safe_yaml 0.1 → 1.0.5

data/spec/spec_helper.rb

@@ -1,7 +1,42 @@
-HERE = File.dirname(__FILE__)
-ROOT = File.join(HERE, "..")
+HERE = File.dirname(__FILE__) unless defined?(HERE)
+ROOT = File.join(HERE, "..") unless defined?(ROOT)
 
 $LOAD_PATH << File.join(ROOT, "lib")
 $LOAD_PATH << File.join(HERE, "support")
 
+require "yaml"
+if ENV["YAMLER"] && defined?(YAML::ENGINE)
+  YAML::ENGINE.yamler = ENV["YAMLER"]
+end
+
+ruby_version = defined?(JRUBY_VERSION) ? "JRuby #{JRUBY_VERSION} in #{RUBY_VERSION} mode" : "Ruby #{RUBY_VERSION}"
+yaml_engine = defined?(YAML::ENGINE) ? YAML::ENGINE.yamler : "syck"
+libyaml_version = yaml_engine == "psych" && Psych.const_defined?("LIBYAML_VERSION", false) ? Psych::LIBYAML_VERSION : "N/A"
+
+env_info = [
+  ruby_version,
+  "YAML: #{yaml_engine} (#{YAML::VERSION}) (libyaml: #{libyaml_version})",
+  "Monkeypatch: #{ENV['MONKEYPATCH_YAML']}"
+]
+
+puts env_info.join(", ")
+
+# Caching references to these methods before loading safe_yaml in order to test
+# that they aren't touched unless you actually require safe_yaml (see yaml_spec.rb).
+ORIGINAL_YAML_LOAD      = YAML.method(:load)
+ORIGINAL_YAML_LOAD_FILE = YAML.method(:load_file)
+
+require "safe_yaml/load"
+require "ostruct"
+require "hashie"
 require "heredoc_unindent"
+
+# Stolen from Rails:
+# https://github.com/rails/rails/blob/3-2-stable/activesupport/lib/active_support/core_ext/kernel/reporting.rb#L10-25
+def silence_warnings
+  $VERBOSE = nil; yield
+ensure
+  $VERBOSE = true
+end
+
+require File.join(HERE, "resolver_specs")

data/spec/store_spec.rb

@@ -0,0 +1,57 @@
+require 'spec_helper'
+
+require 'safe_yaml/store'
+
+describe SafeYAML::Store do
+
+  let(:file)    { 'spec/store.yaml' }
+  let(:content) { "--- \nfoo: 42\n:bar: \"party\"\n" }
+
+  before do
+    # Rewrite file on every test, as its contents are potentially modified by
+    # SafeYAML::Store#transaction
+    File.open(file, 'w') { |f| f.write(content) }
+  end
+
+  def expect_safe_load(options = {})
+    load_args = [content, options]
+    load_args.insert(1, nil) if SafeYAML::YAML_ENGINE == 'psych'
+
+    expect(SafeYAML).to receive(:load).with(*load_args).and_call_original
+    expect(YAML).not_to receive(:load)
+  end
+
+  let(:init_args) { [file] }
+  subject { described_class.new(*init_args) }
+
+  it 'should be a YAML::Store' do
+    expect(subject).to be_a(YAML::Store)
+  end
+
+  it 'should be a SafeYAML::Store' do
+    expect(subject).to be_a(SafeYAML::Store)
+  end
+
+  it 'should use SafeYAML.load instead of YAML.load' do
+    expect_safe_load
+    expect(subject.transaction { subject['foo'] }).to eq(42)
+  end
+
+  it 'preserves default SafeYAML behavior' do
+    expect(subject.transaction { subject[:bar] }).to eq(nil)
+    expect(subject.transaction { subject[':bar'] }).to eq('party')
+  end
+
+
+  describe 'with options' do
+
+    let(:init_args) { super().insert(2, :deserialize_symbols => true) }
+
+    it 'should accept options for SafeYAML.load' do
+      expect_safe_load(:deserialize_symbols => true)
+      expect(subject.transaction { subject[:bar] }).to eq('party')
+    end
+
+  end
+
+end

data/spec/support/exploitable_back_door.rb

@@ -1,23 +1,29 @@
 class ExploitableBackDoor
-  @@exploited = false
+  def exploited?
+    @exploited_through_setter || @exploited_through_init_with || @exploited_through_ivars
+  end
+
+  def exploited_through_setter?
+    @exploited_through_setter
+  end
 
