safe_yaml 1.0.2 → 1.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6cf9f3e405ec65c54f30eaec331423a67877dc34
-  data.tar.gz: 0cf7116a88485be0057ff010ab330569391a9e2e
+  metadata.gz: fac2ccd0e0ff144a5b72c1597d16206e9c401753
+  data.tar.gz: c13a8b54286042faf6c3c2caa9fd2ec6d436fe1e
 SHA512:
-  metadata.gz: 63cb08bcc97ac6e4bf25e1da93f047f0edf1726ea404864e7e47fc920dd3c8f8df988b7e532efbb31ef6d611c24cf43577978eee12817e273e8ea254b2f55203
-  data.tar.gz: 89be3d3d4be1c8f9dc54f7d41842a443b6d8fe71586c7d79a3002fc87a71db83809d59679f431221877fdd2fc8da3a0e88ed7b79a534b1d0cc75d2218c12f4c6
+  metadata.gz: f5bedc29148ac5d69c163793ef490ad22261c63ca7b390e80f4a405d62a7ccef5d91520344b6901ca785db584bbf197b0ec4a2c55170fa6b6adce6b077151f41
+  data.tar.gz: 77a93e398b12f8661b8fc9ab672b4d5278e5c4e2e6a7c615ee162934ad5b0c23867a94e3d2425f543563e5e04890fc76f96e7e25c99ccc8c94740c1e948212ae

data/README.md

@@ -172,6 +172,7 @@ Also be aware that some Ruby libraries, particularly those requiring inter-proce
   1. set the `:deserialize_symbols` option to `true`,
   2. whitelist some of the types in your serialized data via `SafeYAML.whitelist!` or the `:whitelisted_tags` option, or
   3. both
+- [**delayed_job**](https://github.com/collectiveidea/delayed_job): Uses YAML to serialize the objects on which delayed methods are invoked (with `delay`). The safest solution in this case is to use `SafeYAML.whitelist!` to whitelist the types you need to serialize.
 - [**Guard**](https://github.com/guard/guard): Uses YAML as a serialization format for notifications. The data serialized uses symbolic keys, so setting `SafeYAML::OPTIONS[:deserialize_symbols] = true` is necessary to allow Guard to work.
 - [**sidekiq**](https://github.com/mperham/sidekiq): Uses a YAML configiuration file with symbolic keys, so setting `SafeYAML::OPTIONS[:deserialize_symbols] = true` should allow it to work.
 

data/bin/safe_yaml

@@ -0,0 +1,75 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH << File.join(File.dirname(__FILE__), '..', 'lib')
+
+require 'optparse'
+require 'safe_yaml/load'
+
+options = {}
+option_parser = OptionParser.new do |opts|
+  opts.banner = "Usage: safe_yaml [options]"
+
+  opts.on("-f", "--file=<path>", "Parse the given YAML file, dump the result to STDOUT") do |file|
+    options[:file] = file
+  end
+
+  opts.on("--libyaml-check", "Check for libyaml vulnerability CVE-2014-2525 on your system") do
+    options[:libyaml_check] = true
+  end
+end
+
+option_parser.parse!
+
+def report_libyaml_ok
+  puts "\e[32mGood news! You definitely have either a patched or up-to-date libyaml version :)\e[39m"
+end
+
+def check_for_overflow_bug
+  YAML.load("--- !#{'%20' * 100}")
+  report_libyaml_ok
+end
+
+def perform_libyaml_check(force=false)
+  unless SafeYAML::LibyamlChecker.libyaml_version_ok?
+    warn <<-EOM.gsub(/^ +/, '  ')
+
+      \e[33mSafeYAML Warning\e[39m
+      \e[33m----------------\e[39m
+
+      \e[31mYou may have an outdated version of libyaml (#{SafeYAML::LibyamlChecker::LIBYAML_VERSION}) installed on your system.\e[39m
+
+      Prior to 0.1.6, libyaml is vulnerable to a heap overflow exploit from malicious YAML payloads.
+
+      For more info, see:
+      https://www.ruby-lang.org/en/news/2014/03/29/heap-overflow-in-yaml-uri-escape-parsing-cve-2014-2525/
+    EOM
+  end
+
+  puts <<-EOM.gsub(/^ +/, '  ')
+
+    Hit Enter to check if your version of libyaml is vulnerable. This will run a test \e[31mwhich may crash\e[39m
+    \e[31mthe current process\e[39m. If it does, your system is vulnerable and you should do something about it.
+
+    Type "nm" and hit Enter if you don't want to run the check.
+
+    See the project wiki for more info:
+
+    https://github.com/dtao/safe_yaml/wiki/The-libyaml-vulnerability
+  EOM
+
+  if STDIN.readline.chomp("\n") != 'nm'
+    check_for_overflow_bug
+  end
+end
+
+if options[:libyaml_check]
+  perform_libyaml_check(options[:force_libyaml_check])
+
+elsif options[:file]
+  yaml = File.read(options[:file])
+  result = SafeYAML.load(yaml)
+  puts result.inspect
+
+else
+  puts option_parser.help
+end

