safe_yaml 0.2.2 → 0.3

data/Gemfile

@@ -4,6 +4,7 @@ gemspec
 
 group :development do
   gem "heredoc_unindent"
+  gem "pry"
   gem "rake"
   gem "rspec"
 end

data/Gemfile.lock

@@ -1,13 +1,19 @@
 PATH
   remote: .
   specs:
-    safe_yaml (0.1)
+    safe_yaml (0.2.2)
 
 GEM
   remote: http://rubygems.org/
   specs:
+    coderay (1.0.8)
     diff-lcs (1.1.3)
     heredoc_unindent (1.1.2)
+    method_source (0.8.1)
+    pry (0.9.11.2)
+      coderay (~> 1.0.5)
+      method_source (~> 0.8)
+      slop (~> 3.4)
     rake (10.0.3)
     rspec (2.12.0)
       rspec-core (~> 2.12.0)
@@ -17,12 +23,14 @@ GEM
     rspec-expectations (2.12.1)
       diff-lcs (~> 1.1.3)
     rspec-mocks (2.12.1)
+    slop (3.4.3)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
   heredoc_unindent
+  pry
   rake
   rspec
   safe_yaml!

data/README.md

@@ -1,7 +1,7 @@
 SafeYAML
 ========
 
-*Parse (simple) YAML safely, without that pesky arbitrary code execution vulnerability.*
+*Parse YAML safely, without that pesky arbitrary code execution vulnerability.*
 
 ***
 
@@ -38,4 +38,4 @@ With `YAML.safe_load`, that attacker would be thwarted:
     > YAML.safe_load(yaml)
     => {"foo; end; puts %(I'm in yr system!); def bar"=>"baz"} 
 
-SafeYAML requires Ruby 1.9.2 or newer. Maybe I'll get around to writing a Syck handler eventually, at which point it could support older versions as well.
+SafeYAML requires Ruby 1.8.7 or newer and works with both [Syck](http://www.ruby-doc.org/stdlib-1.8.7/libdoc/yaml/rdoc/YAML.html) and [Psych](http://github.com/tenderlove/psych).

data/lib/safe_yaml/{handler.rb → psych_handler.rb}

@@ -1,20 +1,7 @@
 require "psych"
-require "yaml"
 
 module SafeYAML
-  class Handler < Psych::Handler
-    PREDEFINED_VALUES = {
-      ""      => nil,
-      "~"     => nil,
-      "null"  => nil,
-      "yes"   => true,
-      "on"    => true,
-      "true"  => true,
-      "no"    => false,
-      "off"   => false,
-      "false" => false
-    }.freeze
-
+  class PsychHandler < Psych::Handler
     def initialize
       @anchors = {}
       @stack = []
@@ -25,7 +12,7 @@ module SafeYAML
     end
 
     def add_to_current_structure(value, anchor=nil)
-      value = transform_value(value)
+      value = Transform.to_proper_type(value)
 
       @anchors[anchor] = value if anchor
 
@@ -58,25 +45,6 @@ module SafeYAML
       end
     end
 
-    def transform_value(value)
-      if value.is_a?(String)
-        if PREDEFINED_VALUES.include?(value.downcase)
-          return PREDEFINED_VALUES[value.downcase]
-
-        elsif value.match(/^:\w+$/)
-          return value[1..-1].to_sym
-
-        elsif value.match(/^\d+$/)
-          return value.to_i
-
-        elsif value.match(/^\d+(?:\.\d*)?$/) || value.match(/^\.\d+$/)
-          return value.to_f
-        end
-      end
-
-      value
-    end
-
     def end_current_structure
       @stack.pop
       @current_structure = @stack.last

