safe_yaml 0.9.7 → 1.0.0rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d56ceb5aefcdb8415178936b17589f26139ec062
-  data.tar.gz: cd7b6f5d702b6680eb17116a832f0e651737d599
+  metadata.gz: 580842b6e20aa79420ad2b898f635bab6d29656c
+  data.tar.gz: 487551f91fc91dbbe0ccd00eae31ded1953a7ab3
 SHA512:
-  metadata.gz: 4c4686cc5c8a087bbebdc706862223a3d9df7e28b559d32ff6c9ea1bf8db02d273b5b8cc425f903b8ed20e31915381149e3f330b8815ef20bc6de9f428963dff
-  data.tar.gz: ded13cfdc5044e90220bc24d058a79c89c7a319cbe3b120a09ca1e73d78d6dc2d2a32b90f358c06dd2d3f9585e3836246a6df855dcd5cdcc6a4cd38bc9df6b29
+  metadata.gz: 51987bc5bf1d65dd88b90a2837bf7006ed0bb61d663c60e8f4f05cd3a2d864bdfd3feb386e47df1bbc81f495627aa739f745a1436d874d3fdeda6a1595c0eb18
+  data.tar.gz: f4d748e76546f251788d7e8b2f83b12592773b08ee95132807656bc195583b0c8b017a34468b14bdceb63540b06c78e5c789ba60439fedf992053377bf50d5d7

data/.travis.yml

@@ -29,6 +29,7 @@ matrix:
     - rvm: ruby-head
     - rvm: rbx-19mode
     - rvm: rbx-18mode
+    - rvm: jruby-head
     - rvm: ree
 
   exclude:

data/README.md

@@ -97,6 +97,15 @@ The most important option is the `:safe` option (default: `true`), which control
 
 All of the above options can be set at the global level via `SafeYAML::OPTIONS`. You can also set each one individually per call to `YAML.load`; an option explicitly passed to `load` will take precedence over an option specified globally.
 
+What if I don't *want* to patch `YAML`?
+---------------------------------------
+
+[Excellent question](https://github.com/dtao/safe_yaml/issues/47)! You can also get the methods `SafeYAML.load` and `SafeYAML.load_file` without touching the `YAML` module at all like this:
+
+    require "safe_yaml/load"
+
+This way, you can use `SafeYAML.load` to parse YAML that *you* don't trust, without affecting the rest of an application (if you're developing a library, for example).
+
 Supported Types
 ---------------
 

data/Rakefile

@@ -1,13 +1,23 @@
 require "rspec/core/rake_task"
 
 desc "Run specs"
-RSpec::Core::RakeTask.new(:spec) do |t|
-  t.rspec_opts = %w(--color)
-end
+task :spec => ['spec:app', 'spec:lib']
 
 namespace :spec do
   desc "Run only specs tagged 'solo'"
   RSpec::Core::RakeTask.new(:solo) do |t|
     t.rspec_opts = %w(--color --tag solo)
   end
+
+  desc "Run only specs tagged NOT tagged 'libraries' (for applications)"
+  RSpec::Core::RakeTask.new(:app) do |t|
+    puts "Running specs w/ monkeypatch"
+    t.rspec_opts = %w(--color --tag ~libraries)
+  end
+
+  desc "Run only specs tagged 'libraries'"
+  RSpec::Core::RakeTask.new(:lib) do |t|
+    puts "Running specs w/o monkeypatch"
+    t.rspec_opts = %w(--color --tag libraries)
+  end
 end

data/bundle_install_all_ruby_versions.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+[[ -s "$HOME/.rvm/scripts/rvm" ]] && . "$HOME/.rvm/scripts/rvm"
+
+rvm use 1.8.7
+bundle install
+
+rvm use 1.9.2
+bundle install
+
+rvm use 1.9.3
+bundle install
+
+rvm use 2.0.0
+bundle install
+
+rvm use jruby
+bundle install

