safe_yaml 1.0.1 → 1.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5a072651152f97592749563e45a793b71928ed80
-  data.tar.gz: 0de35cc4fefc6f0f98d81c5ef1284382e47c8e3c
+  metadata.gz: 6cf9f3e405ec65c54f30eaec331423a67877dc34
+  data.tar.gz: 0cf7116a88485be0057ff010ab330569391a9e2e
 SHA512:
-  metadata.gz: 4b3b766d2e7b1d211d8645a57ab3dfefd253cebd29fb7981f792e7194fd66b61d8fc21213088b67420481d1baeb12aad35b024f0d19cf3164c2c756151b45b75
-  data.tar.gz: 457535a8deac214dd3e898d2f38ed654c2c854d76572644d2255ef4fa2040fdd4c1d509c9c197983e84e687dd77f6ac0bcd5686032a4067cf72161fdcd998cbf
+  metadata.gz: 63cb08bcc97ac6e4bf25e1da93f047f0edf1726ea404864e7e47fc920dd3c8f8df988b7e532efbb31ef6d611c24cf43577978eee12817e273e8ea254b2f55203
+  data.tar.gz: 89be3d3d4be1c8f9dc54f7d41842a443b6d8fe71586c7d79a3002fc87a71db83809d59679f431221877fdd2fc8da3a0e88ed7b79a534b1d0cc75d2218c12f4c6

data/.gitignore

@@ -1,2 +1 @@
 Gemfile.lock
-dist/

data/CHANGES.md

@@ -1,3 +1,22 @@
+1.0.2
+-----
+
+- added warning when using Psych + an older version of libyaml
+
+1.0.1
+-----
+
+- fixed handling for strings that look like (invalid) dates
+
+1.0.0
+-----
+
+- updated date parsing to use local timezone
+- **now requiring "safe_yaml/load" provides `SafeYAML.load` without clobbering `YAML`**
+- fixed handling of empty files
+- fixed some (edge case) integer parsing bugs
+- fixed some JRuby-specific issues
+
 0.9.7
 -----
 

data/lib/safe_yaml.rb

@@ -33,21 +33,19 @@ module YAML
     SafeYAML.load_file(*args)
   end
 
-  def self.unsafe_load_file(filename)
-    if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
+  if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
+    def self.unsafe_load_file(filename)
       # https://github.com/tenderlove/psych/blob/v1.3.2/lib/psych.rb#L296-298
       File.open(filename, 'r:bom|utf-8') { |f| self.unsafe_load(f, filename) }
-    else
+    end
+
+  else
+    def self.unsafe_load_file(filename)
       # https://github.com/tenderlove/psych/blob/v1.2.2/lib/psych.rb#L231-233
       self.unsafe_load File.open(filename)
     end
   end
 
-  def self.unsafe_load_file(filename)
-    # https://github.com/indeyets/syck/blob/master/ext/ruby/lib/yaml.rb#L133-135
-    File.open(filename) { |f| self.unsafe_load(f) }
-  end
-
   class << self
     alias_method :unsafe_load, :load
     alias_method :load, :load_with_options

data/lib/safe_yaml/load.rb

@@ -4,8 +4,34 @@ require "yaml"
 # their behavior off of this.
 module SafeYAML
   YAML_ENGINE = defined?(YAML::ENGINE) ? YAML::ENGINE.yamler : "syck"
+  LIBYAML_VERSION = YAML_ENGINE == "psych" && Psych.const_defined?("LIBYAML_VERSION", false) ? Psych::LIBYAML_VERSION : nil
+
+  def self.check_libyaml_version
+    if YAML_ENGINE == "psych" && (LIBYAML_VERSION.nil? || LIBYAML_VERSION < "0.1.6")
+      Kernel.warn <<-EOWARNING.gsub(/^ +/, '  ')
+
+        \e[33mSafeYAML Warning\e[39m
+        \e[33m----------------\e[39m
+
+        \e[31mYou appear to have an outdated version of libyaml (#{LIBYAML_VERSION}) installed on your system.\e[39m
+
+        Prior to 0.1.6, libyaml is vulnerable to a heap overflow exploit from malicious YAML payloads.
+
+        For more info, see:
+        https://www.ruby-lang.org/en/news/2014/03/29/heap-overflow-in-yaml-uri-escape-parsing-cve-2014-2525/
+
+        The easiest thing to do right now is probably to update Psych to the latest version and enable
+        the 'bundled-libyaml' option, which will install a vendored libyaml with the vulnerability patched:
+
+        \e[32mgem install psych -- --enable-bundled-libyaml\e[39m
+
+      EOWARNING
+    end
+  end
 end
 
