safe_yaml 0.5.1 → 0.5.2
Sign up to get free protection for your applications and to get access to all the features.
- data/.gitignore +1 -0
- data/lib/safe_yaml/transform/to_time.rb +4 -1
- data/lib/safe_yaml/version.rb +1 -1
- data/safe_yaml.gemspec +1 -1
- data/spec/safe_yaml_spec.rb +0 -4
- data/spec/shared_specs.rb +32 -38
- metadata +2 -3
- data/Gemfile.lock +0 -28
data/.gitignore
CHANGED
|
@@ -8,7 +8,10 @@ module SafeYAML
|
|
|
8
8
|
def transform?(value)
|
|
9
9
|
return false unless MATCHER.match(value)
|
|
10
10
|
datetime = DateTime.parse(value) rescue nil
|
|
11
|
-
|
|
11
|
+
if datetime.respond_to?(:to_time)
|
|
12
|
+
return true, datetime.to_time
|
|
13
|
+
end
|
|
14
|
+
false
|
|
12
15
|
end
|
|
13
16
|
end
|
|
14
17
|
end
|
data/lib/safe_yaml/version.rb
CHANGED
data/safe_yaml.gemspec
CHANGED
|
@@ -8,7 +8,7 @@ Gem::Specification.new do |gem|
|
|
|
8
8
|
gem.email = "daniel.tao@gmail.com"
|
|
9
9
|
gem.description = %q{Parse YAML safely, without that pesky arbitrary code execution vulnerability}
|
|
10
10
|
gem.summary = %q{SameYAML provides an alternative implementation of YAML.load suitable for accepting user input in Ruby applications.}
|
|
11
|
-
gem.homepage = "http://github.com/
|
|
11
|
+
gem.homepage = "http://dtao.github.com/safe_yaml/"
|
|
12
12
|
|
|
13
13
|
gem.files = `git ls-files`.split($\)
|
|
14
14
|
gem.test_files = gem.files.grep(%r{^spec/})
|
data/spec/safe_yaml_spec.rb
CHANGED
|
@@ -13,9 +13,7 @@ describe YAML do
|
|
|
13
13
|
backdoor = YAML.orig_load("--- !ruby/hash:ExploitableBackDoor\nfoo: bar\n")
|
|
14
14
|
backdoor.should be_exploited_through_setter
|
|
15
15
|
end
|
|
16
|
-
end
|
|
17
16
|
|
|
18
|
-
if RUBY_VERSION >= "1.9.2"
|
|
19
17
|
it "allows exploits through objects defined in YAML w/ !ruby/object via the :init_with method" do
|
|
20
18
|
backdoor = YAML.orig_load("--- !ruby/object:ExploitableBackDoor\nfoo: bar\n")
|
|
21
19
|
backdoor.should be_exploited_through_init_with
|
|
@@ -110,9 +108,7 @@ describe YAML do
|
|
|
110
108
|
backdoor = YAML.orig_load_file "spec/exploit.1.9.3.yaml"
|
|
111
109
|
backdoor.should be_exploited_through_setter
|
|
112
110
|
end
|
|
113
|
-
end
|
|
114
111
|
|
|
115
|
-
if RUBY_VERSION >= "1.9.2"
|
|
116
112
|
it "allows exploits through objects defined in YAML w/ !ruby/object via the :init_with method" do
|
|
117
113
|
backdoor = YAML.orig_load_file "spec/exploit.1.9.2.yaml"
|
|
118
114
|
backdoor.should be_exploited_through_init_with
|
data/spec/shared_specs.rb
CHANGED
|
@@ -1,5 +1,3 @@
|
|
|
1
|
-
require File.join(File.dirname(__FILE__), "spec_helper")
|
|
2
|
-
|
|
3
1
