknown_tag => false
+  })
+
+  OPTIONS = Deep.copy(DEFAULT_OPTIONS)
+
+  PREDEFINED_TAGS = {}
+
+  if YAML_ENGINE == "syck"
+    YAML.tagged_classes.each do |tag, klass|
+      PREDEFINED_TAGS[klass] = tag
+    end
+
+  else
+    # Special tags appear to be hard-coded in Psych:
+    # https://github.com/tenderlove/psych/blob/v1.3.4/lib/psych/visitors/to_ruby.rb
+    # Fortunately, there aren't many that SafeYAML doesn't already support.
+    PREDEFINED_TAGS.merge!({
+      Exception => "!ruby/exception",
+      Range     => "!ruby/range",
+      Regexp    => "!ruby/regexp",
+    })
+  end
+
+  Deep.freeze(PREDEFINED_TAGS)
+
+  module_function
+
+  def restore_defaults!
+    OPTIONS.clear.merge!(Deep.copy(DEFAULT_OPTIONS))
+  end
+
+  def tag_safety_check!(tag, options)
+    return if tag.nil? || tag == "!"
+    if options[:raise_on_unknown_tag] && !options[:whitelisted_tags].include?(tag) && !tag_is_explicitly_trusted?(tag)
+      raise "Unknown YAML tag '#{tag}'"
+    end
+  end
+
+  def whitelist!(*classes)
+    classes.each do |klass|
+      whitelist_class!(klass)
+    end
+  end
+
+  def whitelist_class!(klass)
+    raise "#{klass} not a Class" unless klass.is_a?(::Class)
+
+    klass_name = klass.name
+    raise "#{klass} cannot be anonymous" if klass_name.nil? || klass_name.empty?
+
+    # Whitelist any built-in YAML tags supplied by Syck or Psych.
+    predefined_tag = PREDEFINED_TAGS[klass]
+    if predefined_tag
+      OPTIONS[:whitelisted_tags] << predefined_tag
+      return
+    end
+
+    # Exception is exceptional (har har).
+    tag_class  = klass < Exception ? "exception" : "object"
+
+    tag_prefix = case YAML_ENGINE
+                 when "psych" then "!ruby/#{tag_class}"
+                 when "syck"  then "tag:ruby.yaml.org,2002:#{tag_class}"
+                 else raise "unknown YAML_ENGINE #{YAML_ENGINE}"
+                 end
+    OPTIONS[:whitelisted_tags] << "#{tag_prefix}:#{klass_name}"
+  end
+
+  if YAML_ENGINE == "psych"
+    def tag_is_explicitly_trusted?(tag)
+      false
+    end
+
+  else
+    TRUSTED_TAGS = Set.new([
+      "tag:yaml.org,2002:binary",
+      "tag:yaml.org,2002:bool#no",
+      "tag:yaml.org,2002:bool#yes",
+      "tag:yaml.org,2002:float",
+      "tag:yaml.org,2002:float#fix",
+      "tag:yaml.org,2002:int",
+      "tag:yaml.org,2002:map",
+      "tag:yaml.org,2002:null",
+      "tag:yaml.org,2002:seq",
+      "tag:yaml.org,2002:str",
+      "tag:yaml.org,2002:timestamp",
+      "tag:yaml.org,2002:timestamp#ymd"
+    ]).freeze
+
+    def tag_is_explicitly_trusted?(tag)
+      TRUSTED_TAGS.include?(tag)
+    end
+  end
+
+  if SafeYAML::YAML_ENGINE == "psych"
+    require "safe_yaml/psych_handler"
+    require "safe_yaml/psych_resolver"
+    require "safe_yaml/safe_to_ruby_visitor"
+
+    def self.load(yaml, filename=nil, options={})
+      # If the user hasn't whitelisted any tags, we can go with this implementation which is
+      # significantly faster.
+      if (options && options[:whitelisted_tags] || SafeYAML::OPTIONS[:whitelisted_tags]).empty?
+        safe_handler = SafeYAML::PsychHandler.new(options) do |result|
+          return result
+        end
+        arguments_for_parse = [yaml]
+        arguments_for_parse << filename if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
+        Psych::Parser.new(safe_handler).parse(*arguments_for_parse)
+        return safe_handler.result
+
+      else
+        safe_resolver = SafeYAML::PsychResolver.new(options)
+        tree = SafeYAML::MULTI_ARGUMENT_YAML_LOAD ?
+          Psych.parse(yaml, filename) :
+          Psych.parse(yaml)
+        return safe_resolver.resolve_node(tree)
+      end
+    end
+
+    def self.load_file(filename, options={})
+      if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
+        File.open(filename, 'r:bom|utf-8') { |f| self.load(f, filename, options) }
+
+      else
+        # Ruby pukes on 1.9.2 if we try to open an empty file w/ 'r:bom|utf-8';
+        # so we'll not specify those flags here. This mirrors the behavior for
+        # unsafe_load_file so it's probably preferable anyway.
+        self.load File.open(filename), nil, options
+      end
+    end
+
+  else
+    require "safe_yaml/syck_resolver"
+    require "safe_yaml/syck_node_monkeypatch"
+
+    def self.load(yaml, options={})
+      resolver = SafeYAML::SyckResolver.new(SafeYAML::OPTIONS.merge(options || {}))
+      tree = YAML.parse(yaml)
+      return resolver.resolve_node(tree)
+    end
+
+    def self.load_file(filename, options={})
+      File.open(filename) { |f| self.load(f, options) }
+    end
+  end
+end

data/lib/safe_yaml/parse/date.rb

@@ -0,0 +1,37 @@
+require 'time'
+
+module SafeYAML
+  class Parse
+    class Date
+      # This one's easy enough :)
+      DATE_MATCHER = /\A(\d{4})-(\d{2})-(\d{2})\Z/.freeze
+
+      # This unbelievable little gem is taken basically straight from the YAML spec, but made
+      # slightly more readable (to my poor eyes at least) to me:
+      # http://yaml.org/type/timestamp.html
+      TIME_MATCHER = /\A\d{4}-\d{1,2}-\d{1,2}(?:[Tt]|\s+)\d{1,2}:\d{2}:\d{2}(?:\.\d*)?\s*(?:Z|[-+]\d{1,2}(?::?\d{2})?)?\Z/.freeze
+
+      SECONDS_PER_DAY = 60 * 60 * 24
+      MICROSECONDS_PER_SECOND = 1000000
+
+      # So this is weird. In Ruby 1.8.7, the DateTime#sec_fraction method returned fractional
+      # seconds in units of DAYS for some reason. In 1.9.2, they changed the units -- much more
+      # reasonably -- to seconds.
+      SEC_FRACTION_MULTIPLIER = RUBY_VERSION == "1.8.7" ? (SECONDS_PER_DAY * MICROSECONDS_PER_SECOND) : MICROSECONDS_PER_SECOND
+
+      # The DateTime class has a #to_time method in Ruby 1.9+;
+      # Before that we'll just need to convert DateTime to Time ourselves.
+      TO_TIME_AVAILABLE = DateTime.instance_methods.include?(:to_time)
+
+      def self.value(value)
+        d = DateTime.parse(value)
+
+        return d.to_time if TO_TIME_AVAILABLE
+
+        usec = d.sec_fraction * SEC_FRACTION_MULTIPLIER
+        time = Time.utc(d.year, d.month, d.day, d.hour, d.min, d.sec, usec) - (d.offset * SECONDS_PER_DAY)
+        time.getlocal
+      end
+    end
+  end
+end