data/lib/safe_yaml/libyaml_checker.rb

@@ -0,0 +1,36 @@
+require "set"
+
+module SafeYAML
+  class LibyamlChecker
+    LIBYAML_VERSION = Psych::LIBYAML_VERSION rescue nil
+
+    # Do proper version comparison (e.g. so 0.1.10 is >= 0.1.6)
+    SAFE_LIBYAML_VERSION = Gem::Version.new("0.1.6")
+
+    KNOWN_PATCHED_LIBYAML_VERSIONS = Set.new([
+      # http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-2525.html
+      "0.1.4-2ubuntu0.12.04.3",
+      "0.1.4-2ubuntu0.12.10.3",
+      "0.1.4-2ubuntu0.13.10.3",
+      "0.1.4-3ubuntu3",
+
+      # https://security-tracker.debian.org/tracker/CVE-2014-2525
+      "0.1.3-1+deb6u4",
+      "0.1.4-2+deb7u4",
+      "0.1.4-3.2"
+    ]).freeze
+
+    def self.libyaml_version_ok?
+      return true if YAML_ENGINE != "psych" || defined?(JRUBY_VERSION)
+      return true if Gem::Version.new(LIBYAML_VERSION || "0") >= SAFE_LIBYAML_VERSION
+      return libyaml_patched?
+    end
+
+    def self.libyaml_patched?
+      return false if (`which dpkg` rescue '').empty?
+      libyaml_version = `dpkg -s libyaml-0-2`.match(/^Version: (.*)$/)
+      return false if libyaml_version.nil?
+      KNOWN_PATCHED_LIBYAML_VERSIONS.include?(libyaml_version[1])
+    end
+  end
+end

data/lib/safe_yaml/load.rb

@@ -1,38 +1,13 @@
+require "set"
 require "yaml"
 
 # This needs to be defined up front in case any internal classes need to base
 # their behavior off of this.
 module SafeYAML
   YAML_ENGINE = defined?(YAML::ENGINE) ? YAML::ENGINE.yamler : "syck"
-  LIBYAML_VERSION = YAML_ENGINE == "psych" && Psych.const_defined?("LIBYAML_VERSION", false) ? Psych::LIBYAML_VERSION : nil
-
-  def self.check_libyaml_version
-    if YAML_ENGINE == "psych" && (LIBYAML_VERSION.nil? || LIBYAML_VERSION < "0.1.6")
-      Kernel.warn <<-EOWARNING.gsub(/^ +/, '  ')
-
-        \e[33mSafeYAML Warning\e[39m
-        \e[33m----------------\e[39m
-
-        \e[31mYou appear to have an outdated version of libyaml (#{LIBYAML_VERSION}) installed on your system.\e[39m
-
-        Prior to 0.1.6, libyaml is vulnerable to a heap overflow exploit from malicious YAML payloads.
-
-        For more info, see:
-        https://www.ruby-lang.org/en/news/2014/03/29/heap-overflow-in-yaml-uri-escape-parsing-cve-2014-2525/
-
-        The easiest thing to do right now is probably to update Psych to the latest version and enable
-        the 'bundled-libyaml' option, which will install a vendored libyaml with the vulnerability patched:
-
-        \e[32mgem install psych -- --enable-bundled-libyaml\e[39m
-
-      EOWARNING
-    end
-  end
 end
 