-  def self.exploited?
-    @@exploited
+  def exploited_through_init_with?
+    @exploited_through_init_with
   end
 
-  def self.reset
-    @@exploited = false
+  def exploited_through_ivars?
+    self.instance_variables.any?
   end
 
   def init_with(command)
     # Note: this is how bad this COULD be.
     # system("#{command}")
-    @@exploited = true
+    @exploited_through_init_with = true
   end
 
   def []=(command, arguments)
     # Note: this is how bad this COULD be.
     # system("#{command} #{arguments}")
-    @@exploited = true
+    @exploited_through_setter = true
   end
 end

data/spec/syck_resolver_spec.rb

@@ -0,0 +1,10 @@
+require "spec_helper"
+
+if SafeYAML::YAML_ENGINE == "syck"
+  require "safe_yaml/syck_resolver"
+
+  describe SafeYAML::SyckResolver do
+    include ResolverSpecs
+    let(:resolver) { SafeYAML::SyckResolver.new }
+  end
+end

data/spec/transform/base64_spec.rb

@@ -0,0 +1,11 @@
+require "spec_helper"
+
+describe SafeYAML::Transform do
+  it "should return the same encoding when decoding Base64" do
+    value = "c3VyZS4="
+    decoded = SafeYAML::Transform.to_proper_type(value, false, "!binary")
+
+    expect(decoded).to eq("sure.")
+    expect(decoded.encoding).to eq(value.encoding) if decoded.respond_to?(:encoding)
+  end
+end

data/spec/transform/to_date_spec.rb

@@ -0,0 +1,60 @@
+require "spec_helper"
+
+describe SafeYAML::Transform::ToDate do
+  it "returns true when the value matches a valid Date" do
+    expect(subject.transform?("2013-01-01")).to eq([true, Date.parse("2013-01-01")])
+  end
+
+  it "returns false when the value does not match a valid Date" do
+    expect(subject.transform?("foobar")).to be_falsey
+  end
+
+  it "returns false when the value does not end with a Date" do
+    expect(subject.transform?("2013-01-01\nNOT A DATE")).to be_falsey
+  end
+
+  it "returns false when the value does not begin with a Date" do
+    expect(subject.transform?("NOT A DATE\n2013-01-01")).to be_falsey
+  end
+
+  it "correctly parses the remaining formats of the YAML spec" do
+    equivalent_values = [
+      "2001-12-15T02:59:43.1Z", # canonical
+      "2001-12-14t21:59:43.10-05:00", # iso8601
+      "2001-12-14 21:59:43.10 -5", # space separated
+      "2001-12-15 2:59:43.10" # no time zone (Z)
+    ]
+
+    equivalent_values.each do |value|
+      success, result = subject.transform?(value)
+      expect(success).to be_truthy
+      expect(result).to eq(Time.utc(2001, 12, 15, 2, 59, 43, 100000))
+    end
+  end
+
+  it "converts times to the local timezone" do
+    success, result = subject.transform?("2012-12-01 10:33:45 +11:00")
+    expect(success).to be_truthy
+    expect(result).to eq(Time.utc(2012, 11, 30, 23, 33, 45))
+    expect(result.gmt_offset).to eq(Time.local(2012, 11, 30).gmt_offset)
+  end
+
+  it "returns strings for invalid dates" do
+    expect(subject.transform?("0000-00-00")).to eq([true, "0000-00-00"])
+    expect(subject.transform?("2013-13-01")).to eq([true, "2013-13-01"])
+    expect(subject.transform?("2014-01-32")).to eq([true, "2014-01-32"])
+  end
+
+  it "returns strings for invalid date/times" do
+    expect(subject.transform?("0000-00-00 00:00:00 -0000")).to eq([true, "0000-00-00 00:00:00 -0000"])
+    expect(subject.transform?("2013-13-01 21:59:43 -05:00")).to eq([true, "2013-13-01 21:59:43 -05:00"])
+    expect(subject.transform?("2013-01-32 21:59:43 -05:00")).to eq([true, "2013-01-32 21:59:43 -05:00"])
+    expect(subject.transform?("2013-01-30 25:59:43 -05:00")).to eq([true, "2013-01-30 25:59:43 -05:00"])
+    expect(subject.transform?("2013-01-30 21:69:43 -05:00")).to eq([true, "2013-01-30 21:69:43 -05:00"])
+
+    # Interesting. It seems that in some older Ruby versions, the below actually parses successfully
+    # w/ DateTime.parse; but it fails w/ YAML.load. Whom to follow???
+
+    # subject.transform?("2013-01-30 21:59:63 -05:00").should == [true, "2013-01-30 21:59:63 -05:00"]
+  end
+end

