safe_yaml 0.3 → 0.4

data/Gemfile

@@ -4,7 +4,6 @@ gemspec
 
 group :development do
   gem "heredoc_unindent"
-  gem "pry"
   gem "rake"
   gem "rspec"
 end

data/Gemfile.lock

@@ -1,19 +1,13 @@
 PATH
   remote: .
   specs:
-    safe_yaml (0.2.2)
+    safe_yaml (0.3)
 
 GEM
   remote: http://rubygems.org/
   specs:
-    coderay (1.0.8)
     diff-lcs (1.1.3)
     heredoc_unindent (1.1.2)
-    method_source (0.8.1)
-    pry (0.9.11.2)
-      coderay (~> 1.0.5)
-      method_source (~> 0.8)
-      slop (~> 3.4)
     rake (10.0.3)
     rspec (2.12.0)
       rspec-core (~> 2.12.0)
@@ -23,14 +17,12 @@ GEM
     rspec-expectations (2.12.1)
       diff-lcs (~> 1.1.3)
     rspec-mocks (2.12.1)
-    slop (3.4.3)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
   heredoc_unindent
-  pry
   rake
   rspec
   safe_yaml!

data/README.md

@@ -1,41 +1,84 @@
 SafeYAML
 ========
 
-*Parse YAML safely, without that pesky arbitrary code execution vulnerability.*
+The **SafeYAML** gem provides an alternative implementation of `YAML.load` suitable for accepting user input in Ruby applications. Unlike Ruby's built-in implementation of `YAML.load`, SafeYAML's version will not expose apps to arbitrary code execution exploits (such as [the one recently discovered in Rails](http://www.reddit.com/r/netsec/comments/167c11/serious_vulnerability_in_ruby_on_rails_allowing/)).
 
-***
+Installation
+------------
 
-The **safe_yaml** gem offers an alternative to `YAML.load` suitable for accepting user input. Unlike `YAML.load`, `YAML.safe_load` will *not* expose your Ruby app to arbitrary code execution exploits (such as [the one recently discovered in Rails](http://www.reddit.com/r/netsec/comments/167c11/serious_vulnerability_in_ruby_on_rails_allowing/)).
+Add this line to your application's Gemfile:
 
-Observe!
+    gem "safe_yaml"
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install safe_yaml
+
+Usage
+-----
+
+Suppose your application were to contain some code like this:
 
 ```ruby
-class ExploitableMap
+class ExploitableClassBuilder
   def []=(key, value)
-    self.class.class_eval <<-EOS
+    @class ||= Class.new
+
+    @class.class_eval <<-EOS
       def #{key}
-        return "#{value}"
+        #{value}
       end
     EOS
   end
+
+  def create
+    @class.new
+  end
 end
 ```
 
-If your application were to contain code like this and use `YAML.load` anywhere on user input, an attacker could craft a YAML string to execute any code (yes, including `system("unix command")`) on your servers:
+Now, if you were to use `YAML.load` on user input anywhere in your application without the SafeYAML gem installed, an attacker could make a request with a carefully-crafted YAML string to execute arbitrary code (yes, including `system("unix command")`) on your servers.
+
+Observe:
 
     > yaml = <<-EOYAML
-    > --- !ruby/hash:ExploitableMap
+    > --- !ruby/hash:ExploitableClassBuilder
     > "foo; end; puts %(I'm in yr system!); def bar": "baz"
     > EOYAML
-    => "--- !ruby/hash:ExploitableMap\n\"foo; end; puts %(I'm in yr system!); def bar\": \"baz\"\n"
+    => "--- !ruby/hash:ExploitableClassBuilder\n\"foo; end; puts %(I'm in yr system!); def bar\": \"baz\"\n"
     
     > YAML.load(yaml)
     I'm in yr system!
-    => #<ExploitableMap:0x007ffadca0ca10> 
+    => #<ExploitableClassBuilder:0x007fdbbe2e25d8 @class=#<Class:0x007fdbbe2e2510>>
 
 With `YAML.safe_load`, that attacker would be thwarted:
 
