safe_yaml 0.1 → 1.0.5
- checksums.yaml +7 -0
- data/.gitignore +3 -0
- data/.travis.yml +48 -0
- data/CHANGES.md +154 -0
- data/Gemfile +3 -1
- data/LICENSE.txt +22 -0
- data/README.md +191 -0
- data/Rakefile +22 -2
- data/bin/safe_yaml +75 -0
- data/bundle_install_all_ruby_versions.sh +11 -0
- data/lib/safe_yaml.rb +90 -6
- data/lib/safe_yaml/deep.rb +34 -0
- data/lib/safe_yaml/libyaml_checker.rb +36 -0
- data/lib/safe_yaml/load.rb +181 -0
- data/lib/safe_yaml/parse/date.rb +37 -0
- data/lib/safe_yaml/parse/hexadecimal.rb +12 -0
- data/lib/safe_yaml/parse/sexagesimal.rb +26 -0
- data/lib/safe_yaml/psych_handler.rb +99 -0
- data/lib/safe_yaml/psych_resolver.rb +52 -0
- data/lib/safe_yaml/resolver.rb +94 -0
- data/lib/safe_yaml/safe_to_ruby_visitor.rb +29 -0
- data/lib/safe_yaml/store.rb +39 -0
- data/lib/safe_yaml/syck_hack.rb +36 -0
- data/lib/safe_yaml/syck_node_monkeypatch.rb +43 -0
- data/lib/safe_yaml/syck_resolver.rb +38 -0
- data/lib/safe_yaml/transform.rb +41 -0
- data/lib/safe_yaml/transform/to_boolean.rb +21 -0
- data/lib/safe_yaml/transform/to_date.rb +13 -0
- data/lib/safe_yaml/transform/to_float.rb +33 -0
- data/lib/safe_yaml/transform/to_integer.rb +26 -0
- data/lib/safe_yaml/transform/to_nil.rb +18 -0
- data/lib/safe_yaml/transform/to_symbol.rb +17 -0
- data/lib/safe_yaml/transform/transformation_map.rb +47 -0
- data/lib/{version.rb → safe_yaml/version.rb} +1 -1
- data/run_specs_all_ruby_versions.sh +38 -0
- data/safe_yaml.gemspec +11 -8
- data/spec/exploit.1.9.2.yaml +2 -0
- data/spec/exploit.1.9.3.yaml +2 -0
- data/spec/issue48.txt +20 -0
- data/spec/issue49.yml +0 -0
- data/spec/libyaml_checker_spec.rb +69 -0
- data/spec/psych_resolver_spec.rb +10 -0
- data/spec/resolver_specs.rb +278 -0
- data/spec/safe_yaml_spec.rb +697 -23
- data/spec/spec_helper.rb +37 -2
- data/spec/store_spec.rb +57 -0
- data/spec/support/exploitable_back_door.rb +13 -7
- data/spec/syck_resolver_spec.rb +10 -0
- data/spec/transform/base64_spec.rb +11 -0
- data/spec/transform/to_date_spec.rb +60 -0
- data/spec/transform/to_float_spec.rb +42 -0
- data/spec/transform/to_integer_spec.rb +64 -0
- data/spec/transform/to_symbol_spec.rb +51 -0
- data/spec/yaml_spec.rb +15 -0
- metadata +78 -24
- data/Gemfile.lock +0 -28
- data/lib/handler.rb +0 -86
- data/spec/handler_spec.rb +0 -108
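--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -1,7 +1,42 @@
-HERE = File.dirname(__FILE__)
-ROOT = File.join(HERE, "..")
+HERE = File.dirname(__FILE__) unless defined?(HERE)
+ROOT = File.join(HERE, "..") unless defined?(ROOT)
 
 $LOAD_PATH << File.join(ROOT, "lib")
 $LOAD_PATH << File.join(HERE, "support")
 
+require "yaml"
+if ENV["YAMLER"] && defined?(YAML::ENGINE)
+  YAML::ENGINE.yamler = ENV["YAMLER"]
+end
+
+ruby_version = defined?(JRUBY_VERSION) ? "JRuby #{JRUBY_VERSION} in #{RUBY_VERSION} mode" : "Ruby #{RUBY_VERSION}"
+yaml_engine = defined?(YAML::ENGINE) ? YAML::ENGINE.yamler : "syck"
+libyaml_version = yaml_engine == "psych" && Psych.const_defined?("LIBYAML_VERSION", false) ? Psych::LIBYAML_VERSION : "N/A"
+
+env_info = [
+  ruby_version,
+  "YAML: #{yaml_engine} (#{YAML::VERSION}) (libyaml: #{libyaml_version})",
+  "Monkeypatch: #{ENV['MONKEYPATCH_YAML']}"
+]
+
+puts env_info.join(", ")
+
+# Caching references to these methods before loading safe_yaml in order to test
+# that they aren't touched unless you actually require safe_yaml (see yaml_spec.rb).
+ORIGINAL_YAML_LOAD = YAML.method(:load)
+ORIGINAL_YAML_LOAD_FILE = YAML.method(:load_file)
+
+require "safe_yaml/load"
+require "ostruct"
+require "hashie"
 require "heredoc_unindent"
+
+# Stolen from Rails:
+# https://github.com/rails/rails/blob/3-2-stable/activesupport/lib/active_support/core_ext/kernel/reporting.rb#L10-25
+def silence_warnings
+  $VERBOSE = nil; yield
+ensure
+  $VERBOSE = true
+end
+
+require File.join(HERE, "resolver_specs")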
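Review bot: `silence_warnings` (new lines 36–40) unconditionally sets `$VERBOSE = true` in its `ensure`, so a suite started with Ruby's default `$VERBOSE = false` (or `nil` under `-W0`) comes out of the first call with warnings permanently louder than before, and the Rails helper the comment cites does not behave that way — it saves and restores the prior value. Change the body to `old_verbose, $VERBOSE = $VERBOSE, nil` followed by `yield`, and the `ensure` clause to `$VERBOSE = old_verbose`. Splitting `$VERBOSE = nil; yield` onto two lines also removes the only semicolon-joined statement in the file.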
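--- a/data/spec/store_spec.rb
+++ b/data/spec/store_spec.rb
@@ -0,0 +1,57 @@
+require 'spec_helper'
+
+require 'safe_yaml/store'
+
+describe SafeYAML::Store do
+
+  let(:file) { 'spec/store.yaml' }
+  let(:content) { "--- \nfoo: 42\n:bar: \"party\"\n" }
+
+  before do
+    # Rewrite file on every test, as its contents are potentially modified by
+    # SafeYAML::Store#transaction
+    File.open(file, 'w') { |f| f.write(content) }
+  end
+
+  def expect_safe_load(options = {})
+    load_args = [content, options]
+    load_args.insert(1, nil) if SafeYAML::YAML_ENGINE == 'psych'
+
+    expect(SafeYAML).to receive(:load).with(*load_args).and_call_original
+    expect(YAML).not_to receive(:load)
+  end
+
+  let(:init_args) { [file] }
+  subject { described_class.new(*init_args) }
+
+  it 'should be a YAML::Store' do
+    expect(subject).to be_a(YAML::Store)
+  end
+
+  it 'should be a SafeYAML::Store' do
+    expect(subject).to be_a(SafeYAML::Store)
+  end
+
+  it 'should use SafeYAML.load instead of YAML.load' do
+    expect_safe_load
+    expect(subject.transaction { subject['foo'] }).to eq(42)
+  end
+
+  it 'preserves default SafeYAML behavior' do
+    expect(subject.transaction { subject[:bar] }).to eq(nil)
+    expect(subject.transaction { subject[':bar'] }).to eq('party')
+  end
+
+
+  describe 'with options' do
+
+    let(:init_args) { super().insert(2, :deserialize_symbols => true) }
+
+    it 'should accept options for SafeYAML.load' do
+      expect_safe_load(:deserialize_symbols => true)
+      expect(subject.transaction { subject[:bar] }).to eq('party')
+    end
+
+  end
+
+end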
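Review bot: `let(:file) { 'spec/store.yaml' }` (new line 7) is resolved against the process working directory and the file is never removed, so these examples only pass when the suite is launched from the project root, and every run leaves a `spec/store.yaml` behind (the `before` block rewrites it; nothing deletes it). Anchor the path the way spec_helper does, `let(:file) { File.join(HERE, 'store.yaml') }`, and add `after { File.delete(file) if File.exist?(file) }`. On new line 48, `super().insert(2, ...)` turns `[file]` into `[file, nil, {...}]`; presumably the `nil` fills a positional argument the store passes through to `YAML::Store`, but a short comment naming that argument would save the next reader a trip to the constructor.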
@@ -1,23 +1,29 @@
|
|
1
1
|
class ExploitableBackDoor
|
2
|
-
|
2
|
+
def exploited?
|
3
|
+
@exploited_through_setter || @exploited_through_init_with || @exploited_through_ivars
|
4
|
+
end
|
5
|
+
|
6
|
+
def exploited_through_setter?
|
7
|
+
@exploited_through_setter
|
8
|
+
end
|
3
9
|
|
4
|
-
def
|
5
|
-
|
10
|
+
def exploited_through_init_with?
|
11
|
+
@exploited_through_init_with
|
6
12
|
end
|
7
13
|
|
8
|
-
def
|
9
|
-
|
14
|
+
def exploited_through_ivars?
|
15
|
+
self.instance_variables.any?
|
10
16
|
end
|
11
17
|
|
12
18
|
def init_with(command)
|
13
19
|
# Note: this is how bad this COULD be.
|
14
20
|
# system("#{command}")
|
15
|
-
|
21
|
+
@exploited_through_init_with = true
|
16
22
|
end
|
17
23
|
|
18
24
|
def []=(command, arguments)
|
19
25
|
# Note: this is how bad this COULD be.
|
20
26
|
# system("#{command} #{arguments}")
|
21
|
-
|
27
|
+
@exploited_through_setter = true
|
22
28
|
end
|
23
29
|
end
|
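Review bot: `exploited?` (new line 3) reads `@exploited_through_ivars`, which no method in this class assigns — presumably a fixture populates it by writing instance variables directly during deserialization — while the predicate `exploited_through_ivars?` (new line 15) answers a different question, `instance_variables.any?`, which is also true after `init_with` or `[]=` has set its own flag. The two checks therefore disagree about what "exploited through ivars" means; either make the first delegate, `@exploited_through_setter || @exploited_through_init_with || exploited_through_ivars?`, or add a comment above `exploited?` naming the instance variable the YAML fixtures are expected to set. The `self.` receiver on line 15 is redundant. This hunk has no file header on this page; by the file list it appears to be `spec/support/exploitable_back_door.rb`.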
@@ -0,0 +1,11 @@
|
|
1
|
+
require "spec_helper"
|
2
|
+
|
3
|
+
describe SafeYAML::Transform do
|
4
|
+
it "should return the same encoding when decoding Base64" do
|
5
|
+
value = "c3VyZS4="
|
6
|
+
decoded = SafeYAML::Transform.to_proper_type(value, false, "!binary")
|
7
|
+
|
8
|
+
expect(decoded).to eq("sure.")
|
9
|
+
expect(decoded.encoding).to eq(value.encoding) if decoded.respond_to?(:encoding)
|
10
|
+
end
|
11
|
+
end
|
@@ -0,0 +1,60 @@
|
|
1
|
+
require "spec_helper"
|
2
|
+
|
3
|
+
describe SafeYAML::Transform::ToDate do
|
4
|
+
it "returns true when the value matches a valid Date" do
|
5
|
+
expect(subject.transform?("2013-01-01")).to eq([true, Date.parse("2013-01-01")])
|
6
|
+
end
|
7
|
+
|
8
|
+
it "returns false when the value does not match a valid Date" do
|
9
|
+
expect(subject.transform?("foobar")).to be_falsey
|
10
|
+
end
|
11
|
+
|
12
|
+
it "returns false when the value does not end with a Date" do
|
13
|
+
expect(subject.transform?("2013-01-01\nNOT A DATE")).to be_falsey
|
14
|
+
end
|
15
|
+
|
16
|
+
it "returns false when the value does not begin with a Date" do
|
17
|
+
expect(subject.transform?("NOT A DATE\n2013-01-01")).to be_falsey
|
18
|
+
end
|
19
|
+
|
20
|
+
it "correctly parses the remaining formats of the YAML spec" do
|
21
|
+
equivalent_values = [
|
22
|
+
"2001-12-15T02:59:43.1Z", # canonical
|
23
|
+
"2001-12-14t21:59:43.10-05:00", # iso8601
|
24
|
+
"2001-12-14 21:59:43.10 -5", # space separated
|
25
|
+
"2001-12-15 2:59:43.10" # no time zone (Z)
|
26
|
+
]
|
27
|
+
|
28
|
+
equivalent_values.each do |value|
|
29
|
+
success, result = subject.transform?(value)
|
30
|
+
expect(success).to be_truthy
|
31
|
+
expect(result).to eq(Time.utc(2001, 12, 15, 2, 59, 43, 100000))
|
32
|
+
end
|
33
|
+
end
|
34
|
+
|
35
|
+
it "converts times to the local timezone" do
|
36
|
+
success, result = subject.transform?("2012-12-01 10:33:45 +11:00")
|
37
|
+
expect(success).to be_truthy
|
38
|
+
expect(result).to eq(Time.utc(2012, 11, 30, 23, 33, 45))
|
39
|
+
expect(result.gmt_offset).to eq(Time.local(2012, 11, 30).gmt_offset)
|
40
|
+
end
|
41
|
+
|
42
|
+
it "returns strings for invalid dates" do
|
43
|
+
expect(subject.transform?("0000-00-00")).to eq([true, "0000-00-00"])
|
44
|
+
expect(subject.transform?("2013-13-01")).to eq([true, "2013-13-01"])
|
45
|
+
expect(subject.transform?("2014-01-32")).to eq([true, "2014-01-32"])
|
46
|
+
end
|
47
|
+
|
48
|
+
it "returns strings for invalid date/times" do
|
49
|
+
expect(subject.transform?("0000-00-00 00:00:00 -0000")).to eq([true, "0000-00-00 00:00:00 -0000"])
|
50
|
+
expect(subject.transform?("2013-13-01 21:59:43 -05:00")).to eq([true, "2013-13-01 21:59:43 -05:00"])
|
51
|
+
expect(subject.transform?("2013-01-32 21:59:43 -05:00")).to eq([true, "2013-01-32 21:59:43 -05:00"])
|
52
|
+
expect(subject.transform?("2013-01-30 25:59:43 -05:00")).to eq([true, "2013-01-30 25:59:43 -05:00"])
|
53
|
+
expect(subject.transform?("2013-01-30 21:69:43 -05:00")).to eq([true, "2013-01-30 21:69:43 -05:00"])
|
54
|
+
|
55
|
+
# Interesting. It seems that in some older Ruby versions, the below actually parses successfully
|
56
|
+
# w/ DateTime.parse; but it fails w/ YAML.load. Whom to follow???
|
57
|
+
|
58
|
+
# subject.transform?("2013-01-30 21:59:63 -05:00").should == [true, "2013-01-30 21:59:63 -05:00"]
|
59
|
+
end
|
60
|
+
end
|
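Review bot: In "correctly parses the remaining formats of the YAML spec" (new lines 28–32) the four inputs are checked inside one `each`, so a failure reports only the mismatched `Time` and not which of the four strings produced it. Pass the input as the failure message, `expect(success).to be_truthy, "for #{value.inspect}"` and `expect(result).to eq(Time.utc(2001, 12, 15, 2, 59, 43, 100000)), "for #{value.inspect}"`, or turn the array into a set of parameterized examples. The commented-out example on line 58 would be clearer as a `pending` example with the existing note as its reason, so the open question stays visible in the run output.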
@@ -0,0 +1,42 @@
|
|
1
|
+
require "spec_helper"
|
2
|
+
|
3
|
+
describe SafeYAML::Transform::ToFloat do
|
4
|
+
it "returns true when the value matches a valid Float" do
|
5
|
+
expect(subject.transform?("20.00")).to eq([true, 20.0])
|
6
|
+
end
|
7
|
+
|
8
|
+
it "returns false when the value does not match a valid Float" do
|
9
|
+
expect(subject.transform?("foobar")).to be_falsey
|
10
|
+
end
|
11
|
+
|
12
|
+
it "returns false when the value spans multiple lines" do
|
13
|
+
expect(subject.transform?("20.00\nNOT A FLOAT")).to be_falsey
|
14
|
+
end
|
15
|
+
|
16
|
+
it "correctly parses all formats in the YAML spec" do
|
17
|
+
# canonical
|
18
|
+
expect(subject.transform?("6.8523015e+5")).to eq([true, 685230.15])
|
19
|
+
|
20
|
+
# exponentioal
|
21
|
+
expect(subject.transform?("685.230_15e+03")).to eq([true, 685230.15])
|
22
|
+
|
23
|
+
# fixed
|
24
|
+
expect(subject.transform?("685_230.15")).to eq([true, 685230.15])
|
25
|
+
|
26
|
+
# sexagesimal
|
27
|
+
expect(subject.transform?("190:20:30.15")).to eq([true, 685230.15])
|
28
|
+
|
29
|
+
# infinity
|
30
|
+
expect(subject.transform?("-.inf")).to eq([true, (-1.0 / 0.0)])
|
31
|
+
|
32
|
+
# not a number
|
33
|
+
# NOTE: can't use == here since NaN != NaN
|
34
|
+
success, result = subject.transform?(".NaN")
|
35
|
+
expect(success).to be_truthy; expect(result).to be_nan
|
36
|
+
end
|
37
|
+
|
38
|
+
# issue 29
|
39
|
+
it "returns false for the string '.'" do
|
40
|
+
expect(subject.transform?(".")).to be_falsey
|
41
|
+
end
|
42
|
+
end
|
@@ -0,0 +1,64 @@
|
|
1
|
+
require "spec_helper"
|
2
|
+
|
3
|
+
describe SafeYAML::Transform::ToInteger do
|
4
|
+
it "returns true when the value matches a valid Integer" do
|
5
|
+
expect(subject.transform?("10")).to eq([true, 10])
|
6
|
+
end
|
7
|
+
|
8
|
+
it "returns false when the value does not match a valid Integer" do
|
9
|
+
expect(subject.transform?("foobar")).to be_falsey
|
10
|
+
end
|
11
|
+
|
12
|
+
it "returns false when the value spans multiple lines" do
|
13
|
+
expect(subject.transform?("10\nNOT AN INTEGER")).to be_falsey
|
14
|
+
end
|
15
|
+
|
16
|
+
it "allows commas in the number" do
|
17
|
+
expect(subject.transform?("1,000")).to eq([true, 1000])
|
18
|
+
end
|
19
|
+
|
20
|
+
it "correctly parses numbers in octal format" do
|
21
|
+
expect(subject.transform?("010")).to eq([true, 8])
|
22
|
+
end
|
23
|
+
|
24
|
+
it "correctly parses numbers in hexadecimal format" do
|
25
|
+
expect(subject.transform?("0x1FF")).to eq([true, 511])
|
26
|
+
end
|
27
|
+
|
28
|
+
it "defaults to a string for a number that resembles octal format but is not" do
|
29
|
+
expect(subject.transform?("09")).to be_falsey
|
30
|
+
end
|
31
|
+
|
32
|
+
it "correctly parses 0 in decimal" do
|
33
|
+
expect(subject.transform?("0")).to eq([true, 0])
|
34
|
+
end
|
35
|
+
|
36
|
+
it "defaults to a string for a number that resembles hexadecimal format but is not" do
|
37
|
+
expect(subject.transform?("0x1G")).to be_falsey
|
38
|
+
end
|
39
|
+
|
40
|
+
it "correctly parses all formats in the YAML spec" do
|
41
|
+
# canonical
|
42
|
+
expect(subject.transform?("685230")).to eq([true, 685230])
|
43
|
+
|
44
|
+
# decimal
|
45
|
+
expect(subject.transform?("+685_230")).to eq([true, 685230])
|
46
|
+
|
47
|
+
# octal
|
48
|
+
expect(subject.transform?("02472256")).to eq([true, 685230])
|
49
|
+
|
50
|
+
# hexadecimal:
|
51
|
+
expect(subject.transform?("0x_0A_74_AE")).to eq([true, 685230])
|
52
|
+
|
53
|
+
# binary
|
54
|
+
expect(subject.transform?("0b1010_0111_0100_1010_1110")).to eq([true, 685230])
|
55
|
+
|
56
|
+
# sexagesimal
|
57
|
+
expect(subject.transform?("190:20:30")).to eq([true, 685230])
|
58
|
+
end
|
59
|
+
|
60
|
+
# see https://github.com/dtao/safe_yaml/pull/51
|
61
|
+
it "strips out underscores before parsing decimal values" do
|
62
|
+
expect(subject.transform?("_850_")).to eq([true, 850])
|
63
|
+
end
|
64
|
+
end
|
@@ -0,0 +1,51 @@
|
|
1
|
+
require "spec_helper"
|
2
|
+
|
3
|
+
describe SafeYAML::Transform::ToSymbol do
|
4
|
+
def with_symbol_deserialization_value(value)
|
5
|
+
symbol_deserialization_flag = SafeYAML::OPTIONS[:deserialize_symbols]
|
6
|
+
SafeYAML::OPTIONS[:deserialize_symbols] = value
|
7
|
+
|
8
|
+
yield
|
9
|
+
|
10
|
+
ensure
|
11
|
+
SafeYAML::OPTIONS[:deserialize_symbols] = symbol_deserialization_flag
|
12
|
+
end
|
13
|
+
|
14
|
+
def with_symbol_deserialization(&block)
|
15
|
+
with_symbol_deserialization_value(true, &block)
|
16
|
+
end
|
17
|
+
|
18
|
+
def without_symbol_deserialization(&block)
|
19
|
+
with_symbol_deserialization_value(false, &block)
|
20
|
+
end
|
21
|
+
|
22
|
+
it "returns true when the value matches a valid Symbol" do
|
23
|
+
with_symbol_deserialization { expect(subject.transform?(":foo")[0]).to be_truthy }
|
24
|
+
end
|
25
|
+
|
26
|
+
it "returns true when the value matches a valid String+Symbol" do
|
27
|
+
with_symbol_deserialization { expect(subject.transform?(':"foo"')[0]).to be_truthy }
|
28
|
+
end
|
29
|
+
|
30
|
+
it "returns true when the value matches a valid String+Symbol with 's" do
|
31
|
+
with_symbol_deserialization { expect(subject.transform?(":'foo'")[0]).to be_truthy }
|
32
|
+
end
|
33
|
+
|
34
|
+
it "returns true when the value has special characters and is wrapped in a String" do
|
35
|
+
with_symbol_deserialization { expect(subject.transform?(':"foo.bar"')[0]).to be_truthy }
|
36
|
+
end
|
37
|
+
|
38
|
+
it "returns false when symbol deserialization is disabled" do
|
39
|
+
without_symbol_deserialization { expect(subject.transform?(":foo")).to be_falsey }
|
40
|
+
end
|
41
|
+
|
42
|
+
it "returns false when the value does not match a valid Symbol" do
|
43
|
+
with_symbol_deserialization { expect(subject.transform?("foo")).to be_falsey }
|
44
|
+
end
|
45
|
+
|
46
|
+
it "returns false when the symbol does not begin the line" do
|
47
|
+
with_symbol_deserialization do
|
48
|
+
expect(subject.transform?("NOT A SYMBOL\n:foo")).to be_falsey
|
49
|
+
end
|
50
|
+
end
|
51
|
+
end
|
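--- a/data/spec/yaml_spec.rb
+++ b/data/spec/yaml_spec.rb
@@ -0,0 +1,15 @@
+# See https://github.com/dtao/safe_yaml/issues/47
+
+require "spec_helper"
+
+describe YAML do
+  context "when you've only required safe_yaml/load", :libraries => true do
+    it "YAML.load doesn't get monkey patched" do
+      expect(YAML.method(:load)).to eq(ORIGINAL_YAML_LOAD)
+    end
+
+    it "YAML.load_file doesn't get monkey patched" do
+      expect(YAML.method(:load_file)).to eq(ORIGINAL_YAML_LOAD_FILE)
+    end
+  end
+end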
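Review bot: The two expectations (new lines 8 and 12) hold only if nothing loaded earlier in the same process has required `safe_yaml` rather than `safe_yaml/load`: spec_helper captures `ORIGINAL_YAML_LOAD` before `require "safe_yaml/load"`, and any later `require "safe_yaml"` would replace `YAML.load` for the whole process. The `:libraries => true` tag presumably lets the runner execute this file in isolation, but that mechanism is not visible here, so a comment on the `context` line such as `# Must run in a process that has never required "safe_yaml"; an earlier require anywhere makes these fail` would make the precondition explicit for whoever reorganizes the suite.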
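--- a/metadata
+++ b/metadata
@@ -1,62 +1,116 @@
 --- !ruby/object:Gem::Specification
 name: safe_yaml
 version: !ruby/object:Gem::Version
-  version:
-  prerelease:
+  version: 1.0.5
 platform: ruby
 authors:
 - Dan Tao
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2019-02-22 00:00:00.000000000 Z
 dependencies: []
-description: Parse
-
-
--
-executables: []
+description: Parse YAML safely
+email: daniel.tao@gmail.com
+executables:
+- safe_yaml
 extensions: []
 extra_rdoc_files: []
 files:
+- .gitignore
+- .travis.yml
+- CHANGES.md
 - Gemfile
--
+- LICENSE.txt
+- README.md
 - Rakefile
--
+- bin/safe_yaml
+- bundle_install_all_ruby_versions.sh
 - lib/safe_yaml.rb
-- lib/
+- lib/safe_yaml/deep.rb
+- lib/safe_yaml/libyaml_checker.rb
+- lib/safe_yaml/load.rb
+- lib/safe_yaml/parse/date.rb
+- lib/safe_yaml/parse/hexadecimal.rb
+- lib/safe_yaml/parse/sexagesimal.rb
+- lib/safe_yaml/psych_handler.rb
+- lib/safe_yaml/psych_resolver.rb
+- lib/safe_yaml/resolver.rb
+- lib/safe_yaml/safe_to_ruby_visitor.rb
+- lib/safe_yaml/store.rb
+- lib/safe_yaml/syck_hack.rb
+- lib/safe_yaml/syck_node_monkeypatch.rb
+- lib/safe_yaml/syck_resolver.rb
+- lib/safe_yaml/transform.rb
+- lib/safe_yaml/transform/to_boolean.rb
+- lib/safe_yaml/transform/to_date.rb
+- lib/safe_yaml/transform/to_float.rb
+- lib/safe_yaml/transform/to_integer.rb
+- lib/safe_yaml/transform/to_nil.rb
+- lib/safe_yaml/transform/to_symbol.rb
+- lib/safe_yaml/transform/transformation_map.rb
+- lib/safe_yaml/version.rb
+- run_specs_all_ruby_versions.sh
 - safe_yaml.gemspec
-- spec/
+- spec/exploit.1.9.2.yaml
+- spec/exploit.1.9.3.yaml
+- spec/issue48.txt
+- spec/issue49.yml
+- spec/libyaml_checker_spec.rb
+- spec/psych_resolver_spec.rb
+- spec/resolver_specs.rb
 - spec/safe_yaml_spec.rb
 - spec/spec_helper.rb
+- spec/store_spec.rb
 - spec/support/exploitable_back_door.rb
-
-
+- spec/syck_resolver_spec.rb
+- spec/transform/base64_spec.rb
+- spec/transform/to_date_spec.rb
+- spec/transform/to_float_spec.rb
+- spec/transform/to_integer_spec.rb
+- spec/transform/to_symbol_spec.rb
+- spec/yaml_spec.rb
+homepage: https://github.com/dtao/safe_yaml
+licenses:
+- MIT
+metadata: {}
 post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - -
+  - - '>='
     - !ruby/object:Gem::Version
-      version:
+      version: 1.8.7
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - -
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version:
+rubygems_version: 2.6.14
 signing_key:
-specification_version:
-summary: SameYAML
-
+specification_version: 4
+summary: SameYAML provides an alternative implementation of YAML.load suitable for
+  accepting user input in Ruby applications.
 test_files:
-- spec/
+- spec/exploit.1.9.2.yaml
+- spec/exploit.1.9.3.yaml
+- spec/issue48.txt
+- spec/issue49.yml
+- spec/libyaml_checker_spec.rb
+- spec/psych_resolver_spec.rb
+- spec/resolver_specs.rb
 - spec/safe_yaml_spec.rb
 - spec/spec_helper.rb
+- spec/store_spec.rb
 - spec/support/exploitable_back_door.rb
+- spec/syck_resolver_spec.rb
+- spec/transform/base64_spec.rb
+- spec/transform/to_date_spec.rb
+- spec/transform/to_float_spec.rb
+- spec/transform/to_integer_spec.rb
+- spec/transform/to_symbol_spec.rb
+- spec/yaml_spec.rb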