|
module SharedSpecs
|
|
4
2
|
def self.included(base)
|
|
5
3
|
base.instance_eval do
|
|
@@ -51,11 +49,6 @@ module SharedSpecs
|
|
|
51
49
|
result.should == { "date" => Date.parse("2013-01-24") }
|
|
52
50
|
end
|
|
53
51
|
|
|
54
|
-
it "translates valid time values" do
|
|
55
|
-
parse "time: 2013-01-29 05:58:00 -0800"
|
|
56
|
-
result.should == { "time" => Time.new(2013, 1, 29, 5, 58, 0, "-08:00") }
|
|
57
|
-
end
|
|
58
|
-
|
|
59
52
|
it "translates valid true/false values to booleans" do
|
|
60
53
|
parse <<-YAML
|
|
61
54
|
- yes
|
|
@@ -108,7 +101,6 @@ module SharedSpecs
|
|
|
108
101
|
1: integer
|
|
109
102
|
3.14: float
|
|
110
103
|
2013-01-24: date
|
|
111
|
-
2013-01-29 05:58:00 -0800: time
|
|
112
104
|
YAML
|
|
113
105
|
|
|
114
106
|
result.should == {
|
|
@@ -117,7 +109,6 @@ module SharedSpecs
|
|
|
117
109
|
1 => "integer",
|
|
118
110
|
3.14 => "float",
|
|
119
111
|
Date.parse("2013-01-24") => "date",
|
|
120
|
-
Time.new(2013, 1, 29, 5, 58, 0, "-08:00") => "time"
|
|
121
112
|
}
|
|
122
113
|
end
|
|
123
114
|
|
|
@@ -128,10 +119,34 @@ module SharedSpecs
|
|
|
128
119
|
- 1
|
|
129
120
|
- 3.14
|
|
130
121
|
- 2013-01-24
|
|
131
|
-
- 2013-01-29 05:58:00 -0800
|
|
132
122
|
YAML
|
|
133
123
|
|
|
134
|
-
result.should == ["foo", ":bar", 1, 3.14, Date.parse("2013-01-24")
|
|
124
|
+
result.should == ["foo", ":bar", 1, 3.14, Date.parse("2013-01-24")]
|
|
125
|
+
end
|
|
126
|
+
end
|
|
127
|
+
|
|
128
|
+
context "for Ruby version #{RUBY_VERSION}" do
|
|
129
|
+
if RUBY_VERSION >= "1.9.2"
|
|
130
|
+
it "translates valid time values" do
|
|
131
|
+
parse "time: 2013-01-29 05:58:00 -0800"
|
|
132
|
+
result.should == { "time" => Time.new(2013, 1, 29, 5, 58, 0, "-08:00") }
|
|
133
|
+
end
|
|
134
|
+
|
|
135
|
+
it "applies the same transformation to keys" do
|
|
136
|
+
parse "2013-01-29 05:58:00 -0800: time"
|
|
137
|
+
result.should == { Time.new(2013, 1, 29, 5, 58, 0, "-08:00") => "time" }
|
|
138
|
+
end
|
|
139
|
+
|
|
140
|
+
it "applies the same transformation to elements in sequences" do
|
|
141
|
+
parse "- 2013-01-29 05:58:00 -0800"
|
|
142
|
+
result.should == [Time.new(2013, 1, 29, 5, 58, 0, "-08:00")]
|
|
143
|
+
end
|
|
144
|
+
|
|
145
|
+
else
|
|
146
|
+
it "does not deserialize times" do
|
|
147
|
+
parse "time: 2013-01-29 05:58:00 -0800"
|
|
148
|
+
result.should == { "time" => "2013-01-29 05:58:00 -0800" }
|
|
149
|
+
end
|
|
135
150
|
end
|
|
136
151
|
end
|
|
137
152
|
|
|
@@ -145,37 +160,16 @@ module SharedSpecs
|
|
|
145
160
|
result.should == { "symbol" => :value }
|
|
146
161
|
end
|
|
147
162
|
|
|
148
|
-