+SafeYAML.check_libyaml_version
+
 require "set"
 require "safe_yaml/deep"
 require "safe_yaml/parse/hexadecimal"
@@ -36,7 +62,28 @@ module SafeYAML
 
   OPTIONS = Deep.copy(DEFAULT_OPTIONS)
 
+  PREDEFINED_TAGS = {}
+
+  if YAML_ENGINE == "syck"
+    YAML.tagged_classes.each do |tag, klass|
+      PREDEFINED_TAGS[klass] = tag
+    end
+
+  else
+    # Special tags appear to be hard-coded in Psych:
+    # https://github.com/tenderlove/psych/blob/v1.3.4/lib/psych/visitors/to_ruby.rb
+    # Fortunately, there aren't many that SafeYAML doesn't already support.
+    PREDEFINED_TAGS.merge!({
+      Exception => "!ruby/exception",
+      Range     => "!ruby/range",
+      Regexp    => "!ruby/regexp",
+    })
+  end
+
+  Deep.freeze(PREDEFINED_TAGS)
+
   module_function
+
   def restore_defaults!
     OPTIONS.clear.merge!(Deep.copy(DEFAULT_OPTIONS))
   end
@@ -61,7 +108,7 @@ module SafeYAML
     raise "#{klass} cannot be anonymous" if klass_name.nil? || klass_name.empty?
 
     # Whitelist any built-in YAML tags supplied by Syck or Psych.
-    predefined_tag = predefined_tags[klass]
+    predefined_tag = PREDEFINED_TAGS[klass]
     if predefined_tag
       OPTIONS[:whitelisted_tags] << predefined_tag
       return
@@ -78,30 +125,6 @@ module SafeYAML
     OPTIONS[:whitelisted_tags] << "#{tag_prefix}:#{klass_name}"
   end
 
-  def predefined_tags
-    if @predefined_tags.nil?
-      @predefined_tags = {}
-
-      if YAML_ENGINE == "syck"
-        YAML.tagged_classes.each do |tag, klass|
-          @predefined_tags[klass] = tag
-        end
-
-      else
-        # Special tags appear to be hard-coded in Psych:
-        # https://github.com/tenderlove/psych/blob/v1.3.4/lib/psych/visitors/to_ruby.rb
-        # Fortunately, there aren't many that SafeYAML doesn't already support.
-        @predefined_tags.merge!({
-          Exception => "!ruby/exception",
-          Range     => "!ruby/range",
-          Regexp    => "!ruby/regexp",
-        })
-      end
-    end
-
-    @predefined_tags
-  end
-
   if YAML_ENGINE == "psych"
     def tag_is_explicitly_trusted?(tag)
       false

data/lib/safe_yaml/parse/date.rb

@@ -19,7 +19,7 @@ module SafeYAML
 
       # The DateTime class has a #to_time method in Ruby 1.9+;
       # Before that we'll just need to convert DateTime to Time ourselves.
-      TO_TIME_AVAILABLE = DateTime.new.respond_to?(:to_time)
+      TO_TIME_AVAILABLE = DateTime.instance_methods.include?(:to_time)
 
       def self.value(value)
         d = DateTime.parse(value)

data/lib/safe_yaml/version.rb

@@ -1,3 +1,3 @@
 module SafeYAML
-  VERSION = "1.0.1"
+  VERSION = "1.0.2"
 end

data/spec/psych_resolver_spec.rb

@@ -1,4 +1,4 @@
-require File.join(File.dirname(__FILE__), "spec_helper")
+require "spec_helper"
 