data/lib/safe_yaml.rb

@@ -1,133 +1,4 @@
-require "yaml"
-
-# This needs to be defined up front in case any internal classes need to base
-# their behavior off of this.
-module SafeYAML
-  YAML_ENGINE = defined?(YAML::ENGINE) ? YAML::ENGINE.yamler : "syck"
-end
-
-require "set"
-require "safe_yaml/deep"
-require "safe_yaml/parse/hexadecimal"
-require "safe_yaml/parse/sexagesimal"
-require "safe_yaml/parse/date"
-require "safe_yaml/transform/transformation_map"
-require "safe_yaml/transform/to_boolean"
-require "safe_yaml/transform/to_date"
-require "safe_yaml/transform/to_float"
-require "safe_yaml/transform/to_integer"
-require "safe_yaml/transform/to_nil"
-require "safe_yaml/transform/to_symbol"
-require "safe_yaml/transform"
-require "safe_yaml/resolver"
-require "safe_yaml/syck_hack" if defined?(JRUBY_VERSION)
-
-module SafeYAML
-  MULTI_ARGUMENT_YAML_LOAD = YAML.method(:load).arity != 1
-
-  DEFAULT_OPTIONS = Deep.freeze({
-    :default_mode         => nil,
-    :suppress_warnings    => false,
-    :deserialize_symbols  => false,
-    :whitelisted_tags     => [],
-    :custom_initializers  => {},
-    :raise_on_unknown_tag => false
-  })
-
-  OPTIONS = Deep.copy(DEFAULT_OPTIONS)
-
-  module_function
-  def restore_defaults!
-    OPTIONS.clear.merge!(Deep.copy(DEFAULT_OPTIONS))
-  end
-
-  def tag_safety_check!(tag, options)
-    return if tag.nil? || tag == "!"
-    if options[:raise_on_unknown_tag] && !options[:whitelisted_tags].include?(tag) && !tag_is_explicitly_trusted?(tag)
-      raise "Unknown YAML tag '#{tag}'"
-    end
-  end
-
-  def whitelist!(*classes)
-    classes.each do |klass|
-      whitelist_class!(klass)
-    end
-  end
-
-  def whitelist_class!(klass)
-    raise "#{klass} not a Class" unless klass.is_a?(::Class)
-
-    klass_name = klass.name
-    raise "#{klass} cannot be anonymous" if klass_name.nil? || klass_name.empty?
-
-    # Whitelist any built-in YAML tags supplied by Syck or Psych.
-    predefined_tag = predefined_tags[klass]
-    if predefined_tag
-      OPTIONS[:whitelisted_tags] << predefined_tag
-      return
-    end
-
-    # Exception is exceptional (har har).
-    tag_class  = klass < Exception ? "exception" : "object"
-
-    tag_prefix = case YAML_ENGINE
-                 when "psych" then "!ruby/#{tag_class}"
-                 when "syck"  then "tag:ruby.yaml.org,2002:#{tag_class}"
-                 else raise "unknown YAML_ENGINE #{YAML_ENGINE}"
-                 end
-    OPTIONS[:whitelisted_tags] << "#{tag_prefix}:#{klass_name}"
-  end
-
-  def predefined_tags
-    if @predefined_tags.nil?
-      @predefined_tags = {}
-
-      if YAML_ENGINE == "syck"
-        YAML.tagged_classes.each do |tag, klass|
-          @predefined_tags[klass] = tag
-        end
-
-      else
-        # Special tags appear to be hard-coded in Psych:
-        # https://github.com/tenderlove/psych/blob/v1.3.4/lib/psych/visitors/to_ruby.rb
-        # Fortunately, there aren't many that SafeYAML doesn't already support.
-        @predefined_tags.merge!({
-          Exception => "!ruby/exception",
-          Range     => "!ruby/range",
-          Regexp    => "!ruby/regexp",
-        })
-      end
-    end
-
-    @predefined_tags
-  end
-
-  if YAML_ENGINE == "psych"
-    def tag_is_explicitly_trusted?(tag)
-      false
-    end
-
-  else
-    TRUSTED_TAGS = Set.new([
-      "tag:yaml.org,2002:binary",
-      "tag:yaml.org,2002:bool#no",
-      "tag:yaml.org,2002:bool#yes",
-      "tag:yaml.org,2002:float",
-      "tag:yaml.org,2002:float#fix",
-      "tag:yaml.org,2002:int",
-      "tag:yaml.org,2002:map",
-      "tag:yaml.org,2002:null",
-      "tag:yaml.org,2002:seq",
-      "tag:yaml.org,2002:str",
-      "tag:yaml.org,2002:timestamp",
-      "tag:yaml.org,2002:timestamp#ymd"
-    ]).freeze
-
-    def tag_is_explicitly_trusted?(tag)
-      TRUSTED_TAGS.include?(tag)
-    end
-  end
-end
+require "safe_yaml/load"
 
 module YAML
   def self.load_with_options(yaml, *original_arguments)
@@ -154,65 +25,27 @@ module YAML
     end
   end
 
-  if SafeYAML::YAML_ENGINE == "psych"
-    require "safe_yaml/psych_handler"
-    require "safe_yaml/psych_resolver"
-    require "safe_yaml/safe_to_ruby_visitor"
-
-    def self.safe_load(yaml, filename=nil, options={})
-      return false if yaml =~ /\A\s*\Z/
-
-      # If the user hasn't whitelisted any tags, we can go with this implementation which is
-      # significantly faster.
-      if (options && options[:whitelisted_tags] || SafeYAML::OPTIONS[:whitelisted_tags]).empty?
-        safe_handler = SafeYAML::PsychHandler.new(options) do |result|
-          return result
-        end
-        arguments_for_parse = [yaml]
-        arguments_for_parse << filename if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
-        Psych::Parser.new(safe_handler).parse(*arguments_for_parse)
-
-      else
-        safe_resolver = SafeYAML::PsychResolver.new(options)
-        tree = SafeYAML::MULTI_ARGUMENT_YAML_LOAD ?
-          Psych.parse(yaml, filename) :
-          Psych.parse(yaml)
-        return safe_resolver.resolve_node(tree)
-      end
-    end
-
-    def self.safe_load_file(filename, options={})
-      File.open(filename, 'r:bom|utf-8') { |f| self.safe_load(f, filename, options) }
-    end
-
-    def self.unsafe_load_file(filename)
-      if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
-        # https://github.com/tenderlove/psych/blob/v1.3.2/lib/psych.rb#L296-298
-        File.open(filename, 'r:bom|utf-8') { |f| self.unsafe_load(f, filename) }
-      else
-        # https://github.com/tenderlove/psych/blob/v1.2.2/lib/psych.rb#L231-233
-        self.unsafe_load File.open(filename)
-      end
-    end
-
-  else
-    require "safe_yaml/syck_resolver"
-    require "safe_yaml/syck_node_monkeypatch"
+  def self.safe_load(*args)
+    SafeYAML.load(*args)
+  end
 
-    def self.safe_load(yaml, options={})
-      resolver = SafeYAML::SyckResolver.new(SafeYAML::OPTIONS.merge(options || {}))
-      tree = YAML.parse(yaml)
-      return resolver.resolve_node(tree)
-    end
+  def self.safe_load_file(*args)
+    SafeYAML.load_file(*args)
+  end
 
-    def self.safe_load_file(filename, options={})
-      File.open(filename) { |f| self.safe_load(f, options) }
+  def self.unsafe_load_file(filename)
+    if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
+      # https://github.com/tenderlove/psych/blob/v1.3.2/lib/psych.rb#L296-298
+      File.open(filename, 'r:bom|utf-8') { |f| self.unsafe_load(f, filename) }
+    else
+      # https://github.com/tenderlove/psych/blob/v1.2.2/lib/psych.rb#L231-233
+      self.unsafe_load File.open(filename)
     end
+  end
 
-    def self.unsafe_load_file(filename)
-      # https://github.com/indeyets/syck/blob/master/ext/ruby/lib/yaml.rb#L133-135
-      File.open(filename) { |f| self.unsafe_load(f) }
-    end
+  def self.unsafe_load_file(filename)
+    # https://github.com/indeyets/syck/blob/master/ext/ruby/lib/yaml.rb#L133-135
+    File.open(filename) { |f| self.unsafe_load(f) }
   end
 
