safe_yaml 0.6.3 → 0.7.0

data/README.md

@@ -99,14 +99,15 @@ The way that SafeYAML works is by restricting the kinds of objects that can be d
 - Booleans
 - Nils
 
-Additionally, deserialization of symbols can be enabled by calling `YAML.enable_symbol_parsing!`.
+Additionally, deserialization of symbols can be enabled by calling `YAML.enable_symbol_parsing!` (for example, in an initializer).
 
 Known Issues
 ------------
 
 Also note that some Ruby libraries, particularly those requiring inter-process communication, leverage YAML's object deserialization functionality and therefore may break or otherwise be impacted by SafeYAML. The following list includes known instances of SafeYAML's interaction with other Ruby gems:
 
-- **Guard**: Uses YAML as a serialization format for notifications. The data serialized uses symbol keys, so calling `YAML.enable_symbol_parsing!` is necessary to allow Guard to work.
+- [**Guard**](https://github.com/guard/guard): Uses YAML as a serialization format for notifications. The data serialized uses symbolic keys, so calling `YAML.enable_symbol_parsing!` is necessary to allow Guard to work.
+- [**sidekiq**](https://github.com/mperham/sidekiq): Uses a YAML configiuration file with symbolic keys, so calling `YAML.enable_symbol_parsing!` should allow it to work.
 
 The above list will grow over time, as more issues are discovered.
 
@@ -119,3 +120,5 @@ Requirements
 ------------
 
 SafeYAML requires Ruby 1.8.7 or newer and works with both [Syck](http://www.ruby-doc.org/stdlib-1.8.7/libdoc/yaml/rdoc/YAML.html) and [Psych](http://github.com/tenderlove/psych).
+
+If you are using a version of Ruby where Psych is the default YAML engine (e.g., 1.9.3) but you want to use Syck, be sure to set `YAML::ENGINE.yamler = "syck"` **before** requiring the safe_yaml gem.

data/lib/safe_yaml.rb

@@ -10,6 +10,9 @@ require "safe_yaml/transform"
 require "safe_yaml/version"
 
 module SafeYAML
+  MULTI_ARGUMENT_YAML_LOAD = YAML.method(:load).arity != 1
+  YAML_ENGINE = defined?(YAML::ENGINE) ? YAML::ENGINE.yamler : "syck"
+
   OPTIONS = {
     :enable_symbol_parsing => false,
     :enable_arbitrary_object_deserialization => false,
@@ -18,14 +21,11 @@ module SafeYAML
 end
 
 module YAML
-  def self.load_with_options(yaml, options={})
+  def self.load_with_options(yaml, *filename_and_options)
+    options   = filename_and_options.last || {}
     safe_mode = safe_mode_from_options("load", options)
-
     arguments = [yaml]
-    if RUBY_VERSION >= "1.9.3"
-      arguments << options[:filename]
-    end
-
+    arguments << filename_and_options.first if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
     safe_mode ? safe_load(*arguments) : unsafe_load(*arguments)
   end
 
@@ -34,15 +34,16 @@ module YAML
     safe_mode ? safe_load_file(file) : unsafe_load_file(file)
   end
 
-  def self.load_with_filename_and_options(yaml, filename=nil, options={})
-    load_with_options(yaml, options.merge(:filename => filename))
-  end
-
-  if RUBY_VERSION >= "1.9.3"
+  if SafeYAML::YAML_ENGINE == "psych"
     require "safe_yaml/psych_handler"
     def self.safe_load(yaml, filename=nil)
       safe_handler = SafeYAML::PsychHandler.new
-      Psych::Parser.new(safe_handler).parse(yaml, filename)
+      parser = Psych::Parser.new(safe_handler)
+      if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
+        parser.parse(yaml, filename)
+      else
+        parser.parse(yaml)
+      end
       return safe_handler.result
     end
 