data/spec/transform/to_float_spec.rb

@@ -0,0 +1,42 @@
+require "spec_helper"
+
+describe SafeYAML::Transform::ToFloat do
+  it "returns true when the value matches a valid Float" do
+    expect(subject.transform?("20.00")).to eq([true, 20.0])
+  end
+
+  it "returns false when the value does not match a valid Float" do
+    expect(subject.transform?("foobar")).to be_falsey
+  end
+
+  it "returns false when the value spans multiple lines" do
+    expect(subject.transform?("20.00\nNOT A FLOAT")).to be_falsey
+  end
+
+  it "correctly parses all formats in the YAML spec" do
+    # canonical
+    expect(subject.transform?("6.8523015e+5")).to eq([true, 685230.15])
+
+    # exponentioal
+    expect(subject.transform?("685.230_15e+03")).to eq([true, 685230.15])
+
+    # fixed
+    expect(subject.transform?("685_230.15")).to eq([true, 685230.15])
+
+    # sexagesimal
+    expect(subject.transform?("190:20:30.15")).to eq([true, 685230.15])
+
+    # infinity
+    expect(subject.transform?("-.inf")).to eq([true, (-1.0 / 0.0)])
+
+    # not a number
+    # NOTE: can't use == here since NaN != NaN
+    success, result = subject.transform?(".NaN")
+    expect(success).to be_truthy; expect(result).to be_nan
+  end
+
+  # issue 29
+  it "returns false for the string '.'" do
+    expect(subject.transform?(".")).to be_falsey
+  end
+end

data/spec/transform/to_integer_spec.rb

@@ -0,0 +1,64 @@
+require "spec_helper"
+
+describe SafeYAML::Transform::ToInteger do
+  it "returns true when the value matches a valid Integer" do
+    expect(subject.transform?("10")).to eq([true, 10])
+  end
+
+  it "returns false when the value does not match a valid Integer" do
+    expect(subject.transform?("foobar")).to be_falsey
+  end
+
+  it "returns false when the value spans multiple lines" do
+    expect(subject.transform?("10\nNOT AN INTEGER")).to be_falsey
+  end
+
+  it "allows commas in the number" do
+    expect(subject.transform?("1,000")).to eq([true, 1000])
+  end
+
+  it "correctly parses numbers in octal format" do
+    expect(subject.transform?("010")).to eq([true, 8])
+  end
+
+  it "correctly parses numbers in hexadecimal format" do
+    expect(subject.transform?("0x1FF")).to eq([true, 511])
+  end
+
+  it "defaults to a string for a number that resembles octal format but is not" do
+    expect(subject.transform?("09")).to be_falsey
+  end
+
+  it "correctly parses 0 in decimal" do
+    expect(subject.transform?("0")).to eq([true, 0])
+  end
+
+  it "defaults to a string for a number that resembles hexadecimal format but is not" do
+    expect(subject.transform?("0x1G")).to be_falsey
+  end
+
+  it "correctly parses all formats in the YAML spec" do
+    # canonical
+    expect(subject.transform?("685230")).to eq([true, 685230])
+
+    # decimal
+    expect(subject.transform?("+685_230")).to eq([true, 685230])
+
+    # octal
+    expect(subject.transform?("02472256")).to eq([true, 685230])
+
+    # hexadecimal:
+    expect(subject.transform?("0x_0A_74_AE")).to eq([true, 685230])
+
+    # binary
+    expect(subject.transform?("0b1010_0111_0100_1010_1110")).to eq([true, 685230])
+
+    # sexagesimal
+    expect(subject.transform?("190:20:30")).to eq([true, 685230])
+  end
+
+  # see https://github.com/dtao/safe_yaml/pull/51
+  it "strips out underscores before parsing decimal values" do
+    expect(subject.transform?("_850_")).to eq([true, 850])
+  end
+end