data/lib/safe_yaml/syck_resolver.rb

@@ -0,0 +1,49 @@
+module SafeYAML
+  class SyckResolver
+    def initialize
+      @anchors = {}
+    end
+
+    def resolve_tree(tree)
+      case tree.kind
+      when :map
+        return resolve_map(tree.value)
+      when :seq
+        return resolve_seq(tree.value)
+      else
+        raise "Don't know how to resolve a #{tree.kind} tree!"
+      end
+    end
+
+    def resolve_node(node)
+      case node.kind
+      when :map
+        return resolve_map(node.value)
+      when :seq
+        return resolve_seq(node.value)
+      when :scalar
+        return resolve_scalar(node.value)
+      end
+    end
+
+    def resolve_map(map)
+      hash = {}
+      map.each do |key_node, value_node|
+        if resolve_node(key_node) == "<<"
+          hash.merge!(resolve_node(value_node))
+        else
+          hash[resolve_node(key_node)] = resolve_node(value_node)
+        end
+      end
+      return hash
+    end
+
+    def resolve_seq(seq)
+      seq.map { |node| resolve_node(node) }
+    end
+
+    def resolve_scalar(scalar)
+      Transform.to_proper_type(scalar)
+    end
+  end
+end

data/lib/safe_yaml/transform.rb

@@ -0,0 +1,34 @@
+module SafeYAML
+  class Transform
+    PREDEFINED_VALUES = {
+      ""      => nil,
+      "~"     => nil,
+      "null"  => nil,
+      "yes"   => true,
+      "on"    => true,
+      "true"  => true,
+      "no"    => false,
+      "off"   => false,
+      "false" => false
+    }.freeze
+
+    def self.to_proper_type(value)
+      if value.is_a?(String)
+        if PREDEFINED_VALUES.include?(value.downcase)
+          return PREDEFINED_VALUES[value.downcase]
+
+        elsif value.match(/^:\w+$/)
+          return value[1..-1].to_sym
+
+        elsif value.match(/^\d+$/)
+          return value.to_i
+
+        elsif value.match(/^\d+(?:\.\d*)?$/) || value.match(/^\.\d+$/)
+          return value.to_f
+        end
+      end
+
+      value
+    end
+  end
+end

data/lib/safe_yaml/version.rb

@@ -1,3 +1,3 @@
 module SafeYAML
-  VERSION = "0.2.2"
+  VERSION = "0.3"
 end

data/lib/safe_yaml.rb

@@ -1,10 +1,22 @@
-require "safe_yaml/handler"
+require "yaml"
+require "safe_yaml/transform"
 require "safe_yaml/version"
 
 module YAML
-  def self.safe_load(yaml)
-    safe_handler = SafeYAML::Handler.new
-    Psych::Parser.new(safe_handler).parse(yaml)
-    return safe_handler.result
+  if RUBY_VERSION >= "1.9.2"
+    require "safe_yaml/psych_handler"
+    def self.safe_load(yaml)
+      safe_handler = SafeYAML::PsychHandler.new
+      Psych::Parser.new(safe_handler).parse(yaml)
+      return safe_handler.result
+    end
+
+  else
+    require "safe_yaml/syck_resolver"
+    def self.safe_load(yaml)
+      safe_resolver = SafeYAML::SyckResolver.new
+      tree = YAML.parse(yaml)
+      return safe_resolver.resolve_tree(tree)
+    end
   end
 end

data/safe_yaml.gemspec

@@ -6,13 +6,13 @@ Gem::Specification.new do |gem|
   gem.version       = SafeYAML::VERSION
   gem.authors       = "Dan Tao"
   gem.email         = "daniel.tao@gmail.com"
-  gem.description   = %q{Parse (simple) YAML safely, without that pesky arbitrary code execution vulnerability.}
+  gem.description   = %q{Parse YAML safely, without that pesky arbitrary code execution vulnerability.}
   gem.summary       = %q{SameYAML adds a ::safe_load method to Ruby's built-in YAML module to parse YAML data for only basic types (strings, symbols, numbers, arrays, and hashes).}
-  gem.homepage      = "http://dtao.github.com/safe_yaml/"
+  gem.homepage      = "http://github.com/dtao/safe_yaml"
 
   gem.files         = `git ls-files`.split($\)
   gem.test_files    = gem.files.grep(%r{^spec/})
   gem.require_paths = ["lib"]
 