-    > YAML.safe_load(yaml)
-    => {"foo; end; puts %(I'm in yr system!); def bar"=>"baz"} 
+    > require "safe_yaml"
+    => true
+    > YAML.load(yaml)
+    => {"foo; end; puts %(I'm in yr system!); def bar"=>"baz"}
+
+Notes
+-----
+
+The way that SafeYAML works is by restricting the kinds of objects that can be deserialized via `YAML.load`. More specifically, only the following types of objects can be deserialized by default:
+
+- Hashes
+- Arrays
+- Strings
+- Numbers
+- Booleans
+- Nils
+
+Additionally, symbols will also be deserialized if the `YAML.enable_symbol_parsing` option is set to `true`.
+
+For scenarios where the data to be parsed is from a trusted source and it is still desirable to deserialize arbitrary Ruby objects, the original implementation of `YAML.load` is available as `YAML.orig_load`.
+
+Requirements
+------------
 
 SafeYAML requires Ruby 1.8.7 or newer and works with both [Syck](http://www.ruby-doc.org/stdlib-1.8.7/libdoc/yaml/rdoc/YAML.html) and [Psych](http://github.com/tenderlove/psych).

data/Rakefile

@@ -2,5 +2,5 @@ require "rspec/core/rake_task"
 
 desc "Run specs"
 RSpec::Core::RakeTask.new(:spec) do |t|
-  t.rspec_opts = %w(--color --format d)
+  t.rspec_opts = %w(--color)
 end

data/lib/safe_yaml.rb

@@ -3,7 +3,20 @@ require "safe_yaml/transform"
 require "safe_yaml/version"
 
 module YAML
-  if RUBY_VERSION >= "1.9.2"
+  if RUBY_VERSION >= "1.9.3"
+    require "safe_yaml/psych_handler"
+    def self.safe_load(yaml, filename=nil)
+      safe_handler = SafeYAML::PsychHandler.new
+      Psych::Parser.new(safe_handler).parse(yaml, filename)
+      return safe_handler.result
+    end
+
+    def self.orig_load_file(filename)
+      # https://github.com/tenderlove/psych/blob/master/lib/psych.rb#L298-300
+      File.open(filename, 'r:bom|utf-8') { |f| self.orig_load f, filename }
+    end
+
+  elsif RUBY_VERSION == "1.9.2"
     require "safe_yaml/psych_handler"
     def self.safe_load(yaml)
       safe_handler = SafeYAML::PsychHandler.new
@@ -11,12 +24,35 @@ module YAML
       return safe_handler.result
     end
 
+    def self.orig_load_file(filename)
+      # https://github.com/tenderlove/psych/blob/master/lib/psych.rb#L298-300
+      File.open(filename, 'r:bom|utf-8') { |f| self.orig_load f }
+    end
+
   else
     require "safe_yaml/syck_resolver"
     def self.safe_load(yaml)
       safe_resolver = SafeYAML::SyckResolver.new
       tree = YAML.parse(yaml)
-      return safe_resolver.resolve_tree(tree)
+      return safe_resolver.resolve_node(tree)
+    end
+
+    def self.orig_load_file(filename)
+      # https://github.com/indeyets/syck/blob/master/ext/ruby/lib/yaml.rb#L133-135
+      File.open(filename) { |f| self.orig_load f }
+    end
+  end
+
+  class << self
+    alias_method :orig_load, :load
+    alias_method :load, :safe_load
+
+    def enable_symbol_parsing
+      SafeYAML::Transform::OPTIONS[:enable_symbol_parsing]
+    end
+
+    def enable_symbol_parsing=(value)
+      SafeYAML::Transform::OPTIONS[:enable_symbol_parsing] = value
     end
   end
 end

data/lib/safe_yaml/syck_resolver.rb

@@ -1,20 +1,5 @@
 module SafeYAML
   class SyckResolver
-    def initialize
-      @anchors = {}
-    end
-
-    def resolve_tree(tree)
-      case tree.kind
-      when :map
-        return resolve_map(tree.value)
-      when :seq
-        return resolve_seq(tree.value)
-      else
-        raise "Don't know how to resolve a #{tree.kind} tree!"
-      end
-    end
-
     def resolve_node(node)
       case node.kind
       when :map
@@ -23,6 +8,8 @@ module SafeYAML
         return resolve_seq(node.value)
       when :scalar
         return resolve_scalar(node.value)
+      else
+        raise "Don't know how to resolve a '#{node.kind}' node!"
       end
     end
 

data/lib/safe_yaml/transform.rb

@@ -1,5 +1,9 @@
 module SafeYAML
   class Transform
+    OPTIONS = {
+      :enable_symbol_parsing => false
+    }
+
     PREDEFINED_VALUES = {
       ""      => nil,
       "~"     => nil,
@@ -12,18 +16,24 @@ module SafeYAML
       "false" => false
     }.freeze
 