 if SafeYAML::YAML_ENGINE == "psych"
   require "safe_yaml/psych_resolver"

data/spec/resolver_specs.rb

@@ -16,8 +16,31 @@ module ResolverSpecs
 
       # Isn't this how I should've been doing it all along?
       def parse_and_test(yaml)
-        parse(yaml)
-        @result.should == YAML.unsafe_load(yaml)
+        safe_result = parse(yaml)
+
+        exception_thrown = nil
+
+        unsafe_result = begin
+          YAML.unsafe_load(yaml)
+        rescue Exception => e
+          exception_thrown = e
+        end
+
+        if exception_thrown
+          # If the underlying YAML parser (e.g. Psych) threw an exception, I'm
+          # honestly not sure what the right thing to do is. For now I'll just
+          # print a warning. Should SafeYAML fail when Psych fails?
+          Kernel.warn "\n"
+          Kernel.warn "Discrepancy between SafeYAML and #{SafeYAML::YAML_ENGINE} on input:\n"
+          Kernel.warn "#{yaml.unindent}\n"
+          Kernel.warn "SafeYAML result:"
+          Kernel.warn "#{safe_result.inspect}\n"
+          Kernel.warn "#{SafeYAML::YAML_ENGINE} result:"
+          Kernel.warn "#{exception_thrown.inspect}\n"
+
+        else
+          safe_result.should == unsafe_result
+        end
       end
 
       context "by default" do

data/spec/safe_yaml_spec.rb

@@ -1,4 +1,4 @@
-require File.join(File.dirname(__FILE__), "spec_helper")
+require "spec_helper"
 
 describe YAML do
   # Essentially stolen from:
@@ -32,6 +32,47 @@ describe YAML do
     SafeYAML.restore_defaults!
   end
 
+  describe "check_libyaml_version" do
+    REAL_YAML_ENGINE = SafeYAML::YAML_ENGINE
+    REAL_LIBYAML_VERSION = SafeYAML::LIBYAML_VERSION
+
+    after :each do
+      silence_warnings do
+        SafeYAML::YAML_ENGINE = REAL_YAML_ENGINE
+        SafeYAML::LIBYAML_VERSION = REAL_LIBYAML_VERSION
+      end
+    end
+
+    def test_check_libyaml_version(warning_expected, yaml_engine, libyaml_version=nil)
+      silence_warnings do
+        SafeYAML.const_set("YAML_ENGINE", yaml_engine)
+        SafeYAML.const_set("LIBYAML_VERSION", libyaml_version)
+        Kernel.send(warning_expected ? :should_receive : :should_not_receive, :warn)
+        SafeYAML.check_libyaml_version
+      end
+    end
+
+    it "issues no warnings when 'Syck' is the YAML engine" do
+      test_check_libyaml_version(false, "syck")
+    end
+
+    it "issues a warning if Psych::LIBYAML_VERSION is not defined" do
+      test_check_libyaml_version(true, "psych")
+    end
+
+    it "issues a warning if Psych::LIBYAML_VERSION is < 0.1.6" do
+      test_check_libyaml_version(true, "psych", "0.1.5")
+    end
+
+    it "issues no warning if Psych::LIBYAML_VERSION is == 0.1.6" do
+      test_check_libyaml_version(false, "psych", "0.1.6")
+    end
+
+    it "issues no warning if Psych::LIBYAML_VERSION is > 0.1.6" do
+      test_check_libyaml_version(false, "psych", "1.0.0")
+    end
+  end
+
   describe "unsafe_load" do
     if SafeYAML::YAML_ENGINE == "psych" && RUBY_VERSION >= "1.9.3"
       it "allows exploits through objects defined in YAML w/ !ruby/hash via custom :[]= methods" do

data/spec/spec_helper.rb

@@ -7,12 +7,19 @@ $LOAD_PATH << File.join(HERE, "support")
 require "yaml"
 if ENV["YAMLER"] && defined?(YAML::ENGINE)
   YAML::ENGINE.yamler = ENV["YAMLER"]
-  puts "Running specs in Ruby #{RUBY_VERSION} with '#{YAML::ENGINE.yamler}' YAML engine."
 end
 