-  gem.required_ruby_version = ">= 1.9.2"
+  gem.required_ruby_version = ">= 1.8.7"
 end

data/spec/psych_handler_spec.rb

@@ -0,0 +1,17 @@
+require File.join(File.dirname(__FILE__), "spec_helper")
+
+if RUBY_VERSION >= "1.9.2"
+  require "safe_yaml/psych_handler"
+
+  describe SafeYAML::PsychHandler do
+    let(:handler) { SafeYAML::PsychHandler.new }
+    let(:parser) { Psych::Parser.new(handler) }
+    let(:result) { handler.result }
+
+    def parse(yaml)
+      parser.parse(yaml.unindent)
+    end
+
+    include SharedSpecs
+  end
+end

data/spec/safe_yaml_spec.rb

@@ -4,33 +4,36 @@ require "safe_yaml"
 require "exploitable_back_door"
 
 describe YAML do
-  before :each do
-    ExploitableBackDoor.reset
-  end
-
   describe "load" do
     if RUBY_VERSION >= "1.9.3"
-      it "allows exploits through objects defined in YAML w/ !ruby/hash" do
-        YAML.load "--- !ruby/hash:ExploitableBackDoor\nfoo: bar\n"
-        ExploitableBackDoor.should be_exploited
+      it "allows exploits through objects defined in YAML w/ !ruby/hash through custom :[]= methods" do
+        backdoor = YAML.load("--- !ruby/hash:ExploitableBackDoor\nfoo: bar\n")
+        backdoor.should be_exploited_through_setter
+      end
+    end
+
+    if RUBY_VERSION >= "1.9.2"
+      it "allows exploits through objects defined in YAML w/ !ruby/object through" do
+        backdoor = YAML.load("--- !ruby/object:ExploitableBackDoor\nfoo: bar\n")
+        backdoor.should be_exploited_through_init_with
       end
     end
 
-    it "allows exploits through objects defined in YAML w/ !ruby/object" do
-      YAML.load "--- !ruby/object:ExploitableBackDoor\nfoo: bar\n"
-      ExploitableBackDoor.should be_exploited
+    it "allows exploits through objects w/ sensitive instance variables defined in YAML w/ !ruby/object" do
+      backdoor = YAML.load("--- !ruby/object:ExploitableBackDoor\nfoo: bar\n")
+      backdoor.should be_exploited_through_ivars
     end
   end
 
   describe "safe_load" do
-    it "does NOT allow exploits through objects defined in YAML w/ !ruby/object" do
-      YAML.safe_load "--- !ruby/object:ExploitableBackDoor\nfoo: bar\n"
-      ExploitableBackDoor.should_not be_exploited
+    it "does NOT allow exploits through objects defined in YAML w/ !ruby/hash" do
+      object = YAML.safe_load("--- !ruby/hash:ExploitableBackDoor\nfoo: bar\n")
+      object.should_not be_a(ExploitableBackDoor)
     end
 
-    it "does NOT allow exploits through objects defined in YAML w/ !ruby/hash" do
-      YAML.safe_load "--- !ruby/hash:ExploitableBackDoor\nfoo: bar\n"
-      ExploitableBackDoor.should_not be_exploited
+    it "does NOT allow exploits through objects defined in YAML w/ !ruby/object" do
+      object = YAML.safe_load("--- !ruby/object:ExploitableBackDoor\nfoo: bar\n")
+      object.should_not be_a(ExploitableBackDoor)
     end
 