@@ -51,25 +52,13 @@ module YAML
     end
 
     def self.unsafe_load_file(filename)
-      # https://github.com/tenderlove/psych/blob/v1.3.2/lib/psych.rb#L296-298
-      File.open(filename, 'r:bom|utf-8') { |f| self.unsafe_load f, filename }
-    end
-
-  elsif RUBY_VERSION == "1.9.2"
-    require "safe_yaml/psych_handler"
-    def self.safe_load(yaml)
-      safe_handler = SafeYAML::PsychHandler.new
-      Psych::Parser.new(safe_handler).parse(yaml)
-      return safe_handler.result
-    end
-
-    def self.safe_load_file(filename)
-      File.open(filename, 'r:bom|utf-8') { |f| self.safe_load f }
-    end
-
-    def self.unsafe_load_file(filename)
-      # https://github.com/tenderlove/psych/blob/v1.2.0/lib/psych.rb#L228-230
-      File.open(filename, 'r:bom|utf-8') { |f| self.unsafe_load f }
+      if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
+        # https://github.com/tenderlove/psych/blob/v1.3.2/lib/psych.rb#L296-298
+        File.open(filename, 'r:bom|utf-8') { |f| self.unsafe_load f, filename }
+      else
+        # https://github.com/tenderlove/psych/blob/v1.2.2/lib/psych.rb#L231-233
+        self.unsafe_load File.open(filename)
+      end
     end
 
   else
@@ -92,13 +81,7 @@ module YAML
 
   class << self
     alias_method :unsafe_load, :load
-
-    if RUBY_VERSION >= "1.9.3"
-      alias_method :load, :load_with_filename_and_options
-    else
-      alias_method :load, :load_with_options
-    end
-
+    alias_method :load, :load_with_options
     alias_method :load_file, :load_file_with_options
 
     def enable_symbol_parsing?
@@ -124,18 +107,18 @@ module YAML
     def disable_arbitrary_object_deserialization!
       SafeYAML::OPTIONS[:enable_arbitrary_object_deserialization] = false
     end
-  end
 
-  private
-  def self.safe_mode_from_options(method, options={})
-    safe_mode = options[:safe]
+    private
+    def safe_mode_from_options(method, options={})
+      safe_mode = options[:safe]
 
-    if safe_mode.nil?
-      mode = SafeYAML::OPTIONS[:enable_arbitrary_object_deserialization] ? "unsafe" : "safe"
-      Kernel.warn "Called '#{method}' without the :safe option -- defaulting to #{mode} mode." unless SafeYAML::OPTIONS[:suppress_warnings]
-      safe_mode = !SafeYAML::OPTIONS[:enable_arbitrary_object_deserialization]
-    end
+      if safe_mode.nil?
+        mode = SafeYAML::OPTIONS[:enable_arbitrary_object_deserialization] ? "unsafe" : "safe"
+        Kernel.warn "Called '#{method}' without the :safe option -- defaulting to #{mode} mode." unless SafeYAML::OPTIONS[:suppress_warnings]
+        safe_mode = !SafeYAML::OPTIONS[:enable_arbitrary_object_deserialization]
+      end
 
-    safe_mode
+      safe_mode
+    end
   end
 end

data/lib/safe_yaml/psych_handler.rb

@@ -1,4 +1,5 @@
 require "psych"
+require "base64"
 
 module SafeYAML
   class PsychHandler < Psych::Handler
@@ -13,8 +14,8 @@ module SafeYAML
       @result
     end
 
-    def add_to_current_structure(value, anchor=nil, quoted=nil)
-      value = Transform.to_proper_type(value, quoted)
+    def add_to_current_structure(value, anchor=nil, quoted=nil, tag=nil)
+      value = Transform.to_proper_type(value, quoted, tag)
 
       @anchors[anchor] = value if anchor
 
@@ -62,7 +63,7 @@ module SafeYAML
     end
 
     def scalar(value, anchor, tag, plain, quoted, style)
-      add_to_current_structure(value, anchor, quoted)
+      add_to_current_structure(value, anchor, quoted, tag)
     end
 
     def start_mapping(anchor, tag, implicit, style)

data/lib/safe_yaml/syck_resolver.rb

@@ -41,7 +41,7 @@ module SafeYAML
     end
 
     def resolve_scalar(node)
-      Transform.to_proper_type(node.value, QUOTE_STYLES.include?(node.instance_variable_get(:@style)))
+      Transform.to_proper_type(node.value, QUOTE_STYLES.include?(node.instance_variable_get(:@style)), node.type_id)
     end
   end
 end

data/lib/safe_yaml/transform.rb

@@ -1,3 +1,5 @@
+require 'base64'
+
 module SafeYAML
   class Transform
     TRANSFORMERS = [
@@ -10,7 +12,7 @@ module SafeYAML
       Transform::ToTime.new
     ]
 