-SafeYAML.check_libyaml_version
-
-require "set"
+require "safe_yaml/libyaml_checker"
 require "safe_yaml/deep"
 require "safe_yaml/parse/hexadecimal"
 require "safe_yaml/parse/sexagesimal"

data/lib/safe_yaml/version.rb

@@ -1,3 +1,3 @@
 module SafeYAML
-  VERSION = "1.0.2"
+  VERSION = "1.0.3"
 end

data/safe_yaml.gemspec

@@ -13,6 +13,7 @@ Gem::Specification.new do |gem|
   gem.files         = `git ls-files`.split($\)
   gem.test_files    = gem.files.grep(%r{^spec/})
   gem.require_paths = ["lib"]
+  gem.executables   = ["safe_yaml"]
 
   gem.required_ruby_version = ">= 1.8.7"
 end

data/spec/libyaml_checker_spec.rb

@@ -0,0 +1,69 @@
+require "spec_helper"
+
+describe SafeYAML::LibyamlChecker do
+  describe "check_libyaml_version" do
+    REAL_YAML_ENGINE = SafeYAML::YAML_ENGINE
+    REAL_LIBYAML_VERSION = SafeYAML::LibyamlChecker::LIBYAML_VERSION
+
+    let(:libyaml_patched) { false }
+
+    before :each do
+      SafeYAML::LibyamlChecker.stub(:libyaml_patched?).and_return(libyaml_patched)
+    end
+
+    after :each do
+      silence_warnings do
+        SafeYAML::YAML_ENGINE = REAL_YAML_ENGINE
+        SafeYAML::LibyamlChecker::LIBYAML_VERSION = REAL_LIBYAML_VERSION
+      end
+    end
+
+    def test_libyaml_version_ok(expected_result, yaml_engine, libyaml_version=nil)
+      silence_warnings do
+        SafeYAML.const_set("YAML_ENGINE", yaml_engine)
+        SafeYAML::LibyamlChecker.const_set("LIBYAML_VERSION", libyaml_version)
+        SafeYAML::LibyamlChecker.libyaml_version_ok?.should == expected_result
+      end
+    end
+
+    unless defined?(JRUBY_VERSION)
+      it "issues no warnings when 'Syck' is the YAML engine" do
+        test_libyaml_version_ok(true, "syck")
+      end
+
+      it "issues a warning if Psych::LIBYAML_VERSION is not defined" do
+        test_libyaml_version_ok(false, "psych")
+      end
+
+      it "issues a warning if Psych::LIBYAML_VERSION is < 0.1.6" do
+        test_libyaml_version_ok(false, "psych", "0.1.5")
+      end
+
+      it "issues no warning if Psych::LIBYAML_VERSION is == 0.1.6" do
+        test_libyaml_version_ok(true, "psych", "0.1.6")
+      end
+
+      it "issues no warning if Psych::LIBYAML_VERSION is > 0.1.6" do
+        test_libyaml_version_ok(true, "psych", "1.0.0")
+      end
+
+      it "does a proper version comparison (not just a string comparison)" do
+        test_libyaml_version_ok(true, "psych", "0.1.10")
+      end
+
+      context "when the system has a known patched libyaml version" do
+        let(:libyaml_patched) { true }
+
+        it "issues no warning, even when Psych::LIBYAML_VERSION < 0.1.6" do
+          test_libyaml_version_ok(true, "psych", "0.1.4")
+        end
+      end
+    end
+
+    if defined?(JRUBY_VERSION)
+      it "issues no warning, as JRuby doesn't use libyaml" do
+        test_libyaml_version_ok(true, "psych", "0.1.4")
+      end
+    end
+  end
+end

data/spec/safe_yaml_spec.rb

@@ -1,14 +1,6 @@
 require "spec_helper"
 
 describe YAML do
-  # Essentially stolen from:
-  # https://github.com/rails/rails/blob/3-2-stable/activesupport/lib/active_support/core_ext/kernel/reporting.rb#L10-25
-  def silence_warnings
-    $VERBOSE = nil; yield
-  ensure
-    $VERBOSE = true
-  end
-
   def safe_load_round_trip(object, options={})
     yaml = object.to_yaml
     if SafeYAML::YAML_ENGINE == "psych"
@@ -32,47 +24,6 @@ describe YAML do
     SafeYAML.restore_defaults!
   end
 
