RubyGems - safe_yaml - Versions diffs - 0.5 → 0.5.1 - Mend

safe_yaml 0.5 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

data/Gemfile.lock +1 -1
data/README.md +2 -1
data/lib/safe_yaml.rb +7 -0
data/lib/safe_yaml/transform.rb +12 -34
data/lib/safe_yaml/transform/to_boolean.rb +19 -0
data/lib/safe_yaml/transform/to_date.rb +13 -0
data/lib/safe_yaml/transform/to_float.rb +12 -0
data/lib/safe_yaml/transform/to_integer.rb +12 -0
data/lib/safe_yaml/transform/to_nil.rb +16 -0
data/lib/safe_yaml/transform/to_symbol.rb +12 -0
data/lib/safe_yaml/transform/to_time.rb +15 -0
data/lib/safe_yaml/version.rb +1 -1
data/spec/safe_yaml_spec.rb +0 -1
data/spec/shared_specs.rb +39 -30
data/spec/spec_helper.rb +1 -0
metadata +9 -2

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    safe_yaml (0.4)
+    safe_yaml (0.5.1)
 GEM
   remote: http://rubygems.org/

data/README.md CHANGED Viewed

@@ -55,7 +55,7 @@ Observe:
     I'm in yr system!
     => #<ExploitableClassBuilder:0x007fdbbe2e25d8 @class=#<Class:0x007fdbbe2e2510>>
-With `YAML.safe_load`, that attacker would be thwarted:
+With SafeYAML, that attacker would be thwarted:
     > require "safe_yaml"
     => true
@@ -72,6 +72,7 @@ The way that SafeYAML works is by restricting the kinds of objects that can be d
 - Strings
 - Numbers
 - Dates
+- Times
 - Booleans
 - Nils

data/lib/safe_yaml.rb CHANGED Viewed

@@ -1,4 +1,11 @@
 require "yaml"
+require "safe_yaml/transform/to_boolean"
+require "safe_yaml/transform/to_date"
+require "safe_yaml/transform/to_float"
+require "safe_yaml/transform/to_integer"
+require "safe_yaml/transform/to_nil"
+require "safe_yaml/transform/to_symbol"
+require "safe_yaml/transform/to_time"
 require "safe_yaml/transform"
 require "safe_yaml/version"

data/lib/safe_yaml/transform.rb CHANGED Viewed

@@ -4,43 +4,21 @@ module SafeYAML
       :enable_symbol_parsing => false
     }
-    PREDEFINED_VALUES = {
-      ""      => nil,
-      "~"     => nil,
-      "null"  => nil,
-      "yes"   => true,
-      "on"    => true,
-      "true"  => true,
-      "no"    => false,
-      "off"   => false,
-      "false" => false
-    }.freeze
-    SYMBOL_MATCHER = /^:\w+$/.freeze
-    INTEGER_MATCHER = /^\d+$/.freeze
-    FLOAT_MATCHER = /^(?:\d+(?:\.\d*)?$)|(?:^\.\d+$)/.freeze
-    DATE_MATCHER = /^\d{4}\-\d{2}\-\d{2}$/.freeze
+    TRANSFORMERS = [
+      Transform::ToSymbol.new,
+      Transform::ToInteger.new,
+      Transform::ToFloat.new,
+      Transform::ToNil.new,
+      Transform::ToBoolean.new,
+      Transform::ToDate.new,
+      Transform::ToTime.new
+    ]
     def self.to_proper_type(value)
       if value.is_a?(String)
-        if PREDEFINED_VALUES.include?(value.downcase)
-          return PREDEFINED_VALUES[value.downcase]
-        elsif OPTIONS[:enable_symbol_parsing] && value.match(SYMBOL_MATCHER)
-          return value[1..-1].to_sym
-        elsif value.match(INTEGER_MATCHER)
-          return value.to_i
-        elsif value.match(FLOAT_MATCHER)
-          return value.to_f
-        elsif value.match(DATE_MATCHER)
-          date = Date.parse(value) rescue nil
-          return date if date
+        TRANSFORMERS.each do |transformer|
+          success, transformed_value = transformer.transform?(value)
+          return transformed_value if success
         end
       end

data/lib/safe_yaml/transform/to_boolean.rb ADDED Viewed

@@ -0,0 +1,19 @@
+module SafeYAML
+  class Transform
+    class ToBoolean
+      PREDEFINED_VALUES = {
+        "yes"   => true,
+        "on"    => true,
+        "true"  => true,
+        "no"    => false,
+        "off"   => false,
+        "false" => false
+      }.freeze
+      def transform?(value)
+        key = value.downcase
+        return PREDEFINED_VALUES.include?(key), PREDEFINED_VALUES[key]
+      end
+    end
+  end
+end