+    SYMBOL_MATCHER = /^:\w+$/.freeze
+
+    INTEGER_MATCHER = /^\d+$/.freeze
+
+    FLOAT_MATCHER = /^(?:\d+(?:\.\d*)?$)|(?:^\.\d+$)/.freeze
+
     def self.to_proper_type(value)
       if value.is_a?(String)
         if PREDEFINED_VALUES.include?(value.downcase)
           return PREDEFINED_VALUES[value.downcase]
 
-        elsif value.match(/^:\w+$/)
+        elsif OPTIONS[:enable_symbol_parsing] && value.match(SYMBOL_MATCHER)
           return value[1..-1].to_sym
 
-        elsif value.match(/^\d+$/)
+        elsif value.match(INTEGER_MATCHER)
           return value.to_i
 
-        elsif value.match(/^\d+(?:\.\d*)?$/) || value.match(/^\.\d+$/)
+        elsif value.match(FLOAT_MATCHER)
           return value.to_f
         end
       end

data/lib/safe_yaml/version.rb

@@ -1,3 +1,3 @@
 module SafeYAML
-  VERSION = "0.3"
+  VERSION = "0.4"
 end

data/run_specs_all_ruby_versions.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+[[ -s "$HOME/.rvm/scripts/rvm" ]] && . "$HOME/.rvm/scripts/rvm"
+
+rvm use 1.8.7@safe_yaml
+rake spec
+
+rvm use 1.9.2@safe_yaml
+rake spec
+
+rvm use 1.9.3@safe_yaml
+rake spec

data/safe_yaml.gemspec

@@ -7,7 +7,7 @@ Gem::Specification.new do |gem|
   gem.authors       = "Dan Tao"
   gem.email         = "daniel.tao@gmail.com"
   gem.description   = %q{Parse YAML safely, without that pesky arbitrary code execution vulnerability.}
-  gem.summary       = %q{SameYAML adds a ::safe_load method to Ruby's built-in YAML module to parse YAML data for only basic types (strings, symbols, numbers, arrays, and hashes).}
+  gem.summary       = %q{SameYAML provides an alternative implementation of YAML.load suitable for accepting user input in Ruby applications.}
   gem.homepage      = "http://github.com/dtao/safe_yaml"
 
   gem.files         = `git ls-files`.split($\)

data/spec/exploit.1.9.2.yaml

@@ -0,0 +1,2 @@
+--- !ruby/object:ExploitableBackDoor
+foo: bar

data/spec/exploit.1.9.3.yaml

@@ -0,0 +1,2 @@
+--- !ruby/hash:ExploitableBackDoor
+foo: bar

data/spec/safe_yaml_spec.rb

@@ -4,40 +4,44 @@ require "safe_yaml"
 require "exploitable_back_door"
 
 describe YAML do
-  describe "load" do
+  before :each do
+    YAML.enable_symbol_parsing = false
+  end
+
+  describe "orig_load" do
     if RUBY_VERSION >= "1.9.3"
-      it "allows exploits through objects defined in YAML w/ !ruby/hash through custom :[]= methods" do
-        backdoor = YAML.load("--- !ruby/hash:ExploitableBackDoor\nfoo: bar\n")
+      it "allows exploits through objects defined in YAML w/ !ruby/hash via custom :[]= methods" do
+        backdoor = YAML.orig_load("--- !ruby/hash:ExploitableBackDoor\nfoo: bar\n")
         backdoor.should be_exploited_through_setter
       end
     end
 
     if RUBY_VERSION >= "1.9.2"
-      it "allows exploits through objects defined in YAML w/ !ruby/object through" do
-        backdoor = YAML.load("--- !ruby/object:ExploitableBackDoor\nfoo: bar\n")
+      it "allows exploits through objects defined in YAML w/ !ruby/object via the :init_with method" do
+        backdoor = YAML.orig_load("--- !ruby/object:ExploitableBackDoor\nfoo: bar\n")
         backdoor.should be_exploited_through_init_with
       end
     end
 
     it "allows exploits through objects w/ sensitive instance variables defined in YAML w/ !ruby/object" do
-      backdoor = YAML.load("--- !ruby/object:ExploitableBackDoor\nfoo: bar\n")
+      backdoor = YAML.orig_load("--- !ruby/object:ExploitableBackDoor\nfoo: bar\n")
       backdoor.should be_exploited_through_ivars
     end
   end
 