data/spec/transform/to_symbol_spec.rb

@@ -0,0 +1,51 @@
+require "spec_helper"
+
+describe SafeYAML::Transform::ToSymbol do
+  def with_symbol_deserialization_value(value)
+    symbol_deserialization_flag = SafeYAML::OPTIONS[:deserialize_symbols]
+    SafeYAML::OPTIONS[:deserialize_symbols] = value
+
+    yield
+
+  ensure
+    SafeYAML::OPTIONS[:deserialize_symbols] = symbol_deserialization_flag
+  end
+
+  def with_symbol_deserialization(&block)
+    with_symbol_deserialization_value(true, &block)
+  end
+
+  def without_symbol_deserialization(&block)
+    with_symbol_deserialization_value(false, &block)
+  end
+
+  it "returns true when the value matches a valid Symbol" do
+    with_symbol_deserialization { expect(subject.transform?(":foo")[0]).to be_truthy }
+  end
+
+  it "returns true when the value matches a valid String+Symbol" do
+    with_symbol_deserialization { expect(subject.transform?(':"foo"')[0]).to be_truthy }
+  end
+
+  it "returns true when the value matches a valid String+Symbol with 's" do
+    with_symbol_deserialization { expect(subject.transform?(":'foo'")[0]).to be_truthy }
+  end
+
+  it "returns true when the value has special characters and is wrapped in a String" do
+    with_symbol_deserialization { expect(subject.transform?(':"foo.bar"')[0]).to be_truthy }
+  end
+
+  it "returns false when symbol deserialization is disabled" do
+    without_symbol_deserialization { expect(subject.transform?(":foo")).to be_falsey }
+  end
+
+  it "returns false when the value does not match a valid Symbol" do
+    with_symbol_deserialization { expect(subject.transform?("foo")).to be_falsey }
+  end
+
+  it "returns false when the symbol does not begin the line" do
+    with_symbol_deserialization do
+      expect(subject.transform?("NOT A SYMBOL\n:foo")).to be_falsey
+    end
+  end
+end

data/spec/yaml_spec.rb

@@ -0,0 +1,15 @@
+# See https://github.com/dtao/safe_yaml/issues/47
+
+require "spec_helper"
+
+describe YAML do
+  context "when you've only required safe_yaml/load", :libraries => true do
+    it "YAML.load doesn't get monkey patched" do
+      expect(YAML.method(:load)).to eq(ORIGINAL_YAML_LOAD)
+    end
+
+    it "YAML.load_file doesn't get monkey patched" do
+      expect(YAML.method(:load_file)).to eq(ORIGINAL_YAML_LOAD_FILE)
+    end
+  end
+end