-    def self.to_proper_type(value, quoted=false)
+    def self.to_guessed_type(value, quoted=false)
       return value if quoted
 
       if value.is_a?(String)
@@ -22,5 +24,16 @@ module SafeYAML
 
       value
     end
+    
+    def self.to_proper_type(value, quoted=false,tag=nil)
+      case tag
+      when "tag:yaml.org,2002:binary"
+        return Base64.decode64(value)
+      when "x-private:binary"
+        return Base64.decode64(value)
+      else
+        return self.to_guessed_type(value, quoted)
+      end
+    end
   end
 end

data/lib/safe_yaml/version.rb

@@ -1,3 +1,3 @@
 module SafeYAML
-  VERSION = "0.6.3"
+  VERSION = "0.7.0"
 end

data/run_specs_all_ruby_versions.sh

@@ -6,10 +6,16 @@ rvm use 1.8.7@safe_yaml
 rake spec
 
 rvm use 1.9.2@safe_yaml
-rake spec
+YAMLER=syck rake spec
 
 rvm use 1.9.3@safe_yaml
-rake spec
+YAMLER=syck rake spec
+
+rvm use 1.9.2@safe_yaml
+YAMLER=psych rake spec
+
+rvm use 1.9.3@safe_yaml
+YAMLER=psych rake spec
 
 rvm use 2.0.0@safe_yaml
-rake spec
+YAMLER=psych rake spec

data/spec/psych_handler_spec.rb

@@ -1,6 +1,6 @@
 require File.join(File.dirname(__FILE__), "spec_helper")
 
-if RUBY_VERSION >= "1.9.2"
+if SafeYAML::YAML_ENGINE == "psych"
   require "safe_yaml/psych_handler"
 
   describe SafeYAML::PsychHandler do

data/spec/safe_yaml_spec.rb

@@ -16,7 +16,7 @@ describe YAML do
   end
 
   describe "unsafe_load" do
-    if RUBY_VERSION >= "1.9.3"
+    if SafeYAML::YAML_ENGINE == "psych" && RUBY_VERSION >= "1.9.3"
       it "allows exploits through objects defined in YAML w/ !ruby/hash via custom :[]= methods" do
         backdoor = YAML.unsafe_load("--- !ruby/hash:ExploitableBackDoor\nfoo: bar\n")
         backdoor.should be_exploited_through_setter
@@ -45,6 +45,33 @@ describe YAML do
       object.should_not be_a(ExploitableBackDoor)
     end
 
+    context "for YAML engine #{SafeYAML::YAML_ENGINE}" do
+      if SafeYAML::YAML_ENGINE == "psych"
+        let(:arguments) {
+          if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
+            ["foo: bar", nil]
+          else
+            ["foo: bar"]
+          end
+        }
+        it "uses Psych internally to parse YAML" do
+          stub_parser = stub(Psych::Parser)
+          Psych::Parser.stub(:new).and_return(stub_parser)
+          stub_parser.should_receive(:parse).with(*arguments)
+          # This won't work now; we just want to ensure Psych::Parser#parse was in fact called.
+          YAML.safe_load(*arguments)
+        end
+      end
+
+      if SafeYAML::YAML_ENGINE == "syck"
+        it "uses Syck internally to parse YAML" do
+          YAML.should_receive(:parse).with("foo: bar")
+          # This won't work now; we just want to ensure YAML::parse was in fact called.
+          YAML.safe_load("foo: bar") rescue nil
+        end
+      end
+    end
+
     it "loads a plain ol' YAML document just fine" do
       result = YAML.safe_load <<-YAML.unindent
         foo:
@@ -76,6 +103,30 @@ describe YAML do
       result.should == [{}, {}, {}]
     end
 
+    it "works for YAML documents with binary tagged keys" do
+      result = YAML.safe_load <<-YAML
+        ? !!binary >
+          Zm9v
+        : "bar"
+        ? !!binary >
+          YmFy
+        : "baz"
+      YAML
+
+      result.should == {"foo" => "bar", "bar" => "baz"}
+    end
+
+    it "works for YAML documents with binary tagged values" do
+      result = YAML.safe_load <<-YAML
+        "foo": !!binary >
+          YmFy
+        "bar": !!binary >
+          YmF6
+      YAML
+
+      result.should == {"foo" => "bar", "bar" => "baz"}
+    end
+
     it "works for YAML documents with sections" do
       result = YAML.safe_load <<-YAML
         mysql: &mysql
@@ -134,12 +185,14 @@ describe YAML do
   end
 
   describe "unsafe_load_file" do
-    if RUBY_VERSION >= "1.9.3"
+    if SafeYAML::YAML_ENGINE == "psych" && RUBY_VERSION >= "1.9.3"
       it "allows exploits through objects defined in YAML w/ !ruby/hash via custom :[]= methods" do
         backdoor = YAML.unsafe_load_file "spec/exploit.1.9.3.yaml"
         backdoor.should be_exploited_through_setter
       end
+    end
 