     it "loads a plain ol' YAML document just fine" do
@@ -53,5 +56,48 @@ describe YAML do
         }
       }
     end
+
+    it "works for YAML documents with anchors and aliases" do
+      result = YAML.safe_load <<-YAML
+        - &id001 {}
+        - *id001
+        - *id001
+      YAML
+
+      result.should == [{}, {}, {}]
+    end
+
+    it "works for YAML documents with sections" do
+      result = YAML.safe_load <<-YAML
+        mysql: &foo
+          adapter: mysql
+          pool: 30
+        login: &login
+          username: dan
+          password: gobbledygook
+        local: &local
+          <<: *foo
+          <<: *login
+          host: localhost
+      YAML
+
+      result.should == {
+        "mysql" => {
+          "adapter" => "mysql",
+          "pool"    => 30
+        },
+        "login" => {
+          "username" => "dan",
+          "password" => "gobbledygook"
+        },
+        "local" => {
+          "adapter"  => "mysql",
+          "pool"     => 30,
+          "username" => "dan",
+          "password" => "gobbledygook",
+          "host"     => "localhost"
+        }
+      }
+    end
   end
 end

data/spec/shared_specs.rb

@@ -0,0 +1,125 @@
+require File.join(File.dirname(__FILE__), "spec_helper")
+
+require "safe_yaml/transform"
+
+module SharedSpecs
+  def self.included(base)
+    base.instance_eval do
+      it "translates most values to strings" do
+        parse "key: value"
+        result.should == { "key" => "value" }
+      end
+
+      it "translates values starting with ':' to symbols" do
+        parse ":key: value"
+        result.should == { :key => "value" }
+      end
+
+      it "translates valid integral numbers to integers" do
+        parse "integer: 1"
+        result.should == { "integer" => 1 }
+      end
+
+      it "translates valid decimal numbers to floats" do
+        parse "float: 3.14"
+        result.should == { "float" => 3.14 }
+      end
+
+      it "translates valid true/false values to booleans" do
+        parse <<-YAML
+          - yes
+          - true
+          - no
+          - false
+        YAML
+
+        result.should == [true, true, false, false]
+      end
+
+      it "translates valid nulls to nil" do
+        parse <<-YAML
+          - 
+          - ~
+          - null
+        YAML
+
+        result.should == [nil] * 3
+      end
+
+      it "applies the same transformations to values as to keys" do
+        parse <<-YAML
+          string: value
+          symbol: :value
+          integer: 1
+          float: 3.14
+        YAML
+
+        result.should == {
+          "string" => "value",
+          "symbol" => :value,
+          "integer" => 1,
+          "float" => 3.14
+        }
+      end
+
+      it "translates sequences to arrays" do
+        parse <<-YAML
+          - foo
+          - bar
+          - baz
+        YAML
+
+        result.should == ["foo", "bar", "baz"]
+      end
+
+      it "applies the same transformations to elements in sequences as to all values" do
+        parse <<-YAML
+          - string
+          - :symbol
+          - 1
+          - 3.14
+        YAML
+
+        result.should == ["string", :symbol, 1, 3.14]
+      end
+
+      it "translates maps to hashes" do
+        parse <<-YAML
+          foo: blah
+          bar: glah
+          baz: flah
+        YAML
+
+        result.should == {
+          "foo" => "blah",
+          "bar" => "glah",
+          "baz" => "flah"
+        }
+      end
+
+      it "applies the same transformations to values in hashes as to all values" do
+        parse <<-YAML
+          foo: :symbol
+          bar: 1
+          baz: 3.14
+        YAML
+
+        result.should == {
+          "foo" => :symbol,
+          "bar" => 1,
+          "baz" => 3.14
+        }
+      end
+
+      it "deals just fine with nested maps" do
+        parse <<-YAML
+          foo:
+            bar:
+              marco: polo
+        YAML
+
+        result.should == { "foo" => { "bar" => { "marco" => "polo" } } }
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -5,3 +5,6 @@ $LOAD_PATH << File.join(ROOT, "lib")
 $LOAD_PATH << File.join(HERE, "support")
 
 require "heredoc_unindent"
+require "pry"
+
+require File.join(HERE, "shared_specs")

data/spec/support/exploitable_back_door.rb

@@ -1,23 +1,29 @@
 class ExploitableBackDoor
-  @@exploited = false
+  def exploited?
+    @exploited_through_setter || @exploited_through_init_with || @exploited_through_ivars
+  end
+
+  def exploited_through_setter?
+    @exploited_through_setter
+  end
 