it "applies the same
|
|
149
|
-
parse
|
|
150
|
-
foo: string
|
|
151
|
-
:bar: symbol
|
|
152
|
-
1: integer
|
|
153
|
-
3.14: float
|
|
154
|
-
2013-01-24: date
|
|
155
|
-
2013-01-29 05:58:00 -0800: time
|
|
156
|
-
YAML
|
|
163
|
+
it "applies the same transformation to keys" do
|
|
164
|
+
parse ":bar: symbol"
|
|
157
165
|
|
|
158
|
-
result.should == {
|
|
159
|
-
"foo" => "string",
|
|
160
|
-
:bar => "symbol",
|
|
161
|
-
1 => "integer",
|
|
162
|
-
3.14 => "float",
|
|
163
|
-
Date.parse("2013-01-24") => "date",
|
|
164
|
-
Time.new(2013, 1, 29, 5, 58, 0, "-08:00") => "time"
|
|
165
|
-
}
|
|
166
|
+
result.should == { :bar => "symbol" }
|
|
166
167
|
end
|
|
167
168
|
|
|
168
|
-
it "applies the same
|
|
169
|
-
parse
|
|
170
|
-
- foo
|
|
171
|
-
- :bar
|
|
172
|
-
- 1
|
|
173
|
-
- 3.14
|
|
174
|
-
- 2013-01-24
|
|
175
|
-
- 2013-01-29 05:58:00 -0800
|
|
176
|
-
YAML
|
|
169
|
+
it "applies the same transformation to elements in sequences" do
|
|
170
|
+
parse "- :bar"
|
|
177
171
|
|
|
178
|
-
result.should == [
|
|
172
|
+
result.should == [:bar]
|
|
179
173
|
end
|
|
180
174
|
end
|
|
181
175
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: safe_yaml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.5.
|
|
4
|
+
version: 0.5.2
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -19,7 +19,6 @@ extra_rdoc_files: []
|
|
|
19
19
|
files:
|
|
20
20
|
- .gitignore
|
|
21
21
|
- Gemfile
|
|
22
|
-
- Gemfile.lock
|
|
23
22
|
- README.md
|
|
24
23
|
- Rakefile
|
|
25
24
|
- lib/safe_yaml.rb
|
|
@@ -44,7 +43,7 @@ files:
|
|
|
44
43
|
- spec/spec_helper.rb
|
|
45
44
|
- spec/support/exploitable_back_door.rb
|
|
46
45
|
- spec/syck_resolver_spec.rb
|
|
47
|
-
homepage: http://github.com/
|
|
46
|
+
homepage: http://dtao.github.com/safe_yaml/
|
|
48
47
|
licenses: []
|
|
49
48
|
post_install_message:
|
|
50
49
|
rdoc_options: []
|
data/Gemfile.lock
DELETED
|
@@ -1,28 +0,0 @@
|
|
|
1
|
-
PATH
|
|
2
|
-
remote: .
|
|
3
|
-
specs:
|
|
4
|
-
safe_yaml (0.5.1)
|
|
5
|
-
|
|
6
|
-
GEM
|
|
7
|
-
remote: http://rubygems.org/
|
|
8
|
-
specs:
|
|
9
|
-
diff-lcs (1.1.3)
|
|
10
|
-
heredoc_unindent (1.1.2)
|
|
11
|
-
rake (10.0.3)
|
|
12
|
-
rspec (2.12.0)
|
|
13
|
-
rspec-core (~> 2.12.0)
|
|
14
|
-
rspec-expectations (~> 2.12.0)
|
|
15
|
-
rspec-mocks (~> 2.12.0)
|
|
16
|
-
rspec-core (2.12.2)
|
|
17
|
-
rspec-expectations (2.12.1)
|
|
18
|
-
diff-lcs (~> 1.1.3)
|
|
19
|
-
rspec-mocks (2.12.1)
|
|
20
|
-
|
|
21
|
-
PLATFORMS
|
|
22
|
-
ruby
|
|
23
|
-
|
|
24
|
-
DEPENDENCIES
|
|
25
|
-
heredoc_unindent
|
|
26
|
-
rake
|
|
27
|
-
rspec
|
|
28
|
-
safe_yaml!
|