safe_yaml 0.9.5 → 0.9.6
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGES.md +9 -4
- data/Rakefile +7 -0
- data/lib/safe_yaml.rb +3 -1
- data/lib/safe_yaml/psych_handler.rb +10 -0
- data/lib/safe_yaml/transform/to_nil.rb +1 -1
- data/lib/safe_yaml/version.rb +1 -1
- data/spec/issue48.yml +6 -0
- data/spec/safe_yaml_spec.rb +34 -5
- metadata +5 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a0e318fdb562f8333d33d6d693e838d454a9753a
|
|
4
|
+
data.tar.gz: 4cae1fb4f5f15d42ae0762c35ae9aa543ddf3dc6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4c61eacf1e4e4f2f6d28d64e88ff7b504150e5516ea01a594d9efef2e50abeb2f9623e2c2a2f58a67ad8297aa8bcc9ddaf70c6e3d0c7de248a630d2b1873bb36
|
|
7
|
+
data.tar.gz: 8f61f556e31238feeefba576f2503b0369a3591219f2daa9fb81dae80747050f1b80cea51979c7b44cb43f168b993942c31723682d0291d3751393276fda63df
|
data/CHANGES.md
CHANGED
|
@@ -1,10 +1,15 @@
|
|
|
1
|
+
0.9.6
|
|
2
|
+
-----
|
|
3
|
+
|
|
4
|
+
- fixed handling of files with trailing content (after closing `---`)
|
|
5
|
+
|
|
1
6
|
0.9.5
|
|
2
7
|
-----
|
|
3
8
|
|
|
4
9
|
- fixed permissions AGAIN
|
|
5
10
|
|
|
6
|
-
0.9.4
|
|
7
|
-
|
|
11
|
+
0.9.4
|
|
12
|
+
-----
|
|
8
13
|
|
|
9
14
|
- corrected handling of symbols
|
|
10
15
|
|
|
@@ -13,8 +18,8 @@
|
|
|
13
18
|
|
|
14
19
|
- fixed permissions :(
|
|
15
20
|
|
|
16
|
-
0.9.2
|
|
17
|
-
|
|
21
|
+
0.9.2
|
|
22
|
+
-----
|
|
18
23
|
|
|
19
24
|
- fixed error w/ parsing "!" when whitelisting tags
|
|
20
25
|
- fixed parsing of the number 0 (d'oh!)
|
data/Rakefile
CHANGED
data/lib/safe_yaml.rb
CHANGED
|
@@ -160,6 +160,8 @@ module YAML
|
|
|
160
160
|
require "safe_yaml/safe_to_ruby_visitor"
|
|
161
161
|
|
|
162
162
|
def self.safe_load(yaml, filename=nil, options={})
|
|
163
|
+
return false if yaml =~ /\A\s*\Z/
|
|
164
|
+
|
|
163
165
|
# If the user hasn't whitelisted any tags, we can go with this implementation which is
|
|
164
166
|
# significantly faster.
|
|
165
167
|
if (options && options[:whitelisted_tags] || SafeYAML::OPTIONS[:whitelisted_tags]).empty?
|
|
@@ -167,7 +169,7 @@ module YAML
|
|
|
167
169
|
arguments_for_parse = [yaml]
|
|
168
170
|
arguments_for_parse << filename if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
|
|
169
171
|
Psych::Parser.new(safe_handler).parse(*arguments_for_parse)
|
|
170
|
-
return safe_handler.result
|
|
172
|
+
return safe_handler.result
|
|
171
173
|
|
|
172
174
|
else
|
|
173
175
|
safe_resolver = SafeYAML::PsychResolver.new(options)
|
|
@@ -44,6 +44,16 @@ module SafeYAML
|
|
|
44
44
|
@current_key = nil
|
|
45
45
|
end
|
|
46
46
|
|
|
47
|
+
elsif @current_structure.nil?
|
|
48
|
+
# It appears that a YAML document may containing trailing text that should not be considered
|
|
49
|
+
# part of the serialized data. See issue 48:
|
|
50
|
+
#
|
|
51
|
+
# https://github.com/dtao/safe_yaml/issues/48
|
|
52
|
+
#
|
|
53
|
+
# I need to investigate this a bit further; but for now just explicitly ignoring nil should
|
|
54
|
+
# fix the issue (since in theory the only scenario where this would happen is after the
|
|
55
|
+
# serialized structure has "closed").
|
|
56
|
+
|
|
47
57
|
else
|
|
48
58
|
raise "Don't know how to add to a #{@current_structure.class}!"
|
|
49
59
|
end
|
data/lib/safe_yaml/version.rb
CHANGED
data/spec/issue48.yml
ADDED
data/spec/safe_yaml_spec.rb
CHANGED
|
@@ -115,6 +115,8 @@ describe YAML do
|
|
|
115
115
|
result = YAML.safe_load <<-YAML.unindent
|
|
116
116
|
foo:
|
|
117
117
|
number: 1
|
|
118
|
+
boolean: true
|
|
119
|
+
nil: ~
|
|
118
120
|
string: Hello, there!