metadata

@@ -1,62 +1,116 @@
 --- !ruby/object:Gem::Specification
 name: safe_yaml
 version: !ruby/object:Gem::Version
-  version: '0.1'
-  prerelease: 
+  version: 1.0.5
 platform: ruby
 authors:
 - Dan Tao
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-01-17 00:00:00.000000000 Z
+date: 2019-02-22 00:00:00.000000000 Z
 dependencies: []
-description: Parse (simple) YAML safely, without that pesky arbitrary code execution
-  vulnerability.
-email:
-- daniel.tao@gmail.com
-executables: []
+description: Parse YAML safely
+email: daniel.tao@gmail.com
+executables:
+- safe_yaml
 extensions: []
 extra_rdoc_files: []
 files:
+- .gitignore
+- .travis.yml
+- CHANGES.md
 - Gemfile
-- Gemfile.lock
+- LICENSE.txt
+- README.md
 - Rakefile
-- lib/handler.rb
+- bin/safe_yaml
+- bundle_install_all_ruby_versions.sh
 - lib/safe_yaml.rb
-- lib/version.rb
+- lib/safe_yaml/deep.rb
+- lib/safe_yaml/libyaml_checker.rb
+- lib/safe_yaml/load.rb
+- lib/safe_yaml/parse/date.rb
+- lib/safe_yaml/parse/hexadecimal.rb
+- lib/safe_yaml/parse/sexagesimal.rb
+- lib/safe_yaml/psych_handler.rb
+- lib/safe_yaml/psych_resolver.rb
+- lib/safe_yaml/resolver.rb
+- lib/safe_yaml/safe_to_ruby_visitor.rb
+- lib/safe_yaml/store.rb
+- lib/safe_yaml/syck_hack.rb
+- lib/safe_yaml/syck_node_monkeypatch.rb
+- lib/safe_yaml/syck_resolver.rb
+- lib/safe_yaml/transform.rb
+- lib/safe_yaml/transform/to_boolean.rb
+- lib/safe_yaml/transform/to_date.rb
+- lib/safe_yaml/transform/to_float.rb
+- lib/safe_yaml/transform/to_integer.rb
+- lib/safe_yaml/transform/to_nil.rb
+- lib/safe_yaml/transform/to_symbol.rb
+- lib/safe_yaml/transform/transformation_map.rb
+- lib/safe_yaml/version.rb
+- run_specs_all_ruby_versions.sh
 - safe_yaml.gemspec
-- spec/handler_spec.rb
+- spec/exploit.1.9.2.yaml
+- spec/exploit.1.9.3.yaml
+- spec/issue48.txt
+- spec/issue49.yml
+- spec/libyaml_checker_spec.rb
+- spec/psych_resolver_spec.rb
+- spec/resolver_specs.rb
 - spec/safe_yaml_spec.rb
 - spec/spec_helper.rb
+- spec/store_spec.rb
 - spec/support/exploitable_back_door.rb
-homepage: http://dtao.github.com/safe_yaml/
-licenses: []
+- spec/syck_resolver_spec.rb
+- spec/transform/base64_spec.rb
+- spec/transform/to_date_spec.rb
+- spec/transform/to_float_spec.rb
+- spec/transform/to_integer_spec.rb
+- spec/transform/to_symbol_spec.rb
+- spec/yaml_spec.rb
+homepage: https://github.com/dtao/safe_yaml
+licenses:
+- MIT
+metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.8.7
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.24
+rubygems_version: 2.6.14
 signing_key: 
-specification_version: 3
-summary: SameYAML adds a ::safe_load method to Ruby's built-in YAML module to parse
-  YAML data for only basic types (strings, symbols, numbers, arrays, and hashes).
+specification_version: 4
+summary: SameYAML provides an alternative implementation of YAML.load suitable for
+  accepting user input in Ruby applications.
 test_files:
-- spec/handler_spec.rb
+- spec/exploit.1.9.2.yaml
+- spec/exploit.1.9.3.yaml
+- spec/issue48.txt
+- spec/issue49.yml
+- spec/libyaml_checker_spec.rb
+- spec/psych_resolver_spec.rb
+- spec/resolver_specs.rb
 - spec/safe_yaml_spec.rb
 - spec/spec_helper.rb
+- spec/store_spec.rb
 - spec/support/exploitable_back_door.rb
+- spec/syck_resolver_spec.rb
+- spec/transform/base64_spec.rb
+- spec/transform/to_date_spec.rb
+- spec/transform/to_float_spec.rb
+- spec/transform/to_integer_spec.rb
+- spec/transform/to_symbol_spec.rb
+- spec/yaml_spec.rb