-  def self.exploited?
-    @@exploited
+  def exploited_through_init_with?
+    @exploited_through_init_with
   end
 
-  def self.reset
-    @@exploited = false
+  def exploited_through_ivars?
+    self.instance_variables.any?
   end
 
   def init_with(command)
     # Note: this is how bad this COULD be.
     # system("#{command}")
-    @@exploited = true
+    @exploited_through_init_with = true
   end
 
   def []=(command, arguments)
     # Note: this is how bad this COULD be.
     # system("#{command} #{arguments}")
-    @@exploited = true
+    @exploited_through_setter = true
   end
 end

data/spec/syck_resolver_spec.rb

@@ -0,0 +1,17 @@
+require File.join(File.dirname(__FILE__), "spec_helper")
+
+if RUBY_VERSION < "1.9.2"
+  require "safe_yaml/syck_resolver"
+
+  describe SafeYAML::SyckResolver do
+    let(:resolver) { SafeYAML::SyckResolver.new }
+    let(:result) { @result }
+
+    def parse(yaml)
+      tree = YAML.parse(yaml.unindent)
+      @result = resolver.resolve_tree(tree)
+    end
+
+    include SharedSpecs
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: safe_yaml
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: '0.3'
   prerelease: 
 platform: ruby
 authors:
@@ -9,10 +9,9 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-01-17 00:00:00.000000000 Z
+date: 2013-01-18 00:00:00.000000000 Z
 dependencies: []
-description: Parse (simple) YAML safely, without that pesky arbitrary code execution
-  vulnerability.
+description: Parse YAML safely, without that pesky arbitrary code execution vulnerability.
 email: daniel.tao@gmail.com
 executables: []
 extensions: []
@@ -24,14 +23,18 @@ files:
 - README.md
 - Rakefile
 - lib/safe_yaml.rb
-- lib/safe_yaml/handler.rb
+- lib/safe_yaml/psych_handler.rb
+- lib/safe_yaml/syck_resolver.rb
+- lib/safe_yaml/transform.rb
 - lib/safe_yaml/version.rb
 - safe_yaml.gemspec
-- spec/handler_spec.rb
+- spec/psych_handler_spec.rb
 - spec/safe_yaml_spec.rb
+- spec/shared_specs.rb
 - spec/spec_helper.rb
 - spec/support/exploitable_back_door.rb
-homepage: http://dtao.github.com/safe_yaml/
+- spec/syck_resolver_spec.rb
+homepage: http://github.com/dtao/safe_yaml
 licenses: []
 post_install_message: 
 rdoc_options: []
@@ -42,7 +45,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
-      version: 1.9.2
+      version: 1.8.7
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -57,7 +60,9 @@ specification_version: 3
 summary: SameYAML adds a ::safe_load method to Ruby's built-in YAML module to parse
   YAML data for only basic types (strings, symbols, numbers, arrays, and hashes).
 test_files:
-- spec/handler_spec.rb
+- spec/psych_handler_spec.rb
 - spec/safe_yaml_spec.rb
+- spec/shared_specs.rb
 - spec/spec_helper.rb
 - spec/support/exploitable_back_door.rb
+- spec/syck_resolver_spec.rb

