safe_yaml 0.5.1 → 0.5.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/.gitignore +1 -0
- data/lib/safe_yaml/transform/to_time.rb +4 -1
- data/lib/safe_yaml/version.rb +1 -1
- data/safe_yaml.gemspec +1 -1
- data/spec/safe_yaml_spec.rb +0 -4
- data/spec/shared_specs.rb +32 -38
- metadata +2 -3
- data/Gemfile.lock +0 -28
data/.gitignore
CHANGED
|
@@ -8,7 +8,10 @@ module SafeYAML
|
|
|
8
8
|
def transform?(value)
|
|
9
9
|
return false unless MATCHER.match(value)
|
|
10
10
|
datetime = DateTime.parse(value) rescue nil
|
|
11
|
-
|
|
11
|
+
if datetime.respond_to?(:to_time)
|
|
12
|
+
return true, datetime.to_time
|
|
13
|
+
end
|
|
14
|
+
false
|
|
12
15
|
end
|
|
13
16
|
end
|
|
14
17
|
end
|
data/lib/safe_yaml/version.rb
CHANGED
data/safe_yaml.gemspec
CHANGED
|
@@ -8,7 +8,7 @@ Gem::Specification.new do |gem|
|
|
|
8
8
|
gem.email = "daniel.tao@gmail.com"
|
|
9
9
|
gem.description = %q{Parse YAML safely, without that pesky arbitrary code execution vulnerability}
|
|
10
10
|
gem.summary = %q{SameYAML provides an alternative implementation of YAML.load suitable for accepting user input in Ruby applications.}
|
|
11
|
-
gem.homepage = "http://github.com/
|
|
11
|
+
gem.homepage = "http://dtao.github.com/safe_yaml/"
|
|
12
12
|
|
|
13
13
|
gem.files = `git ls-files`.split($\)
|
|
14
14
|
gem.test_files = gem.files.grep(%r{^spec/})
|
data/spec/safe_yaml_spec.rb
CHANGED
|
@@ -13,9 +13,7 @@ describe YAML do
|
|
|
13
13
|
backdoor = YAML.orig_load("--- !ruby/hash:ExploitableBackDoor\nfoo: bar\n")
|
|
14
14
|
backdoor.should be_exploited_through_setter
|
|
15
15
|
end
|
|
16
|
-
end
|
|
17
16
|
|
|
18
|
-
if RUBY_VERSION >= "1.9.2"
|
|
19
17
|
it "allows exploits through objects defined in YAML w/ !ruby/object via the :init_with method" do
|
|
20
18
|
backdoor = YAML.orig_load("--- !ruby/object:ExploitableBackDoor\nfoo: bar\n")
|
|
21
19
|
backdoor.should be_exploited_through_init_with
|
|
@@ -110,9 +108,7 @@ describe YAML do
|
|
|
110
108
|
backdoor = YAML.orig_load_file "spec/exploit.1.9.3.yaml"
|
|
111
109
|
backdoor.should be_exploited_through_setter
|
|
112
110
|
end
|
|
113
|
-
end
|
|
114
111
|
|
|
115
|
-
if RUBY_VERSION >= "1.9.2"
|
|
116
112
|
it "allows exploits through objects defined in YAML w/ !ruby/object via the :init_with method" do
|
|
117
113
|
backdoor = YAML.orig_load_file "spec/exploit.1.9.2.yaml"
|
|
118
114
|
backdoor.should be_exploited_through_init_with
|
data/spec/shared_specs.rb
CHANGED
|
@@ -1,5 +1,3 @@
|
|
|
1
|
-
require File.join(File.dirname(__FILE__), "spec_helper")
|
|
2
|
-
|
|
3
1
|
module SharedSpecs
|
|
4
2
|