data/lib/safe_yaml/transform/to_date.rb ADDED Viewed

@@ -0,0 +1,13 @@
+module SafeYAML
+  class Transform
+    class ToDate
+      MATCHER = /^\d{4}\-\d{2}\-\d{2}$/.freeze
+      def transform?(value)
+        return false unless MATCHER.match(value)
+        date = Date.parse(value) rescue nil
+        return !!date, date
+      end
+    end
+  end
+end

data/lib/safe_yaml/transform/to_float.rb ADDED Viewed

@@ -0,0 +1,12 @@
+module SafeYAML
+  class Transform
+    class ToFloat
+      MATCHER = /^(?:\d+(?:\.\d*)?$)|(?:^\.\d+$)/.freeze
+      def transform?(value)
+        return false unless MATCHER.match(value)
+        return true, value.to_f
+      end
+    end
+  end
+end

data/lib/safe_yaml/transform/to_integer.rb ADDED Viewed

@@ -0,0 +1,12 @@
+module SafeYAML
+  class Transform
+    class ToInteger
+      MATCHER = /^\d+$/.freeze
+      def transform?(value)
+        return false unless MATCHER.match(value)
+        return true, value.to_i
+      end
+    end
+  end
+end

data/lib/safe_yaml/transform/to_nil.rb ADDED Viewed

@@ -0,0 +1,16 @@
+module SafeYAML
+  class Transform
+    class ToNil
+      PREDEFINED_VALUES = {
+        ""      => nil,
+        "~"     => nil,
+        "null"  => nil,
+      }.freeze
+      def transform?(value)
+        key = value.downcase
+        return PREDEFINED_VALUES.include?(key), PREDEFINED_VALUES[key]
+      end
+    end
+  end
+end

data/lib/safe_yaml/transform/to_symbol.rb ADDED Viewed

@@ -0,0 +1,12 @@
+module SafeYAML
+  class Transform
+    class ToSymbol
+      MATCHER = /^:\w+$/.freeze
+      def transform?(value)
+        return false if !Transform::OPTIONS[:enable_symbol_parsing] || !MATCHER.match(value)
+        return true, value[1..-1].to_sym
+      end
+    end
+  end
+end

data/lib/safe_yaml/transform/to_time.rb ADDED Viewed

@@ -0,0 +1,15 @@
+module SafeYAML
+  class Transform
+    class ToTime
+      # There isn't a missing '$' there; YAML itself seems to ignore everything at the end of a
+      # string that otherwise resembles a time.
+      MATCHER = /^\d{4}\-\d{2}\-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d{1,5})?/.freeze
+      def transform?(value)
+        return false unless MATCHER.match(value)
+        datetime = DateTime.parse(value) rescue nil
+        return !!datetime, datetime.to_time
+      end
+    end
+  end
+end

data/lib/safe_yaml/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module SafeYAML
-  VERSION = "0.5"
+  VERSION = "0.5.1"
 end

data/spec/safe_yaml_spec.rb CHANGED Viewed

@@ -1,6 +1,5 @@
 require File.join(File.dirname(__FILE__), "spec_helper")
-require "safe_yaml"
 require "exploitable_back_door"
 describe YAML do