|
|
119
121
|
symbol: :blah
|
|
120
122
|
sequence:
|
|
@@ -124,9 +126,11 @@ describe YAML do
|
|
|
124
126
|
|
|
125
127
|
result.should == {
|
|
126
128
|
"foo" => {
|
|
127
|
-
"number"
|
|
128
|
-
"
|
|
129
|
-
"
|
|
129
|
+
"number" => 1,
|
|
130
|
+
"boolean" => true,
|
|
131
|
+
"nil" => nil,
|
|
132
|
+
"string" => "Hello, there!",
|
|
133
|
+
"symbol" => ":blah",
|
|
130
134
|
"sequence" => ["hi", "bye"]
|
|
131
135
|
}
|
|
132
136
|
}
|
|
@@ -255,8 +259,18 @@ describe YAML do
|
|
|
255
259
|
end
|
|
256
260
|
|
|
257
261
|
it "returns false when parsing an empty document" do
|
|
258
|
-
|
|
259
|
-
|
|
262
|
+
[
|
|
263
|
+
YAML.safe_load(""),
|
|
264
|
+
YAML.safe_load(" "),
|
|
265
|
+
YAML.safe_load("\n")
|
|
266
|
+
].should == [false, false, false]
|
|
267
|
+
end
|
|
268
|
+
|
|
269
|
+
it "returns nil when parsing a single value representing nil" do
|
|
270
|
+
[
|
|
271
|
+
YAML.safe_load("~"),
|
|
272
|
+
YAML.safe_load("null")
|
|
273
|
+
].should == [nil, nil]
|
|
260
274
|
end
|
|
261
275
|
|
|
262
276
|
context "with custom initializers defined" do
|
|
@@ -633,6 +647,21 @@ describe YAML do
|
|
|
633
647
|
YAML.load_file(filename, :safe => true)
|
|
634
648
|
end
|
|
635
649
|
end
|
|
650
|
+
|
|
651
|
+
it "handles files starting with --- (see issue #48)" do
|
|
652
|
+
YAML.load_file("spec/issue48.yml", :safe => true).should == {
|
|
653
|
+
"title" => "Blah",
|
|
654
|
+
"key" => "value"
|
|
655
|
+
}
|
|
656
|
+
end
|
|
657
|
+
|
|
658
|
+
it "handles content starting with --- (see issue #48)" do
|
|
659
|
+
yaml = File.read("spec/issue48.yml")
|
|
660
|
+
YAML.load(yaml, :safe => true).should == {
|
|
661
|
+
"title" => "Blah",
|
|
662
|
+
"key" => "value"
|
|
663
|
+
}
|
|
664
|
+
end
|
|
636
665
|
end
|
|
637
666
|
|
|
638
667
|
describe "whitelist!" do
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: safe_yaml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.9.
|
|
4
|
+
version: 0.9.6
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dan Tao
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2013-
|
|
11
|
+
date: 2013-09-16 00:00:00.000000000 Z
|
|
12
12
|
dependencies: []
|
|
13
13
|
description: Parse YAML safely, without that pesky arbitrary object deserialization
|
|
14
14
|
vulnerability
|
|
@@ -49,6 +49,7 @@ files:
|
|
|
49
49
|
- safe_yaml.gemspec
|
|
50
50
|
- spec/exploit.1.9.2.yaml
|
|
51
51
|
- spec/exploit.1.9.3.yaml
|
|
52
|
+
- spec/issue48.yml
|
|
52
53
|
- spec/psych_resolver_spec.rb
|
|
53
54
|
- spec/resolver_specs.rb
|
|
54
55
|
- spec/safe_yaml_spec.rb
|
|
@@ -80,7 +81,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
80
81
|
version: '0'
|
|
81
82
|
requirements: []
|
|
82
83
|
rubyforge_project:
|
|
83
|
-
rubygems_version: 2.0.
|
|
84
|
+
rubygems_version: 2.0.0.rc.2
|
|
84
85
|
signing_key:
|
|
85
86
|
specification_version: 4
|
|
86
87
|
summary: SameYAML provides an alternative implementation of YAML.load suitable for
|
|
@@ -88,6 +89,7 @@ summary: SameYAML provides an alternative implementation of YAML.load suitable f
|
|
|
88
89
|
test_files:
|
|
89
90
|
- spec/exploit.1.9.2.yaml
|
|
90
91
|
- spec/exploit.1.9.3.yaml
|
|
92
|
+
- spec/issue48.yml
|
|
91
93
|
- spec/psych_resolver_spec.rb
|
|
92
94
|
- spec/resolver_specs.rb
|
|
93
95
|
- spec/safe_yaml_spec.rb
|