def self.included(base)
|
|
5
3
|
base.instance_eval do
|
|
@@ -51,11 +49,6 @@ module SharedSpecs
|
|
|
51
49
|
result.should == { "date" => Date.parse("2013-01-24") }
|
|
52
50
|
end
|
|
53
51
|
|
|
54
|
-
it "translates valid time values" do
|
|
55
|
-
parse "time: 2013-01-29 05:58:00 -0800"
|
|
56
|
-
result.should == { "time" => Time.new(2013, 1, 29, 5, 58, 0, "-08:00") }
|
|
57
|
-
end
|
|
58
|
-
|
|
59
52
|
it "translates valid true/false values to booleans" do
|
|
60
53
|
parse <<-YAML
|
|
61
54
|
- yes
|
|
@@ -108,7 +101,6 @@ module SharedSpecs
|
|
|
108
101
|
1: integer
|
|
109
102
|
3.14: float
|
|
110
103
|
2013-01-24: date
|
|
111
|
-
2013-01-29 05:58:00 -0800: time
|
|
112
104
|
YAML
|
|
113
105
|
|
|
114
106
|
result.should == {
|
|
@@ -117,7 +109,6 @@ module SharedSpecs
|
|
|
117
109
|
1 => "integer",
|
|
118
110
|
3.14 => "float",
|
|
119
111
|
Date.parse("2013-01-24") => "date",
|
|
120
|
-
Time.new(2013, 1, 29, 5, 58, 0, "-08:00") => "time"
|
|
121
112
|
}
|
|
122
113
|
end
|
|
123
114
|
|
|
@@ -128,10 +119,34 @@ module SharedSpecs
|
|
|
128
119
|
- 1
|
|
129
120
|
- 3.14
|
|
130
121
|
- 2013-01-24
|
|
131
|
-
- 2013-01-29 05:58:00 -0800
|
|
132
122
|
YAML
|
|
133
123
|
|
|
134
|
-
result.should == ["foo", ":bar", 1, 3.14, Date.parse("2013-01-24")
|
|
124
|
+
result.should == ["foo", ":bar", 1, 3.14, Date.parse("2013-01-24")]
|
|
125
|
+
end
|
|
126
|
+
end
|
|
127
|
+
|
|
128
|
+
context "for Ruby version #{RUBY_VERSION}" do
|
|
129
|
+
if RUBY_VERSION >= "1.9.2"
|
|
130
|
+
it "translates valid time values" do
|
|
131
|
+
parse "time: 2013-01-29 05:58:00 -0800"
|
|
132
|
+
result.should == { "time" => Time.new(2013, 1, 29, 5, 58, 0, "-08:00") }
|
|
133
|
+
end
|
|
134
|
+
|
|
135
|
+
it "applies the same transformation to keys" do
|
|
136
|
+
parse "2013-01-29 05:58:00 -0800: time"
|
|
137
|
+
result.should == { Time.new(2013, 1, 29, 5, 58, 0, "-08:00") => "time" }
|
|
138
|
+
end
|
|
139
|
+
|
|
140
|
+
it "applies the same transformation to elements in sequences" do
|
|
141
|
+
parse "- 2013-01-29 05:58:00 -0800"
|
|
142
|
+
result.should == [Time.new(2013, 1, 29, 5, 58, 0, "-08:00")]
|
|
143
|
+
end
|
|
144
|
+
|
|
145
|
+
else
|
|
146
|
+
it "does not deserialize times" do
|
|
147
|
+
parse "time: 2013-01-29 05:58:00 -0800"
|
|
148
|
+
result.should == { "time" => "2013-01-29 05:58:00 -0800" }
|
|
149
|
+
end
|
|
135
150
|
end
|
|
136
151
|
end
|
|
137
152
|
|
|
@@ -145,37 +160,16 @@ module SharedSpecs
|
|
|
145
160
|
result.should == { "symbol" => :value }
|
|
146
161
|
end
|
|
147
162
|
|
|
148
|
-
it "applies the same