-  describe "safe_load" do
+  describe "load" do
     it "does NOT allow exploits through objects defined in YAML w/ !ruby/hash" do
-      object = YAML.safe_load("--- !ruby/hash:ExploitableBackDoor\nfoo: bar\n")
+      object = YAML.load("--- !ruby/hash:ExploitableBackDoor\nfoo: bar\n")
       object.should_not be_a(ExploitableBackDoor)
     end
 
     it "does NOT allow exploits through objects defined in YAML w/ !ruby/object" do
-      object = YAML.safe_load("--- !ruby/object:ExploitableBackDoor\nfoo: bar\n")
+      object = YAML.load("--- !ruby/object:ExploitableBackDoor\nfoo: bar\n")
       object.should_not be_a(ExploitableBackDoor)
     end
 
     it "loads a plain ol' YAML document just fine" do
-      result = YAML.safe_load <<-YAML.unindent
+      result = YAML.load <<-YAML.unindent
         foo:
           number: 1
           string: Hello, there!
@@ -51,14 +55,14 @@ describe YAML do
         "foo" => {
           "number" => 1,
           "string" => "Hello, there!",
-          "symbol" => :blah,
+          "symbol" => ":blah",
           "sequence" => ["hi", "bye"]
         }
       }
     end
 
     it "works for YAML documents with anchors and aliases" do
-      result = YAML.safe_load <<-YAML
+      result = YAML.load <<-YAML
         - &id001 {}
         - *id001
         - *id001
@@ -68,15 +72,15 @@ describe YAML do
     end
 
     it "works for YAML documents with sections" do
-      result = YAML.safe_load <<-YAML
-        mysql: &foo
+      result = YAML.load <<-YAML
+        mysql: &mysql
           adapter: mysql
           pool: 30
         login: &login
-          username: dan
-          password: gobbledygook
-        local: &local
-          <<: *foo
+          username: user
+          password: password123
+        development: &development
+          <<: *mysql
           <<: *login
           host: localhost
       YAML
@@ -87,17 +91,50 @@ describe YAML do
           "pool"    => 30
         },
         "login" => {
-          "username" => "dan",
-          "password" => "gobbledygook"
+          "username" => "user",
+          "password" => "password123"
         },
-        "local" => {
+        "development" => {
           "adapter"  => "mysql",
           "pool"     => 30,
-          "username" => "dan",
-          "password" => "gobbledygook",
+          "username" => "user",
+          "password" => "password123",
           "host"     => "localhost"
         }
       }
     end
   end
+
+  describe "orig_load_file" do
+    if RUBY_VERSION >= "1.9.3"
+      it "allows exploits through objects defined in YAML w/ !ruby/hash via custom :[]= methods" do
+        backdoor = YAML.orig_load_file "spec/exploit.1.9.3.yaml"
+        backdoor.should be_exploited_through_setter
+      end
+    end
+
+    if RUBY_VERSION >= "1.9.2"
+      it "allows exploits through objects defined in YAML w/ !ruby/object via the :init_with method" do
+        backdoor = YAML.orig_load_file "spec/exploit.1.9.2.yaml"
+        backdoor.should be_exploited_through_init_with
+      end
+    end
+
+    it "allows exploits through objects w/ sensitive instance variables defined in YAML w/ !ruby/object" do
+      backdoor = YAML.orig_load_file "spec/exploit.1.9.2.yaml"
+      backdoor.should be_exploited_through_ivars
+    end
+  end
+
+  describe "load_file" do
+    it "does NOT allow exploits through objects defined in YAML w/ !ruby/hash" do
+      object = YAML.load_file "spec/exploit.1.9.3.yaml"
+      object.should_not be_a(ExploitableBackDoor)
+    end
+
+    it "does NOT allow exploits through objects defined in YAML w/ !ruby/object" do
+      object = YAML.load_file "spec/exploit.1.9.2.yaml"
+      object.should_not be_a(ExploitableBackDoor)
+    end
+  end
 end

