safe_yaml 0.4 → 0.5
- data/Gemfile.lock +1 -1
- data/README.md +1 -0
- data/lib/safe_yaml/transform.rb +6 -0
- data/lib/safe_yaml/version.rb +1 -1
- data/lib/safe_yaml.rb +2 -2
- data/safe_yaml.gemspec +1 -1
- data/spec/shared_specs.rb +23 -12
- metadata +3 -3
data/Gemfile.lock
CHANGED
data/README.md
CHANGED
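--- a/data/lib/safe_yaml/transform.rb
+++ b/data/lib/safe_yaml/transform.rb
@@ -22,6 +22,8 @@ module SafeYAML
 
 FLOAT_MATCHER = /^(?:\d+(?:\.\d*)?$)|(?:^\.\d+$)/.freeze
 
+DATE_MATCHER = /^\d{4}\-\d{2}\-\d{2}$/.freeze
+
 def self.to_proper_type(value)
 if value.is_a?(String)
 if PREDEFINED_VALUES.include?(value.downcase)
@@ -35,6 +37,10 @@ module SafeYAML
 
 elsif value.match(FLOAT_MATCHER)
 return value.to_f
+
+elsif value.match(DATE_MATCHER)
+date = Date.parse(value) rescue nil
+return date if date
 end
 end
 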
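Review bot: `DATE_MATCHER` on new line 25 is anchored with `^`/`$`, which in Ruby match at line boundaries rather than string ends, so a multi-line scalar such as `"2013-01-24\nanything"` satisfies the match and is then handed to `Date.parse`, which is lenient and will most likely return a date while silently discarding the remainder of the value; `\A`/`\z` close that gap: `DATE_MATCHER = /\A\d{4}-\d{2}-\d{2}\z/.freeze`. On new lines 42–43, `Date.parse(value) rescue nil` swallows every StandardError, yet the regex already fixes the shape, so the only expected failure is an impossible calendar date such as `2013-02-30`; a strict `Date.strptime(value, "%Y-%m-%d")` inside `begin … rescue ArgumentError` states that intent and avoids the heuristic parser. Nothing in the hunk shows `require "date"`; if the file relies on the YAML engine having loaded it, a one-line comment saying so (or an explicit require) would keep the transform self-contained. `to_proper_type` begins in the first hunk and its body continues past the second.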
data/lib/safe_yaml/version.rb
CHANGED
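--- a/data/lib/safe_yaml.rb
+++ b/data/lib/safe_yaml.rb
@@ -12,7 +12,7 @@ module YAML
 end
 
 def self.orig_load_file(filename)
-# https://github.com/tenderlove/psych/blob/
+# https://github.com/tenderlove/psych/blob/v1.3.2/lib/psych.rb#L296-298
 File.open(filename, 'r:bom|utf-8') { |f| self.orig_load f, filename }
 end
 
@@ -25,7 +25,7 @@ module YAML
 end
 
 def self.orig_load_file(filename)
-# https://github.com/tenderlove/psych/blob/
+# https://github.com/tenderlove/psych/blob/v1.2.0/lib/psych.rb#L228-230
 File.open(filename, 'r:bom|utf-8') { |f| self.orig_load f }
 end
 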
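--- a/data/safe_yaml.gemspec
+++ b/data/safe_yaml.gemspec
@@ -6,7 +6,7 @@ Gem::Specification.new do |gem|
 gem.version = SafeYAML::VERSION
 gem.authors = "Dan Tao"
 gem.email = "daniel.tao@gmail.com"
-gem.description = %q{Parse YAML safely, without that pesky arbitrary code execution vulnerability
+gem.description = %q{Parse YAML safely, without that pesky arbitrary code execution vulnerability}
 gem.summary = %q{SameYAML provides an alternative implementation of YAML.load suitable for accepting user input in Ruby applications.}
 gem.homepage = "http://github.com/dtao/safe_yaml"
 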
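--- a/data/spec/shared_specs.rb
+++ b/data/spec/shared_specs.rb
@@ -18,6 +18,16 @@ module SharedSpecs
 }
 end
 
+it "translates sequences to arrays" do
+parse <<-YAML
+- foo
+- bar
+- baz
+YAML
+
+result.should == ["foo", "bar", "baz"]
+end
+
 it "translates most values to strings" do
 parse "string: value"
 result.should == { "string" => "value" }
@@ -38,14 +48,9 @@ module SharedSpecs
 result.should == { "float" => 3.14 }
 end
 
-it "translates
-parse
-
-- bar
-- baz
-YAML
-
-result.should == ["foo", "bar", "baz"]
+it "translates valid dates" do
+parse "date: 2013-01-24"
+result.should == { "date" => Date.parse("2013-01-24") }
 end
 
 it "translates valid true/false values to booleans" do
@@ -75,13 +80,15 @@ module SharedSpecs
 :bar: symbol
 1: integer
 3.14: float
+2013-01-24: date
 YAML
 
 result.should == {
 "foo" => "string",
 ":bar" => "symbol",
 1 => "integer",
-3.14 => "float"
+3.14 => "float",
+Date.parse("2013-01-24") => "date"
 }
 end
 
@@ -91,9 +98,10 @@ module SharedSpecs
 - :bar
 - 1
 - 3.14
+- 2013-01-24
 YAML
 
-result.should == ["foo", ":bar", 1, 3.14]
+result.should == ["foo", ":bar", 1, 3.14, Date.parse("2013-01-24")]
 end
 
 it "deals just fine with nested maps" do
@@ -137,13 +145,15 @@ module SharedSpecs
 :bar: symbol
 1: integer
 3.14: float
+2013-01-24: date
 YAML
 
 result.should == {
 "foo" => "string",
 :bar => "symbol",
 1 => "integer",
-3.14 => "float"
+3.14 => "float",
+Date.parse("2013-01-24") => "date"
 }
 end
 
@@ -153,9 +163,10 @@ module SharedSpecs
 - :bar
 - 1
 - 3.14
+- 2013-01-24
 YAML
 
-result.should == ["foo", :bar, 1, 3.14]
+result.should == ["foo", :bar, 1, 3.14, Date.parse("2013-01-24")]
 end
 end
 end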
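--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: safe_yaml
 version: !ruby/object:Gem::Version
-version: '0.
+version: '0.5'
 prerelease:
 platform: ruby
 authors:
@@ -9,9 +9,9 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-01-
+date: 2013-01-24 00:00:00.000000000 Z
 dependencies: []
-description: Parse YAML safely, without that pesky arbitrary code execution vulnerability
+description: Parse YAML safely, without that pesky arbitrary code execution vulnerability
 email: daniel.tao@gmail.com
 executables: []
 extensions: []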