data/spec/handler_spec.rb

@@ -1,172 +0,0 @@
-require File.join(File.dirname(__FILE__), "spec_helper")
-
-require "safe_yaml/handler"
-
-describe SafeYAML::Handler do
-  let(:handler) { SafeYAML::Handler.new }
-  let(:parser) { Psych::Parser.new(handler) }
-  let(:result) { handler.result }
-
-  def parse(yaml)
-    parser.parse(yaml.unindent)
-  end
-
-  it "translates most values to strings" do
-    parser.parse "key: value"
-    result.should == { "key" => "value" }
-  end
-
-  it "translates values starting with ':' to symbols" do
-    parser.parse ":key: value"
-    result.should == { :key => "value" }
-  end
-
-  it "translates valid integral numbers to integers" do
-    parser.parse "integer: 1"
-    result.should == { "integer" => 1 }
-  end
-
-  it "translates valid decimal numbers to floats" do
-    parser.parse "float: 3.14"
-    result.should == { "float" => 3.14 }
-  end
-
-  it "translates valid true/false values to booleans" do
-    parser.parse <<-YAML
-      - yes
-      - true
-      - no
-      - false
-    YAML
-
-    result.should == [true, true, false, false]
-  end
-
-  it "translates valid nulls to nil" do
-    parser.parse <<-YAML
-      - 
-      - ~
-      - null
-    YAML
-
-    result.should == [nil] * 3
-  end
-
-  it "applies the same transformations to values as to keys" do
-    parse <<-YAML
-      string: value
-      symbol: :value
-      integer: 1
-      float: 3.14
-    YAML
-
-    result.should == {
-      "string" => "value",
-      "symbol" => :value,
-      "integer" => 1,
-      "float" => 3.14
-    }
-  end
-
-  it "translates sequences to arrays" do
-    parse <<-YAML
-      - foo
-      - bar
-      - baz
-    YAML
-
-    result.should == ["foo", "bar", "baz"]
-  end
-
-  it "applies the same transformations to elements in sequences as to all values" do
-    parse <<-YAML
-      - string
-      - :symbol
-      - 1
-      - 3.14
-    YAML
-
-    result.should == ["string", :symbol, 1, 3.14]
-  end
-
-  it "translates maps to hashes" do
-    parse <<-YAML
-      foo: blah
-      bar: glah
-      baz: flah
-    YAML
-
-    result.should == {
-      "foo" => "blah",
-      "bar" => "glah",
-      "baz" => "flah"
-    }
-  end
-
-  it "applies the same transformations to values in hashes as to all values" do
-    parse <<-YAML
-      foo: :symbol
-      bar: 1
-      baz: 3.14
-    YAML
-
-    result.should == {
-      "foo" => :symbol,
-      "bar" => 1,
-      "baz" => 3.14
-    }
-  end
-
-  it "deals just fine with nested maps" do
-    parse <<-YAML
-      foo:
-        bar:
-          marco: polo
-    YAML
-
-    result.should == { "foo" => { "bar" => { "marco" => "polo" } } }
-  end
-
-  it "deals just fine with aliases and anchors" do
-    parse <<-YAML
-      - &id001 {}
-      - *id001
-      - *id001
-    YAML
-
-    result.should == [{}, {}, {}]
-  end
-
-  it "deals just fine with sections" do
-    parse <<-YAML
-      mysql: &mysql
-        adapter: mysql
-        pool: 30
-      login: &login
-        username: dan
-        password: gobbledygook
-      local: &local
-        <<: *mysql
-        <<: *login
-        host: localhost
-    YAML
-
-    result.should == {
-      "mysql" => {
-        "adapter" => "mysql",
-        "pool"    => 30
-      },
-      "login" => {
-        "username" => "dan",
-        "password" => "gobbledygook"
-      },
-      "local" => {
-        "adapter"  => "mysql",
-        "pool"     => 30,
-        "username" => "dan",
-        "password" => "gobbledygook",
-        "host"     => "localhost"
-      }
-    }
-  end
-end