data/spec/shared_specs.rb

@@ -5,120 +5,158 @@ require "safe_yaml/transform"
 module SharedSpecs
   def self.included(base)
     base.instance_eval do
-      it "translates most values to strings" do
-        parse "key: value"
-        result.should == { "key" => "value" }
+      context "by default" do
+        it "translates maps to hashes" do
+          parse <<-YAML
+            potayto: potahto
+            tomayto: tomahto
+          YAML
+
+          result.should == {
+            "potayto" => "potahto",
+            "tomayto" => "tomahto"
+          }
+        end
+
+        it "translates most values to strings" do
+          parse "string: value"
+          result.should == { "string" => "value" }
+        end
+
+        it "does not deserialize symbols" do
+          parse ":symbol: value"
+          result.should == { ":symbol" => "value" }
+        end
+
+        it "translates valid integral numbers to integers" do
+          parse "integer: 1"
+          result.should == { "integer" => 1 }
+        end
+
+        it "translates valid decimal numbers to floats" do
+          parse "float: 3.14"
+          result.should == { "float" => 3.14 }
+        end
+
+        it "translates sequences to arrays" do
+          parse <<-YAML
+            - foo
+            - bar
+            - baz
+          YAML
+
+          result.should == ["foo", "bar", "baz"]
+        end
+
+        it "translates valid true/false values to booleans" do
+          parse <<-YAML
+            - yes
+            - true
+            - no
+            - false
+          YAML
+
+          result.should == [true, true, false, false]
+        end
+
+        it "translates valid nulls to nil" do
+          parse <<-YAML
+            - 
+            - ~
+            - null
+          YAML
+
+          result.should == [nil] * 3
+        end
+
+        it "applies the same transformations to keys as to values" do
+          parse <<-YAML
+            foo: string
+            :bar: symbol
+            1: integer
+            3.14: float
+          YAML
+
+          result.should == {
+            "foo"  => "string",
+            ":bar" => "symbol",
+            1      => "integer",
+            3.14   => "float"
+          }
+        end
+
+        it "applies the same transformations to elements in sequences as to all values" do
+          parse <<-YAML
+            - foo
+            - :bar
+            - 1
+            - 3.14
+          YAML
+
+          result.should == ["foo", ":bar", 1, 3.14]
+        end
+
+        it "deals just fine with nested maps" do
+          parse <<-YAML
+            foo:
+              bar:
+                marco: polo
+          YAML
+
+          result.should == { "foo" => { "bar" => { "marco" => "polo" } } }
+        end
+
+        it "deals just fine with nested sequences" do
+          parse <<-YAML
+            - foo
+            -
+              - bar1
+              - bar2
+              -
+                - baz1
+                - baz2
+          YAML
+
+          result.should == ["foo", ["bar1", "bar2", ["baz1", "baz2"]]]
+        end
       end
 
