RubyGems - safe_yaml - Versions diffs - 0.5 → 0.5.1 - Mend

safe_yaml 0.5 → 0.5.1

Files changed (16) hide show

data/Gemfile.lock +1 -1
data/README.md +2 -1
data/lib/safe_yaml.rb +7 -0
data/lib/safe_yaml/transform.rb +12 -34
data/lib/safe_yaml/transform/to_boolean.rb +19 -0
data/lib/safe_yaml/transform/to_date.rb +13 -0
data/lib/safe_yaml/transform/to_float.rb +12 -0
data/lib/safe_yaml/transform/to_integer.rb +12 -0
data/lib/safe_yaml/transform/to_nil.rb +16 -0
data/lib/safe_yaml/transform/to_symbol.rb +12 -0
data/lib/safe_yaml/transform/to_time.rb +15 -0
data/lib/safe_yaml/version.rb +1 -1
data/spec/safe_yaml_spec.rb +0 -1
data/spec/shared_specs.rb +39 -30
data/spec/spec_helper.rb +1 -0
metadata +9 -2

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    safe_yaml (0.4)
+    safe_yaml (0.5.1)
 GEM
   remote: http://rubygems.org/

data/README.md CHANGED Viewed

@@ -55,7 +55,7 @@ Observe:
     I'm in yr system!
     => #<ExploitableClassBuilder:0x007fdbbe2e25d8 @class=#<Class:0x007fdbbe2e2510>>
-With `YAML.safe_load`, that attacker would be thwarted:
+With SafeYAML, that attacker would be thwarted:
     > require "safe_yaml"
     => true
@@ -72,6 +72,7 @@ The way that SafeYAML works is by restricting the kinds of objects that can be d
 - Strings
 - Numbers
 - Dates
+- Times
 - Booleans
 - Nils

data/lib/safe_yaml.rb CHANGED Viewed

@@ -1,4 +1,11 @@
 require "yaml"
+require "safe_yaml/transform/to_boolean"
+require "safe_yaml/transform/to_date"
+require "safe_yaml/transform/to_float"
+require "safe_yaml/transform/to_integer"
+require "safe_yaml/transform/to_nil"
+require "safe_yaml/transform/to_symbol"
+require "safe_yaml/transform/to_time"
 require "safe_yaml/transform"
 require "safe_yaml/version"

data/lib/safe_yaml/transform.rb CHANGED Viewed

@@ -4,43 +4,21 @@ module SafeYAML
       :enable_symbol_parsing => false
     }
-    PREDEFINED_VALUES = {
-      ""      => nil,
-      "~"     => nil,
-      "null"  => nil,
-      "yes"   => true,
-      "on"    => true,
-      "true"  => true,
-      "no"    => false,
-      "off"   => false,
-      "false" => false
-    }.freeze
-    SYMBOL_MATCHER = /^:\w+$/.freeze
-    INTEGER_MATCHER = /^\d+$/.freeze
-    FLOAT_MATCHER = /^(?:\d+(?:\.\d*)?$)|(?:^\.\d+$)/.freeze
-    DATE_MATCHER = /^\d{4}\-\d{2}\-\d{2}$/.freeze
+    TRANSFORMERS = [
+      Transform::ToSymbol.new,
+      Transform::ToInteger.new,
+      Transform::ToFloat.new,
+      Transform::ToNil.new,
+      Transform::ToBoolean.new,
+      Transform::ToDate.new,
+      Transform::ToTime.new
+    ]
     def self.to_proper_type(value)
       if value.is_a?(String)
-        if PREDEFINED_VALUES.include?(value.downcase)
-          return PREDEFINED_VALUES[value.downcase]
-        elsif OPTIONS[:enable_symbol_parsing] && value.match(SYMBOL_MATCHER)
-          return value[1..-1].to_sym
-        elsif value.match(INTEGER_MATCHER)
-          return value.to_i
-        elsif value.match(FLOAT_MATCHER)
-          return value.to_f
-        elsif value.match(DATE_MATCHER)
-          date = Date.parse(value) rescue nil
-          return date if date
+        TRANSFORMERS.each do |transformer|
+          success, transformed_value = transformer.transform?(value)
+          return transformed_value if success
         end
       end