-if defined?(JRUBY_VERSION) && ENV["JRUBY_OPTS"]
-  puts "Running JRuby in #{RUBY_VERSION} mode."
-end
+ruby_version = defined?(JRUBY_VERSION) ? "JRuby #{JRUBY_VERSION} in #{RUBY_VERSION} mode" : "Ruby #{RUBY_VERSION}"
+yaml_engine = defined?(YAML::ENGINE) ? YAML::ENGINE.yamler : "syck"
+libyaml_version = yaml_engine == "psych" && Psych.const_defined?("LIBYAML_VERSION", false) ? Psych::LIBYAML_VERSION : "N/A"
+
+puts <<-EOM
+
+  Running #{ruby_version} with '#{yaml_engine}' YAML engine.
+  YAML engine version: #{YAML::VERSION}
+  libyaml version: #{libyaml_version}
+
+EOM
 
 # Caching references to these methods before loading safe_yaml in order to test
 # that they aren't touched unless you actually require safe_yaml (see yaml_spec.rb).

data/spec/syck_resolver_spec.rb

@@ -1,4 +1,4 @@
-require File.join(File.dirname(__FILE__), "spec_helper")
+require "spec_helper"
 
 if SafeYAML::YAML_ENGINE == "syck"
   require "safe_yaml/syck_resolver"

data/spec/transform/base64_spec.rb

@@ -1,4 +1,4 @@
-require File.join(File.dirname(__FILE__), "..", "spec_helper")
+require "spec_helper"
 
 describe SafeYAML::Transform do
   it "should return the same encoding when decoding Base64" do

data/spec/transform/to_date_spec.rb

@@ -1,4 +1,4 @@
-require File.join(File.dirname(__FILE__), "..", "spec_helper")
+require "spec_helper"
 
 describe SafeYAML::Transform::ToDate do
   it "returns true when the value matches a valid Date" do
@@ -36,7 +36,7 @@ describe SafeYAML::Transform::ToDate do
     success, result = subject.transform?("2012-12-01 10:33:45 +11:00")
     success.should be_true
     result.should == Time.utc(2012, 11, 30, 23, 33, 45)
-    result.gmt_offset.should == Time.now.gmt_offset
+    result.gmt_offset.should == Time.local(2012, 11, 30).gmt_offset
   end
 
   it "returns strings for invalid dates" do

data/spec/transform/to_float_spec.rb

@@ -1,4 +1,4 @@
-require File.join(File.dirname(__FILE__), "..", "spec_helper")
+require "spec_helper"
 
 describe SafeYAML::Transform::ToFloat do
   it "returns true when the value matches a valid Float" do

data/spec/transform/to_integer_spec.rb

@@ -1,4 +1,4 @@
-require File.join(File.dirname(__FILE__), "..", "spec_helper")
+require "spec_helper"
 
 describe SafeYAML::Transform::ToInteger do
   it "returns true when the value matches a valid Integer" do

data/spec/transform/to_symbol_spec.rb

@@ -1,4 +1,4 @@
-require File.join(File.dirname(__FILE__), "..", "spec_helper")
+require "spec_helper"
 
 describe SafeYAML::Transform::ToSymbol do
   def with_symbol_deserialization_value(value)

data/spec/yaml_spec.rb

@@ -1,6 +1,6 @@
 # See https://github.com/dtao/safe_yaml/issues/47
 
-require File.join(File.dirname(__FILE__), "spec_helper")
+require "spec_helper"
 
 describe YAML do
   context "when you've only required safe_yaml/load", :libraries => true do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: safe_yaml
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.0.2
 platform: ruby
 authors:
 - Dan Tao
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-01-10 00:00:00.000000000 Z
+date: 2014-04-04 00:00:00.000000000 Z
 dependencies: []
 description: Parse YAML safely
 email: daniel.tao@gmail.com
@@ -16,8 +16,8 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .travis.yml
+- ".gitignore"
+- ".travis.yml"
 - CHANGES.md
 - Gemfile
 - LICENSE.txt
@@ -74,12 +74,12 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: 1.8.7
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []