safe_yaml 1.0.0 → 1.0.1

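--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
----
-SHA1:
-metadata.gz: bf7e5c41614da36f8ccd36e18b855f8e29c4060e
-data.tar.gz: a0c48508dea39d200aea9f5fb689a6957c9ba235
-SHA512:
-metadata.gz: b67c8e20aea0cc1898e5af8ff8b5e8e98e4ae522b6d18a692b2649faea810b674967af561c027f160316977964fc235c99bd5fc2ee41930f610ad4d96c7bc7f5
-data.tar.gz: 6c524eb43f7878a8e01c0db24680d939531313328d62a424d49cf75776bcef66854e5c5589dd9fef5dd47633c013635c24ece5e04ab5c2d8a19f2c3ea926e6ba
+---
+SHA1:
+metadata.gz: 5a072651152f97592749563e45a793b71928ed80
+data.tar.gz: 0de35cc4fefc6f0f98d81c5ef1284382e47c8e3c
+SHA512:
+metadata.gz: 4b3b766d2e7b1d211d8645a57ab3dfefd253cebd29fb7981f792e7194fd66b61d8fc21213088b67420481d1baeb12aad35b024f0d19cf3164c2c756151b45b75
+data.tar.gz: 457535a8deac214dd3e898d2f38ed654c2c854d76572644d2255ef4fa2040fdd4c1d509c9c197983e84e687dd77f6ac0bcd5686032a4067cf72161fdcd998cbf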
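--- a/data/README.md
+++ b/data/README.md
@@ -2,6 +2,7 @@ SafeYAML
 ========
 
 [![Build Status](https://travis-ci.org/dtao/safe_yaml.png)](http://travis-ci.org/dtao/safe_yaml)
+[![Gem Version](https://badge.fury.io/rb/safe_yaml.png)](http://badge.fury.io/rb/safe_yaml)
 
 The **SafeYAML** gem provides an alternative implementation of `YAML.load` suitable for accepting user input in Ruby applications. Unlike Ruby's built-in implementation of `YAML.load`, SafeYAML's version will not expose apps to arbitrary code execution exploits (such as [the ones discovered](http://www.reddit.com/r/netsec/comments/167c11/serious_vulnerability_in_ruby_on_rails_allowing/) [in Rails in early 2013](http://www.h-online.com/open/news/item/Rails-developers-close-another-extremely-critical-flaw-1793511.html)).
 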
@@ -5,6 +5,8 @@ module SafeYAML
5
5
  return true, Date.parse(value) if Parse::Date::DATE_MATCHER.match(value)
6
6
  return true, Parse::Date.value(value) if Parse::Date::TIME_MATCHER.match(value)
7
7
  false
8
+ rescue ArgumentError
9
+ return true, value
8
10
  end
9
11
  end
10
12
  end
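Review bot: The `rescue ArgumentError` added at the end of the method is method-scoped, so an ArgumentError raised by anything in the body — not only by `Date.parse` or `Parse::Date.value` — is turned into `[true, value]`, which hands the input back unchanged as a string and hides the underlying error; the enclosing method begins above this hunk, so its header and any earlier statements are not visible here. Since the two parse calls on the context lines are the only intended sources (out-of-range fields such as month 13, and on newer date gems a `Date::Error`, which I believe subclasses ArgumentError), wrapping just those calls keeps the same fallback for malformed dates without masking other failures. A why-comment on the fallback would also help the next reader, e.g. `# Out-of-range date fields raise ArgumentError; presumably YAML treats such scalars as plain strings, so return the value as-is.` The narrowed form is sketched below; the `false` result for non-matching input stays outside the rescue.
```ruby
# … unchanged: method header above the hunk …
begin
  return true, Date.parse(value) if Parse::Date::DATE_MATCHER.match(value)
  return true, Parse::Date.value(value) if Parse::Date::TIME_MATCHER.match(value)
rescue ArgumentError
  # Out-of-range date fields (e.g. month 13): hand the scalar back unchanged as a string.
  return true, value
end
false
```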
@@ -1,3 +1,3 @@
1
1
  module SafeYAML
2
- VERSION = "1.0.0"
2
+ VERSION = "1.0.1"
3
3
  end
@@ -38,4 +38,23 @@ describe SafeYAML::Transform::ToDate do
38
38
  result.should == Time.utc(2012, 11, 30, 23, 33, 45)
39
39
  result.gmt_offset.should == Time.now.gmt_offset
40
40
  end
41
+
42
+ it "returns strings for invalid dates" do
43
+ subject.transform?("0000-00-00").should == [true, "0000-00-00"]
44
+ subject.transform?("2013-13-01").should == [true, "2013-13-01"]
45
+ subject.transform?("2014-01-32").should == [true, "2014-01-32"]
46
+ end
47
+
48
+ it "returns strings for invalid date/times" do
49
+ subject.transform?("0000-00-00 00:00:00 -0000").should == [true, "0000-00-00 00:00:00 -0000"]
50
+ subject.transform?("2013-13-01 21:59:43 -05:00").should == [true, "2013-13-01 21:59:43 -05:00"]
51
+ subject.transform?("2013-01-32 21:59:43 -05:00").should == [true, "2013-01-32 21:59:43 -05:00"]
52
+ subject.transform?("2013-01-30 25:59:43 -05:00").should == [true, "2013-01-30 25:59:43 -05:00"]
53
+ subject.transform?("2013-01-30 21:69:43 -05:00").should == [true, "2013-01-30 21:69:43 -05:00"]
54
+
55
+ # Interesting. It seems that in some older Ruby versions, the below actually parses successfully
56
+ # w/ DateTime.parse; but it fails w/ YAML.load. Whom to follow???
57
+
58
+ # subject.transform?("2013-01-30 21:59:63 -05:00").should == [true, "2013-01-30 21:59:63 -05:00"]
59
+ end
41
60
  end
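Review bot: The commented-out expectation at the end of the "returns strings for invalid date/times" example (`# subject.transform?("2013-01-30 21:59:63 -05:00") …`) records a real version difference but is invisible to the test runner, so nothing will surface if the behaviour changes again. Turning it into a pending example (`it "..." do pending "seconds = 63 parses on some older Rubies"; ...; end`) or guarding the expectation on `RUBY_VERSION` keeps the open question in the test output rather than in a comment, and the "Whom to follow???" note could then state the decision taken. The surrounding `describe` block starts above this hunk.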
metadata CHANGED
@@ -1,26 +1,21 @@
1
- --- !ruby/object:Gem::Specification
1
+ --- !ruby/object:Gem::Specification
2
2
  name: safe_yaml
3
- version: !ruby/object:Gem::Version
4
- version: 1.0.0
3
+ version: !ruby/object:Gem::Version
4
+ version: 1.0.1
5
5
  platform: ruby
6
- authors:
6
+ authors:
7
7
  - Dan Tao
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
-
12
- date: 2013-12-27 00:00:00 Z
11
+ date: 2014-01-10 00:00:00.000000000 Z
13
12
  dependencies: []
14
-
15
13
  description: Parse YAML safely
16
14
  email: daniel.tao@gmail.com
17
15
  executables: []
18
-
19
16
  extensions: []
20
-
21
17
  extra_rdoc_files: []
22
-
23
- files:
18
+ files:
24
19
  - .gitignore
25
20
  - .travis.yml
26
21
  - CHANGES.md
@@ -70,33 +65,31 @@ files:
70
65
  - spec/transform/to_symbol_spec.rb
71
66
  - spec/yaml_spec.rb
72
67
  homepage: https://github.com/dtao/safe_yaml
73
- licenses:
68
+ licenses:
74
69
  - MIT
75
70
  metadata: {}
76
-
77
71
  post_install_message:
78
72
  rdoc_options: []
79
-
80
- require_paths:
73
+ require_paths:
81
74
  - lib
82
- required_ruby_version: !ruby/object:Gem::Requirement
83
- requirements:
84
- - - ">="
85
- - !ruby/object:Gem::Version
75
+ required_ruby_version: !ruby/object:Gem::Requirement
76
+ requirements:
77
+ - - '>='
78
+ - !ruby/object:Gem::Version
86
79
  version: 1.8.7
87
- required_rubygems_version: !ruby/object:Gem::Requirement
88
- requirements:
89
- - - ">="
90
- - !ruby/object:Gem::Version
91
- version: "0"
80
+ required_rubygems_version: !ruby/object:Gem::Requirement
81
+ requirements:
82
+ - - '>='
83
+ - !ruby/object:Gem::Version
84
+ version: '0'
92
85
  requirements: []
93
-
94
86
  rubyforge_project:
95
87
  rubygems_version: 2.0.14
96
88
  signing_key:
97
89
  specification_version: 4
98
- summary: SameYAML provides an alternative implementation of YAML.load suitable for accepting user input in Ruby applications.
99
- test_files:
90
+ summary: SameYAML provides an alternative implementation of YAML.load suitable for
91
+ accepting user input in Ruby applications.
92
+ test_files:
100
93
  - spec/exploit.1.9.2.yaml
101
94
  - spec/exploit.1.9.3.yaml
102
95
  - spec/issue48.txt