+    if SafeYAML::YAML_ENGINE == "psych" && RUBY_VERSION >= "1.9.2"
       it "allows exploits through objects defined in YAML w/ !ruby/object via the :init_with method" do
         backdoor = YAML.unsafe_load_file "spec/exploit.1.9.2.yaml"
         backdoor.should be_exploited_through_init_with
@@ -166,7 +219,7 @@ describe YAML do
 
   describe "load" do
     let (:arguments) {
-      if RUBY_VERSION >= "1.9.3"
+      if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
         ["foo: bar", nil]
       else
         ["foo: bar"]

data/spec/shared_specs.rb

@@ -161,6 +161,7 @@ module SharedSpecs
         end
       end
 
+      # This does in fact appear to be a Ruby version thing as opposed to a YAML engine thing.
       context "for Ruby version #{RUBY_VERSION}" do
         if RUBY_VERSION >= "1.9.2"
           it "translates valid time values" do

data/spec/spec_helper.rb

@@ -4,6 +4,12 @@ ROOT = File.join(HERE, "..")
 $LOAD_PATH << File.join(ROOT, "lib")
 $LOAD_PATH << File.join(HERE, "support")
 
+if ENV["YAMLER"]
+  require "yaml"
+  YAML::ENGINE.yamler = ENV["YAMLER"]
+  puts "Running specs in Ruby #{RUBY_VERSION} with '#{YAML::ENGINE.yamler}' YAML engine."
+end
+
 require "safe_yaml"
 require "heredoc_unindent"
 

data/spec/syck_resolver_spec.rb

@@ -1,6 +1,6 @@
 require File.join(File.dirname(__FILE__), "spec_helper")
 
-if RUBY_VERSION < "1.9.2"
+if SafeYAML::YAML_ENGINE == "syck"
   require "safe_yaml/syck_resolver"
 
   describe SafeYAML::SyckResolver do

data/spec/transform/to_time_spec.rb

@@ -1,7 +1,7 @@
 require File.join(File.dirname(__FILE__), "..", "spec_helper")
 
 describe SafeYAML::Transform::ToTime do
-  # YAML don't parse times prior to 1.9.
+  # It seems both Psych and Syck parse times starting w/ Ruby 1.9.2.
   if RUBY_VERSION >= "1.9.2"
     it "returns true when the value matches a valid Time" do
       subject.transform?("2013-01-01 10:00:00")[0].should == true

metadata

@@ -1,23 +1,32 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification 
 name: safe_yaml
-version: !ruby/object:Gem::Version
-  version: 0.6.3
+version: !ruby/object:Gem::Version 
+  hash: 3
   prerelease: 
+  segments: 
+  - 0
+  - 7
+  - 0
+  version: 0.7.0
 platform: ruby
-authors:
+authors: 
 - Dan Tao
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-02-06 00:00:00.000000000 Z
+
+date: 2013-02-08 00:00:00 Z
 dependencies: []
-description: Parse YAML safely, without that pesky arbitrary object deserialization
-  vulnerability
+
+description: Parse YAML safely, without that pesky arbitrary object deserialization vulnerability
 email: daniel.tao@gmail.com
 executables: []
+
 extensions: []
+
 extra_rdoc_files: []
-files:
+
+files: 
 - .gitignore
 - .travis.yml
 - Gemfile
@@ -52,32 +61,41 @@ files:
 - spec/transform/to_symbol_spec.rb
 - spec/transform/to_time_spec.rb
 homepage: http://dtao.github.com/safe_yaml/
-licenses:
+licenses: 
 - MIT
 post_install_message: 
 rdoc_options: []
-require_paths:
+
+require_paths: 
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 57
+      segments: 
+      - 1
+      - 8
+      - 7
       version: 1.8.7
-required_rubygems_version: !ruby/object:Gem::Requirement
+required_rubygems_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
 requirements: []
+
 rubyforge_project: 
-rubygems_version: 1.8.24
+rubygems_version: 1.8.25
 signing_key: 
 specification_version: 3
-summary: SameYAML provides an alternative implementation of YAML.load suitable for
-  accepting user input in Ruby applications.
-test_files:
+summary: SameYAML provides an alternative implementation of YAML.load suitable for accepting user input in Ruby applications.
+test_files: 
 - spec/exploit.1.9.2.yaml
 - spec/exploit.1.9.3.yaml
 - spec/psych_handler_spec.rb