-  describe "check_libyaml_version" do
-    REAL_YAML_ENGINE = SafeYAML::YAML_ENGINE
-    REAL_LIBYAML_VERSION = SafeYAML::LIBYAML_VERSION
-
-    after :each do
-      silence_warnings do
-        SafeYAML::YAML_ENGINE = REAL_YAML_ENGINE
-        SafeYAML::LIBYAML_VERSION = REAL_LIBYAML_VERSION
-      end
-    end
-
-    def test_check_libyaml_version(warning_expected, yaml_engine, libyaml_version=nil)
-      silence_warnings do
-        SafeYAML.const_set("YAML_ENGINE", yaml_engine)
-        SafeYAML.const_set("LIBYAML_VERSION", libyaml_version)
-        Kernel.send(warning_expected ? :should_receive : :should_not_receive, :warn)
-        SafeYAML.check_libyaml_version
-      end
-    end
-
-    it "issues no warnings when 'Syck' is the YAML engine" do
-      test_check_libyaml_version(false, "syck")
-    end
-
-    it "issues a warning if Psych::LIBYAML_VERSION is not defined" do
-      test_check_libyaml_version(true, "psych")
-    end
-
-    it "issues a warning if Psych::LIBYAML_VERSION is < 0.1.6" do
-      test_check_libyaml_version(true, "psych", "0.1.5")
-    end
-
-    it "issues no warning if Psych::LIBYAML_VERSION is == 0.1.6" do
-      test_check_libyaml_version(false, "psych", "0.1.6")
-    end
-
-    it "issues no warning if Psych::LIBYAML_VERSION is > 0.1.6" do
-      test_check_libyaml_version(false, "psych", "1.0.0")
-    end
-  end
-
   describe "unsafe_load" do
     if SafeYAML::YAML_ENGINE == "psych" && RUBY_VERSION >= "1.9.3"
       it "allows exploits through objects defined in YAML w/ !ruby/hash via custom :[]= methods" do

data/spec/spec_helper.rb

@@ -31,4 +31,12 @@ require "ostruct"
 require "hashie"
 require "heredoc_unindent"
 
+# Stolen from Rails:
+# https://github.com/rails/rails/blob/3-2-stable/activesupport/lib/active_support/core_ext/kernel/reporting.rb#L10-25
+def silence_warnings
+  $VERBOSE = nil; yield
+ensure
+  $VERBOSE = true
+end
+
 require File.join(HERE, "resolver_specs")

metadata

@@ -1,31 +1,34 @@
 --- !ruby/object:Gem::Specification
 name: safe_yaml
 version: !ruby/object:Gem::Version
-  version: 1.0.2
+  version: 1.0.3
 platform: ruby
 authors:
 - Dan Tao
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-04-04 00:00:00.000000000 Z
+date: 2014-04-22 00:00:00.000000000 Z
 dependencies: []
 description: Parse YAML safely
 email: daniel.tao@gmail.com
-executables: []
+executables:
+- safe_yaml
 extensions: []
 extra_rdoc_files: []
 files:
-- ".gitignore"
-- ".travis.yml"
+- .gitignore
+- .travis.yml
 - CHANGES.md
 - Gemfile
 - LICENSE.txt
 - README.md
 - Rakefile
+- bin/safe_yaml
 - bundle_install_all_ruby_versions.sh
 - lib/safe_yaml.rb
 - lib/safe_yaml/deep.rb
+- lib/safe_yaml/libyaml_checker.rb
 - lib/safe_yaml/load.rb
 - lib/safe_yaml/parse/date.rb
 - lib/safe_yaml/parse/hexadecimal.rb
@@ -52,6 +55,7 @@ files:
 - spec/exploit.1.9.3.yaml
 - spec/issue48.txt
 - spec/issue49.yml
+- spec/libyaml_checker_spec.rb
 - spec/psych_resolver_spec.rb
 - spec/resolver_specs.rb
 - spec/safe_yaml_spec.rb
@@ -74,17 +78,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - '>='
     - !ruby/object:Gem::Version
       version: 1.8.7
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.14
+rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
 summary: SameYAML provides an alternative implementation of YAML.load suitable for
@@ -94,6 +98,7 @@ test_files:
 - spec/exploit.1.9.3.yaml
 - spec/issue48.txt
 - spec/issue49.yml
+- spec/libyaml_checker_spec.rb
 - spec/psych_resolver_spec.rb
 - spec/resolver_specs.rb
 - spec/safe_yaml_spec.rb