   class << self

data/lib/safe_yaml/load.rb

@@ -0,0 +1,183 @@
+require "yaml"
+
+# This needs to be defined up front in case any internal classes need to base
+# their behavior off of this.
+module SafeYAML
+  YAML_ENGINE = defined?(YAML::ENGINE) ? YAML::ENGINE.yamler : "syck"
+end
+
+require "set"
+require "safe_yaml/deep"
+require "safe_yaml/parse/hexadecimal"
+require "safe_yaml/parse/sexagesimal"
+require "safe_yaml/parse/date"
+require "safe_yaml/transform/transformation_map"
+require "safe_yaml/transform/to_boolean"
+require "safe_yaml/transform/to_date"
+require "safe_yaml/transform/to_float"
+require "safe_yaml/transform/to_integer"
+require "safe_yaml/transform/to_nil"
+require "safe_yaml/transform/to_symbol"
+require "safe_yaml/transform"
+require "safe_yaml/resolver"
+require "safe_yaml/syck_hack" if SafeYAML::YAML_ENGINE == "syck" && defined?(JRUBY_VERSION)
+
+module SafeYAML
+  MULTI_ARGUMENT_YAML_LOAD = YAML.method(:load).arity != 1
+
+  DEFAULT_OPTIONS = Deep.freeze({
+    :default_mode         => nil,
+    :suppress_warnings    => false,
+    :deserialize_symbols  => false,
+    :whitelisted_tags     => [],
+    :custom_initializers  => {},
+    :raise_on_unknown_tag => false
+  })
+
+  OPTIONS = Deep.copy(DEFAULT_OPTIONS)
+
+  module_function
+  def restore_defaults!
+    OPTIONS.clear.merge!(Deep.copy(DEFAULT_OPTIONS))
+  end
+
+  def tag_safety_check!(tag, options)
+    return if tag.nil? || tag == "!"
+    if options[:raise_on_unknown_tag] && !options[:whitelisted_tags].include?(tag) && !tag_is_explicitly_trusted?(tag)
+      raise "Unknown YAML tag '#{tag}'"
+    end
+  end
+
+  def whitelist!(*classes)
+    classes.each do |klass|
+      whitelist_class!(klass)
+    end
+  end
+
+  def whitelist_class!(klass)
+    raise "#{klass} not a Class" unless klass.is_a?(::Class)
+
+    klass_name = klass.name
+    raise "#{klass} cannot be anonymous" if klass_name.nil? || klass_name.empty?
+
+    # Whitelist any built-in YAML tags supplied by Syck or Psych.
+    predefined_tag = predefined_tags[klass]
+    if predefined_tag
+      OPTIONS[:whitelisted_tags] << predefined_tag
+      return
+    end
+
+    # Exception is exceptional (har har).
+    tag_class  = klass < Exception ? "exception" : "object"
+
+    tag_prefix = case YAML_ENGINE
+                 when "psych" then "!ruby/#{tag_class}"
+                 when "syck"  then "tag:ruby.yaml.org,2002:#{tag_class}"
+                 else raise "unknown YAML_ENGINE #{YAML_ENGINE}"
+                 end
+    OPTIONS[:whitelisted_tags] << "#{tag_prefix}:#{klass_name}"
+  end
+
+  def predefined_tags
+    if @predefined_tags.nil?
+      @predefined_tags = {}
+
+      if YAML_ENGINE == "syck"
+        YAML.tagged_classes.each do |tag, klass|
+          @predefined_tags[klass] = tag
+        end
+
+      else
+        # Special tags appear to be hard-coded in Psych:
+        # https://github.com/tenderlove/psych/blob/v1.3.4/lib/psych/visitors/to_ruby.rb
+        # Fortunately, there aren't many that SafeYAML doesn't already support.
+        @predefined_tags.merge!({
+          Exception => "!ruby/exception",
+          Range     => "!ruby/range",
+          Regexp    => "!ruby/regexp",
+        })
+      end
+    end
+
+    @predefined_tags
+  end
+
+  if YAML_ENGINE == "psych"
+    def tag_is_explicitly_trusted?(tag)
+      false
+    end
+
+  else
+    TRUSTED_TAGS = Set.new([
+      "tag:yaml.org,2002:binary",
+      "tag:yaml.org,2002:bool#no",
+      "tag:yaml.org,2002:bool#yes",
+      "tag:yaml.org,2002:float",
+      "tag:yaml.org,2002:float#fix",
+      "tag:yaml.org,2002:int",
+      "tag:yaml.org,2002:map",
+      "tag:yaml.org,2002:null",
+      "tag:yaml.org,2002:seq",
+      "tag:yaml.org,2002:str",
+      "tag:yaml.org,2002:timestamp",
+      "tag:yaml.org,2002:timestamp#ymd"
+    ]).freeze
+
+    def tag_is_explicitly_trusted?(tag)
+      TRUSTED_TAGS.include?(tag)
+    end
+  end
+
+  if SafeYAML::YAML_ENGINE == "psych"
+    require "safe_yaml/psych_handler"
+    require "safe_yaml/psych_resolver"
+    require "safe_yaml/safe_to_ruby_visitor"
+
+    def self.load(yaml, filename=nil, options={})
+      # If the user hasn't whitelisted any tags, we can go with this implementation which is
+      # significantly faster.
+      if (options && options[:whitelisted_tags] || SafeYAML::OPTIONS[:whitelisted_tags]).empty?
+        safe_handler = SafeYAML::PsychHandler.new(options) do |result|
+          return result
+        end
+        arguments_for_parse = [yaml]
+        arguments_for_parse << filename if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
+        Psych::Parser.new(safe_handler).parse(*arguments_for_parse)
+        return safe_handler.result
+
+      else
+        safe_resolver = SafeYAML::PsychResolver.new(options)
+        tree = SafeYAML::MULTI_ARGUMENT_YAML_LOAD ?
+          Psych.parse(yaml, filename) :
+          Psych.parse(yaml)
+        return safe_resolver.resolve_node(tree)
+      end
+    end
+
+    def self.load_file(filename, options={})
+      if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
+        File.open(filename, 'r:bom|utf-8') { |f| self.load(f, filename, options) }
+
+      else
+        # Ruby pukes on 1.9.2 if we try to open an empty file w/ 'r:bom|utf-8';
+        # so we'll not specify those flags here. This mirrors the behavior for
+        # unsafe_load_file so it's probably preferable anyway.
+        self.load File.open(filename), nil, options
+      end
+    end
+
+  else
+    require "safe_yaml/syck_resolver"
+    require "safe_yaml/syck_node_monkeypatch"
+
+    def self.load(yaml, options={})
+      resolver = SafeYAML::SyckResolver.new(SafeYAML::OPTIONS.merge(options || {}))
+      tree = YAML.parse(yaml)
+      return resolver.resolve_node(tree)
+    end
+
+    def self.load_file(filename, options={})
+      File.open(filename) { |f| self.load(f, options) }
+    end
+  end
+end

data/lib/safe_yaml/parse/date.rb

@@ -17,10 +17,18 @@ module SafeYAML
       # reasonably -- to seconds.
       SEC_FRACTION_MULTIPLIER = RUBY_VERSION == "1.8.7" ? (SECONDS_PER_DAY * MICROSECONDS_PER_SECOND) : MICROSECONDS_PER_SECOND
 
+      # The DateTime class has a #to_time method in Ruby 1.9+;
+      # Before that we'll just need to convert DateTime to Time ourselves.
+      TO_TIME_AVAILABLE = DateTime.new.respond_to?(:to_time)
+
       def self.value(value)
         d = DateTime.parse(value)
+
+        return d.to_time if TO_TIME_AVAILABLE
+
         usec = d.sec_fraction * SEC_FRACTION_MULTIPLIER
-        Time.utc(d.year, d.month, d.day, d.hour, d.min, d.sec, usec) - (d.offset * SECONDS_PER_DAY)
+        time = Time.utc(d.year, d.month, d.day, d.hour, d.min, d.sec, usec) - (d.offset * SECONDS_PER_DAY)
+        time.getlocal
       end
     end
   end

data/lib/safe_yaml/psych_handler.rb

@@ -11,10 +11,11 @@ module SafeYAML
       @stack        = []
       @current_key  = nil
       @result       = nil
+      @begun        = false
     end
 
     def result
-      @result
+      @begun ? @result : false
     end
 
     def add_to_current_structure(value, anchor=nil, quoted=nil, tag=nil)
@@ -22,7 +23,8 @@ module SafeYAML
 
       @anchors[anchor] = value if anchor
 
-      if @result.nil?
+      if !@begun
+        @begun = true
         @result = value
         @current_structure = @result
         return

data/lib/safe_yaml/safe_to_ruby_visitor.rb

@@ -1,7 +1,19 @@
 module SafeYAML
   class SafeToRubyVisitor < Psych::Visitors::ToRuby
+    INITIALIZE_ARITY = superclass.instance_method(:initialize).arity
+
     def initialize(resolver)
-      super()
+      case INITIALIZE_ARITY
+      when 2
+        # https://github.com/tenderlove/psych/blob/v2.0.0/lib/psych/visitors/to_ruby.rb#L14-L28
+        loader  = ClassLoader.new
+        scanner = ScalarScanner.new(loader)
+        super(scanner, loader)
+
+      else
+        super()
+      end
+
       @resolver = resolver
     end
 

data/lib/safe_yaml/version.rb

@@ -1,3 +1,3 @@
 module SafeYAML
-  VERSION = "0.9.7"
+  VERSION = "1.0.0rc1"
 end

data/run_specs_all_ruby_versions.sh

@@ -2,20 +2,26 @@
 
 [[ -s "$HOME/.rvm/scripts/rvm" ]] && . "$HOME/.rvm/scripts/rvm"
 
-rvm use 1.8.7@safe_yaml
-rake spec
+rvm use 1.8.7
+bundle exec rake spec
 
-rvm use 1.9.2@safe_yaml
-YAMLER=syck rake spec
+rvm use 1.9.2
+YAMLER=syck bundle exec rake spec
 
-rvm use 1.9.3@safe_yaml
-YAMLER=syck rake spec
+rvm use 1.9.3
+YAMLER=syck bundle exec rake spec
 
-rvm use 1.9.2@safe_yaml
-YAMLER=psych rake spec
+rvm use 1.9.2
+YAMLER=psych bundle exec rake spec
 
-rvm use 1.9.3@safe_yaml
-YAMLER=psych rake spec
+rvm use 1.9.3
+YAMLER=psych bundle exec rake spec
 
-rvm use 2.0.0@safe_yaml
-YAMLER=psych rake spec
+rvm use 2.0.0
+YAMLER=psych bundle exec rake spec
+
+rvm use jruby
+JRUBY_OPTS=--1.8 bundle exec rake spec
+
+rvm use jruby
+JRUBY_OPTS=--1.9 bundle exec rake spec

data/spec/resolver_specs.rb

@@ -4,6 +4,11 @@ module ResolverSpecs
       let(:resolver) { nil }
       let(:result) { @result }
 
+      before :each do
+        # See the comment in the first before :each block in safe_yaml_spec.rb.
+        require "safe_yaml"
+      end
+
       def parse(yaml)
         tree = YAML.parse(yaml.unindent)
         @result = resolver.resolve_node(tree)

data/spec/safe_yaml_spec.rb

@@ -1,7 +1,5 @@
 require File.join(File.dirname(__FILE__), "spec_helper")
 
-require "exploitable_back_door"
-
 describe YAML do
   # Essentially stolen from:
   # https://github.com/rails/rails/blob/3-2-stable/activesupport/lib/active_support/core_ext/kernel/reporting.rb#L10-25
@@ -21,6 +19,12 @@ describe YAML do
   end
 
   before :each do
+    # Need to require this here (as opposed to somewhere up higher in the file)
+    # to ensure that safe_yaml isn't loaded and therefore YAML isn't monkey-
+    # patched, for tests that require only safe_yaml/load.
+    require "safe_yaml"
+    require "exploitable_back_door"
+
     SafeYAML.restore_defaults!
   end
 
@@ -257,7 +261,7 @@ describe YAML do
         "grandcustom" => { "foo" => "foo", "bar" => "custom_bar", "baz" => "custom_baz" }
       }
     end
-    
+
     it "returns false when parsing an empty document" do
       [
         YAML.safe_load(""),
@@ -507,6 +511,10 @@ describe YAML do
       object = YAML.safe_load_file "spec/exploit.1.9.2.yaml"
       object.should_not be_a(ExploitableBackDoor)
     end
+    
+    it "returns false when parsing an empty file" do
+      YAML.safe_load_file("spec/issue49.yml").should == false
+    end
   end
 
   describe "load" do

data/spec/spec_helper.rb

@@ -10,7 +10,16 @@ if ENV["YAMLER"] && defined?(YAML::ENGINE)
   puts "Running specs in Ruby #{RUBY_VERSION} with '#{YAML::ENGINE.yamler}' YAML engine."
 end
 