data/spec/shared_specs.rb CHANGED Viewed

@@ -1,7 +1,5 @@
 require File.join(File.dirname(__FILE__), "spec_helper")
-require "safe_yaml/transform"
 module SharedSpecs
   def self.included(base)
     base.instance_eval do
@@ -53,6 +51,11 @@ module SharedSpecs
           result.should == { "date" => Date.parse("2013-01-24") }
         end
+        it "translates valid time values" do
+          parse "time: 2013-01-29 05:58:00 -0800"
+          result.should == { "time" => Time.new(2013, 1, 29, 5, 58, 0, "-08:00") }
+        end
         it "translates valid true/false values to booleans" do
           parse <<-YAML
             - yes
@@ -74,6 +77,30 @@ module SharedSpecs
           result.should == [nil] * 3
         end
+        it "deals just fine with nested maps" do
+          parse <<-YAML
+            foo:
+              bar:
+                marco: polo
+          YAML
+          result.should == { "foo" => { "bar" => { "marco" => "polo" } } }
+        end
+        it "deals just fine with nested sequences" do
+          parse <<-YAML
+            - foo
+            -
+              - bar1
+              - bar2
+              -
+                - baz1
+                - baz2
+          YAML
+          result.should == ["foo", ["bar1", "bar2", ["baz1", "baz2"]]]
+        end
         it "applies the same transformations to keys as to values" do
           parse <<-YAML
             foo: string
@@ -81,6 +108,7 @@ module SharedSpecs
             1: integer
             3.14: float
             2013-01-24: date
+            2013-01-29 05:58:00 -0800: time
           YAML
           result.should == {
@@ -88,7 +116,8 @@ module SharedSpecs
             ":bar" => "symbol",
             1      => "integer",
             3.14   => "float",
-            Date.parse("2013-01-24") => "date"
+            Date.parse("2013-01-24") => "date",
+            Time.new(2013, 1, 29, 5, 58, 0, "-08:00") => "time"
           }
         end
@@ -99,33 +128,10 @@ module SharedSpecs
             - 1
             - 3.14
             - 2013-01-24
+            - 2013-01-29 05:58:00 -0800
           YAML
-          result.should == ["foo", ":bar", 1, 3.14, Date.parse("2013-01-24")]
-        end
-        it "deals just fine with nested maps" do
-          parse <<-YAML
-            foo:
-              bar:
-                marco: polo
-          YAML
-          result.should == { "foo" => { "bar" => { "marco" => "polo" } } }
-        end
-        it "deals just fine with nested sequences" do
-          parse <<-YAML
-            - foo
-            -
-              - bar1
-              - bar2
-              -
-                - baz1
-                - baz2
-          YAML
-          result.should == ["foo", ["bar1", "bar2", ["baz1", "baz2"]]]
+          result.should == ["foo", ":bar", 1, 3.14, Date.parse("2013-01-24"), Time.new(2013, 1, 29, 5, 58, 0, "-08:00")]
         end
       end
@@ -146,6 +152,7 @@ module SharedSpecs
             1: integer
             3.14: float
             2013-01-24: date
+            2013-01-29 05:58:00 -0800: time
           YAML
           result.should == {
@@ -153,7 +160,8 @@ module SharedSpecs
             :bar  => "symbol",
             1     => "integer",
             3.14  => "float",
-            Date.parse("2013-01-24") => "date"
+            Date.parse("2013-01-24") => "date",
+            Time.new(2013, 1, 29, 5, 58, 0, "-08:00") => "time"
           }
         end
@@ -164,9 +172,10 @@ module SharedSpecs
             - 1
             - 3.14
             - 2013-01-24
+            - 2013-01-29 05:58:00 -0800
           YAML
-          result.should == ["foo", :bar, 1, 3.14, Date.parse("2013-01-24")]
+          result.should == ["foo", :bar, 1, 3.14, Date.parse("2013-01-24"), Time.new(2013, 1, 29, 5, 58, 0, "-08:00")]
         end
       end
     end

data/spec/spec_helper.rb CHANGED Viewed

@@ -4,6 +4,7 @@ ROOT = File.join(HERE, "..")
 $LOAD_PATH << File.join(ROOT, "lib")
 $LOAD_PATH << File.join(HERE, "support")
+require "safe_yaml"
 require "heredoc_unindent"
 require File.join(HERE, "shared_specs")

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: safe_yaml
 version: !ruby/object:Gem::Version
-  version: '0.5'
+  version: 0.5.1
   prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-01-24 00:00:00.000000000 Z
+date: 2013-01-29 00:00:00.000000000 Z
 dependencies: []
 description: Parse YAML safely, without that pesky arbitrary code execution vulnerability
 email: daniel.tao@gmail.com
@@ -26,6 +26,13 @@ files:
 - lib/safe_yaml/psych_handler.rb
 - lib/safe_yaml/syck_resolver.rb
 - lib/safe_yaml/transform.rb
+- lib/safe_yaml/transform/to_boolean.rb
+- lib/safe_yaml/transform/to_date.rb
+- lib/safe_yaml/transform/to_float.rb
+- lib/safe_yaml/transform/to_integer.rb
+- lib/safe_yaml/transform/to_nil.rb
+- lib/safe_yaml/transform/to_symbol.rb
+- lib/safe_yaml/transform/to_time.rb
 - lib/safe_yaml/version.rb
 - run_specs_all_ruby_versions.sh
 - safe_yaml.gemspec