data/lib/safe_yaml/transform/to_boolean.rb ADDED Viewed

@@ -0,0 +1,19 @@
+module SafeYAML
+  class Transform
+    class ToBoolean
+      PREDEFINED_VALUES = {
+        "yes"   => true,
+        "on"    => true,
+        "true"  => true,
+        "no"    => false,
+        "off"   => false,
+        "false" => false
+      }.freeze
+      def transform?(value)
+        key = value.downcase
+        return PREDEFINED_VALUES.include?(key), PREDEFINED_VALUES[key]
+      end
+    end
+  end
+end

data/lib/safe_yaml/transform/to_date.rb ADDED Viewed

@@ -0,0 +1,13 @@
+module SafeYAML
+  class Transform
+    class ToDate
+      MATCHER = /^\d{4}\-\d{2}\-\d{2}$/.freeze
+      def transform?(value)
+        return false unless MATCHER.match(value)
+        date = Date.parse(value) rescue nil
+        return !!date, date
+      end
+    end
+  end
+end

data/lib/safe_yaml/transform/to_float.rb ADDED Viewed

@@ -0,0 +1,12 @@
+module SafeYAML
+  class Transform
+    class ToFloat
+      MATCHER = /^(?:\d+(?:\.\d*)?$)|(?:^\.\d+$)/.freeze
+      def transform?(value)
+        return false unless MATCHER.match(value)
+        return true, value.to_f
+      end
+    end
+  end
+end

data/lib/safe_yaml/transform/to_integer.rb ADDED Viewed

@@ -0,0 +1,12 @@
+module SafeYAML
+  class Transform
+    class ToInteger
+      MATCHER = /^\d+$/.freeze
+      def transform?(value)
+        return false unless MATCHER.match(value)
+        return true, value.to_i
+      end
+    end
+  end
+end

data/lib/safe_yaml/transform/to_nil.rb ADDED Viewed

@@ -0,0 +1,16 @@
+module SafeYAML
+  class Transform
+    class ToNil
+      PREDEFINED_VALUES = {
+        ""      => nil,
+        "~"     => nil,
+        "null"  => nil,
+      }.freeze
+      def transform?(value)
+        key = value.downcase
+        return PREDEFINED_VALUES.include?(key), PREDEFINED_VALUES[key]
+      end
+    end
+  end
+end

data/lib/safe_yaml/transform/to_symbol.rb ADDED Viewed

@@ -0,0 +1,12 @@
+module SafeYAML
+  class Transform
+    class ToSymbol
+      MATCHER = /^:\w+$/.freeze
+      def transform?(value)
+        return false if !Transform::OPTIONS[:enable_symbol_parsing] || !MATCHER.match(value)
+        return true, value[1..-1].to_sym
+      end
+    end
+  end
+end

data/lib/safe_yaml/transform/to_time.rb ADDED Viewed

@@ -0,0 +1,15 @@
+module SafeYAML
+  class Transform
+    class ToTime
+      # There isn't a missing '$' there; YAML itself seems to ignore everything at the end of a
+      # string that otherwise resembles a time.
+      MATCHER = /^\d{4}\-\d{2}\-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d{1,5})?/.freeze
+      def transform?(value)
+        return false unless MATCHER.match(value)
+        datetime = DateTime.parse(value) rescue nil
+        return !!datetime, datetime.to_time
+      end
+    end
+  end
+end

data/lib/safe_yaml/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module SafeYAML
-  VERSION = "0.5"
+  VERSION = "0.5.1"
 end

data/spec/safe_yaml_spec.rb CHANGED Viewed

@@ -1,6 +1,5 @@
 require File.join(File.dirname(__FILE__), "spec_helper")
-require "safe_yaml"
 require "exploitable_back_door"
 describe YAML do