-      it "translates values starting with ':' to symbols" do
-        parse ":key: value"
-        result.should == { :key => "value" }
-      end
-
-      it "translates valid integral numbers to integers" do
-        parse "integer: 1"
-        result.should == { "integer" => 1 }
-      end
-
-      it "translates valid decimal numbers to floats" do
-        parse "float: 3.14"
-        result.should == { "float" => 3.14 }
-      end
-
-      it "translates valid true/false values to booleans" do
-        parse <<-YAML
-          - yes
-          - true
-          - no
-          - false
-        YAML
-
-        result.should == [true, true, false, false]
-      end
-
-      it "translates valid nulls to nil" do
-        parse <<-YAML
-          - 
-          - ~
-          - null
-        YAML
-
-        result.should == [nil] * 3
-      end
-
-      it "applies the same transformations to values as to keys" do
-        parse <<-YAML
-          string: value
-          symbol: :value
-          integer: 1
-          float: 3.14
-        YAML
-
-        result.should == {
-          "string" => "value",
-          "symbol" => :value,
-          "integer" => 1,
-          "float" => 3.14
-        }
-      end
-
-      it "translates sequences to arrays" do
-        parse <<-YAML
-          - foo
-          - bar
-          - baz
-        YAML
-
-        result.should == ["foo", "bar", "baz"]
-      end
-
-      it "applies the same transformations to elements in sequences as to all values" do
-        parse <<-YAML
-          - string
-          - :symbol
-          - 1
-          - 3.14
-        YAML
-
-        result.should == ["string", :symbol, 1, 3.14]
-      end
-
-      it "translates maps to hashes" do
-        parse <<-YAML
-          foo: blah
-          bar: glah
-          baz: flah
-        YAML
-
-        result.should == {
-          "foo" => "blah",
-          "bar" => "glah",
-          "baz" => "flah"
-        }
-      end
-
-      it "applies the same transformations to values in hashes as to all values" do
-        parse <<-YAML
-          foo: :symbol
-          bar: 1
-          baz: 3.14
-        YAML
-
-        result.should == {
-          "foo" => :symbol,
-          "bar" => 1,
-          "baz" => 3.14
-        }
-      end
-
-      it "deals just fine with nested maps" do
-        parse <<-YAML
-          foo:
-            bar:
-              marco: polo
-        YAML
-
-        result.should == { "foo" => { "bar" => { "marco" => "polo" } } }
+      context "with symbol parsing enabled" do
+        before :each do
+          YAML.enable_symbol_parsing = true
+        end
+
+        it "translates values starting with ':' to symbols" do
+          parse "symbol: :value"
+          result.should == { "symbol" => :value }
+        end
+
+        it "applies the same transformations to keys as to values" do
+          parse <<-YAML
+            foo: string
+            :bar: symbol
+            1: integer
+            3.14: float
+          YAML
+
+          result.should == {
+            "foo" => "string",
+            :bar  => "symbol",
+            1     => "integer",
+            3.14  => "float"
+          }
+        end
+
+        it "applies the same transformations to elements in sequences as to all values" do
+          parse <<-YAML
+            - foo
+            - :bar
+            - 1
+            - 3.14
+          YAML
+
+          result.should == ["foo", :bar, 1, 3.14]
+        end
       end
     end
   end

data/spec/spec_helper.rb

@@ -5,6 +5,5 @@ $LOAD_PATH << File.join(ROOT, "lib")
 $LOAD_PATH << File.join(HERE, "support")
 
 require "heredoc_unindent"
-require "pry"
 
 require File.join(HERE, "shared_specs")

data/spec/syck_resolver_spec.rb

@@ -9,7 +9,7 @@ if RUBY_VERSION < "1.9.2"
 
     def parse(yaml)
       tree = YAML.parse(yaml.unindent)
-      @result = resolver.resolve_tree(tree)
+      @result = resolver.resolve_node(tree)
     end
 
     include SharedSpecs

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: safe_yaml
 version: !ruby/object:Gem::Version
-  version: '0.3'
+  version: '0.4'
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-01-18 00:00:00.000000000 Z
+date: 2013-01-23 00:00:00.000000000 Z
 dependencies: []
 description: Parse YAML safely, without that pesky arbitrary code execution vulnerability.
 email: daniel.tao@gmail.com
@@ -27,7 +27,10 @@ files:
 - lib/safe_yaml/syck_resolver.rb
 - lib/safe_yaml/transform.rb
 - lib/safe_yaml/version.rb
+- run_specs_all_ruby_versions.sh
 - safe_yaml.gemspec
+- spec/exploit.1.9.2.yaml
+- spec/exploit.1.9.3.yaml
 - spec/psych_handler_spec.rb
 - spec/safe_yaml_spec.rb
 - spec/shared_specs.rb
@@ -57,9 +60,11 @@ rubyforge_project:
 rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
-summary: SameYAML adds a ::safe_load method to Ruby's built-in YAML module to parse
-  YAML data for only basic types (strings, symbols, numbers, arrays, and hashes).
+summary: SameYAML provides an alternative implementation of YAML.load suitable for
+  accepting user input in Ruby applications.
 test_files:
+- spec/exploit.1.9.2.yaml
+- spec/exploit.1.9.3.yaml
 - spec/psych_handler_spec.rb
 - spec/safe_yaml_spec.rb
 - spec/shared_specs.rb