|
|
149
|
-
parse
|
|
150
|
-
foo: string
|
|
151
|
-
:bar: symbol
|
|
152
|
-
1: integer
|
|
153
|
-
3.14: float
|
|
154
|
-
2013-01-24: date
|
|
155
|
-
2013-01-29 05:58:00 -0800: time
|
|
156
|
-
YAML
|
|
163
|
+
it "applies the same transformation to keys" do
|
|
164
|
+
parse ":bar: symbol"
|
|
157
165
|
|
|
158
|
-
result.should == {
|
|
159
|
-
"foo" => "string",
|
|
160
|
-
:bar => "symbol",
|
|
161
|
-
1 => "integer",
|
|
162
|
-
3.14 => "float",
|
|
163
|
-
Date.parse("2013-01-24") => "date",
|
|
164
|
-
Time.new(2013, 1, 29, 5, 58, 0, "-08:00") => "time"
|
|
165
|
-
}
|
|
166
|
+
result.should == { :bar => "symbol" }
|
|
166
167
|
end
|
|
167
168
|
|
|
168
|
-
it "applies the same
|
|
169
|
-
parse
|
|
170
|
-
- foo
|
|
171
|
-
- :bar
|
|
172
|
-
- 1
|
|
173
|
-
- 3.14
|
|
174
|
-
- 2013-01-24
|
|
175
|
-
- 2013-01-29 05:58:00 -0800
|
|
176
|
-
YAML
|
|
169
|
+
it "applies the same transformation to elements in sequences" do
|
|
170
|
+
parse "- :bar"
|
|
177
171
|
|
|
178
|
-
result.should == [
|
|
172
|
+
result.should == [:bar]
|
|
179
173
|
end
|
|
180
174
|
end
|
|
181
175
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: safe_yaml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.5.
|
|
4
|
+
version: 0.5.2
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -19,7 +19,6 @@ extra_rdoc_files: []
|
|
|
19
19
|
files:
|
|
20
20
|
- .gitignore
|
|
21
21
|
- Gemfile
|
|
22
|
-
- Gemfile.lock
|
|
23
22
|
- README.md
|
|
24
23
|
- Rakefile
|
|
25
24
|
- lib/safe_yaml.rb
|
|
@@ -44,7 +43,7 @@ files:
|
|
|
44
43
|
- spec/spec_helper.rb
|
|
45
44
|
- spec/support/exploitable_back_door.rb
|
|
46
45
|
- spec/syck_resolver_spec.rb
|
|
47
|
-
homepage: http://github.com/
|
|
46
|
+
homepage: http://dtao.github.com/safe_yaml/
|
|
48
47
|
licenses: []
|
|
49
48
|
post_install_message:
|
|
50
49
|
rdoc_options: []
|
data/Gemfile.lock
DELETED
|
@@ -1,28 +0,0 @@
|
|
|
1
|
-
PATH
|
|
2
|
-
remote: .
|
|
3
|
-
specs:
|
|
4
|
-
safe_yaml (0.5.1)
|
|
5
|
-
|
|
6
|
-
GEM
|
|
7
|
-
remote: http://rubygems.org/
|
|
8
|
-
specs:
|
|
9
|
-
diff-lcs (1.1.3)
|
|
10
|
-
heredoc_unindent (1.1.2)
|
|
11
|
-
rake (10.0.3)
|
|
12
|
-
rspec (2.12.0)
|
|
13
|
-
rspec-core (~> 2.12.0)
|
|
14
|
-
rspec-expectations (~> 2.12.0)
|
|
15
|
-
rspec-mocks (~> 2.12.0)
|
|
16
|
-
rspec-core (2.12.2)
|
|
17
|
-
rspec-expectations (2.12.1)
|
|
18
|
-
diff-lcs (~> 1.1.3)
|
|
19
|
-
rspec-mocks (2.12.1)
|
|
20
|
-
|
|
21
|
-
PLATFORMS
|
|
22
|
-
ruby
|
|
23
|
-
|
|
24
|
-
DEPENDENCIES
|
|
25
|
-
heredoc_unindent
|
|
26
|
-
rake
|
|
27
|
-
rspec
|
|
28
|
-
safe_yaml!
|