data/spec/shared_specs.rb CHANGED Viewed

@@ -1,7 +1,5 @@
 require File.join(File.dirname(__FILE__), "spec_helper")
-require "safe_yaml/transform"
 module SharedSpecs
   def self.included(base)
     base.instance_eval do
@@ -53,6 +51,11 @@ module SharedSpecs
           result.should == { "date" => Date.parse("2013-01-24") }
         end
+        it "translates valid time values" do
+          parse "time: 2013-01-29 05:58:00 -0800"
+          result.should == { "time" => Time.new(2013, 1, 29, 5, 58, 0, "-08:00") }
+        end
         it "translates valid true/false values to booleans" do
           parse <<-YAML
             - yes
@@ -74,6 +77,30 @@ module SharedSpecs
           result.should == [nil] * 3
         end
+        it "deals just fine with nested maps" do
+          parse <<-YAML
+            foo:
+              bar:
+                marco: polo
+          YAML
+          result.should == { "foo" => { "bar" => { "marco" => "polo" } } }
+        end
+        it "deals just fine with nested sequences" do
+          parse <<-YAML
+            - foo
+            -
+              - bar1
+              - bar2
+              -
+                - baz1
+                - baz2
+          YAML
+          result.should == ["foo", ["bar1", "bar2", ["baz1", "baz2"]]]
+        end
         it "applies the same transformations to keys as to values" do
           parse <<-YAML
             foo: string
@@ -81,6 +108,7 @@ module SharedSpecs
             1: integer
             3.14: float
             2013-01-24: date
+            2013-01-29 05:58:00 -0800: time
           YAML
           result.should == {
@@ -88,7 +116,8 @@ module SharedSpecs
             ":bar" => "symbol",
             1      => "integer",
             3.14   => "float",
-            Date.parse("2013-01-24") => "date"
+            Date.parse("2013-01-24") => "date",
+            Time.new(2013, 1, 29, 5, 58, 0, "-08:00") => "time"
           }
         end
@@ -99,33 +128,10 @@ module SharedSpecs
             - 1
             - 3.14
             - 2013-01-24
+            - 2013-01-29 05:58:00 -0800
           YAML
-          result.should == ["foo", ":bar", 1, 3.14, Date.parse("2013-01-24")]
-        end
-        it "deals just fine with nested maps" do
-          parse <<-YAML
-            foo:
-              bar:
-                marco: polo
-          YAML
-          result.should == { "foo" => { "bar" => { "marco" => "polo" } } }
-        end
-        it "deals just fine with nested sequences" do
-          parse <<-YAML
-            - foo
-            -
-              - bar1
-              - bar2
-              -
-                - baz1
-                - baz2
-          YAML
-          result.should == ["foo", ["bar1", "bar2", ["baz1", "baz2"]]]
+          result.should == ["foo", ":bar", 1, 3.14, Date.parse("2013-01-24"), Time.new(2013, 1, 29, 5, 58, 0, "-08:00")]
         end
       end
@@ -146,6 +152,7 @@ module SharedSpecs
             1: integer
             3.14: float
             2013-01-24: date
+            2013-01-29 05:58:00 -0800: time
           YAML
           result.should == {
@@ -153,7 +160,8 @@ module SharedSpecs
             :bar  => "symbol",
             1     => "integer",
             3.14  => "float",
-            Date.parse("2013-01-24") => "date"
+            Date.parse("2013-01-24") => "date",
+            Time.new(2013, 1, 29, 5, 58, 0, "-08:00") => "time"
           }
         end
@@ -164,9 +172,10 @@ module SharedSpecs
             - 1
             - 3.14
             - 2013-01-24
+            - 2013-01-29 05:58:00 -0800
           YAML
-          result.should == ["foo", :bar, 1, 3.14, Date.parse("2013-01-24")]
+          result.should == ["foo", :bar, 1, 3.14, Date.parse("2013-01-24"), Time.new(2013, 1, 29, 5, 58, 0, "-08:00")]
         end
       end
     end

data/spec/spec_helper.rb CHANGED Viewed

@@ -4,6 +4,7 @@ ROOT = File.join(HERE, "..")
 $LOAD_PATH << File.join(ROOT, "lib")
 $LOAD_PATH << File.join(HERE, "support")
+require "safe_yaml"
 require "heredoc_unindent"
 require File.join(HERE, "shared_specs")

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: safe_yaml
 version: !ruby/object:Gem::Version
-  version: '0.5'
+  version: 0.5.1
   prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-01-24 00:00:00.000000000 Z
+date: 2013-01-29 00:00:00.000000000 Z
 dependencies: []
 description: Parse YAML safely, without that pesky arbitrary code execution vulnerability
 email: daniel.tao@gmail.com
@@ -26,6 +26,13 @@ files:
 - lib/safe_yaml/psych_handler.rb
 - lib/safe_yaml/syck_resolver.rb
 - lib/safe_yaml/transform.rb
+- lib/safe_yaml/transform/to_boolean.rb
+- lib/safe_yaml/transform/to_date.rb
+- lib/safe_yaml/transform/to_float.rb
+- lib/safe_yaml/transform/to_integer.rb
+- lib/safe_yaml/transform/to_nil.rb
+- lib/safe_yaml/transform/to_symbol.rb
+- lib/safe_yaml/transform/to_time.rb
 - lib/safe_yaml/version.rb
 - run_specs_all_ruby_versions.sh
 - safe_yaml.gemspec