-require "safe_yaml"
+if defined?(JRUBY_VERSION) && ENV["JRUBY_OPTS"]
+  puts "Running JRuby in #{RUBY_VERSION} mode."
+end
+
+# Caching references to these methods before loading safe_yaml in order to test
+# that they aren't touched unless you actually require safe_yaml (see yaml_spec.rb).
+ORIGINAL_YAML_LOAD      = YAML.method(:load)
+ORIGINAL_YAML_LOAD_FILE = YAML.method(:load_file)
+
+require "safe_yaml/load"
 require "ostruct"
 require "hashie"
 require "heredoc_unindent"

data/spec/transform/to_date_spec.rb

@@ -31,4 +31,11 @@ describe SafeYAML::Transform::ToDate do
       result.should == Time.utc(2001, 12, 15, 2, 59, 43, 100000)
     end
   end
+
+  it "converts times to the local timezone" do
+    success, result = subject.transform?("2012-12-01 10:33:45 +11:00")
+    success.should be_true
+    result.should == Time.utc(2012, 11, 30, 23, 33, 45)
+    result.gmt_offset.should == Time.now.gmt_offset
+  end
 end

data/spec/yaml_spec.rb

@@ -0,0 +1,15 @@
+# See https://github.com/dtao/safe_yaml/issues/47
+
+require File.join(File.dirname(__FILE__), "spec_helper")
+
+describe YAML do
+  context "when you've only required safe_yaml/load", :libraries => true do
+    it "YAML.load doesn't get monkey patched" do
+      YAML.method(:load).should == ORIGINAL_YAML_LOAD
+    end
+
+    it "YAML.load_file doesn't get monkey patched" do
+      YAML.method(:load_file).should == ORIGINAL_YAML_LOAD_FILE
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: safe_yaml
 version: !ruby/object:Gem::Version
-  version: 0.9.7
+  version: 1.0.0rc1
 platform: ruby
 authors:
 - Dan Tao
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-09-17 00:00:00.000000000 Z
+date: 2013-12-10 00:00:00.000000000 Z
 dependencies: []
 description: Parse YAML safely, without that pesky arbitrary object deserialization
   vulnerability
@@ -24,8 +24,10 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- bundle_install_all_ruby_versions.sh
 - lib/safe_yaml.rb
 - lib/safe_yaml/deep.rb
+- lib/safe_yaml/load.rb
 - lib/safe_yaml/parse/date.rb
 - lib/safe_yaml/parse/hexadecimal.rb
 - lib/safe_yaml/parse/sexagesimal.rb
@@ -50,6 +52,7 @@ files:
 - spec/exploit.1.9.2.yaml
 - spec/exploit.1.9.3.yaml
 - spec/issue48.txt
+- spec/issue49.yml
 - spec/psych_resolver_spec.rb
 - spec/resolver_specs.rb
 - spec/safe_yaml_spec.rb
@@ -61,6 +64,7 @@ files:
 - spec/transform/to_float_spec.rb
 - spec/transform/to_integer_spec.rb
 - spec/transform/to_symbol_spec.rb
+- spec/yaml_spec.rb
 homepage: http://dtao.github.com/safe_yaml/
 licenses:
 - MIT
@@ -76,9 +80,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 1.8.7
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - '>'
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
 rubygems_version: 2.0.6
@@ -90,6 +94,7 @@ test_files:
 - spec/exploit.1.9.2.yaml
 - spec/exploit.1.9.3.yaml
 - spec/issue48.txt
+- spec/issue49.yml
 - spec/psych_resolver_spec.rb
 - spec/resolver_specs.rb
 - spec/safe_yaml_spec.rb
@@ -101,3 +106,4 @@ test_files:
 - spec/transform/to_float_spec.rb
 - spec/transform/to_integer_spec.rb
 - spec/transform/to_symbol_spec.rb
+- spec/yaml_spec.rb