safe_yaml 0.7.1 → 0.8.0

data/Gemfile

@@ -1,8 +1,9 @@
-source :rubygems
+source "https://rubygems.org"
 
 gemspec
 
 group :development do
+  gem "hashie"
   gem "heredoc_unindent"
   gem "rake"
   gem "rspec"

data/README.md

@@ -3,7 +3,7 @@ SafeYAML
 
 [![Build Status](https://travis-ci.org/dtao/safe_yaml.png)](http://travis-ci.org/dtao/safe_yaml)
 
-The **SafeYAML** gem provides an alternative implementation of `YAML.load` suitable for accepting user input in Ruby applications. Unlike Ruby's built-in implementation of `YAML.load`, SafeYAML's version will not expose apps to arbitrary code execution exploits (such as [the one recently discovered in Rails](http://www.reddit.com/r/netsec/comments/167c11/serious_vulnerability_in_ruby_on_rails_allowing/) (or [this one](http://www.h-online.com/open/news/item/Rails-developers-close-another-extremely-critical-flaw-1793511.html))).
+The **SafeYAML** gem provides an alternative implementation of `YAML.load` suitable for accepting user input in Ruby applications. Unlike Ruby's built-in implementation of `YAML.load`, SafeYAML's version will not expose apps to arbitrary code execution exploits (such as [the ones recently](http://www.reddit.com/r/netsec/comments/167c11/serious_vulnerability_in_ruby_on_rails_allowing/) [discovered in Rails](http://www.h-online.com/open/news/item/Rails-developers-close-another-extremely-critical-flaw-1793511.html)).
 
 Installation
 ------------
@@ -47,11 +47,12 @@ Now, if you were to use `YAML.load` on user input anywhere in your application w
 
 Observe:
 
-    > yaml = <<-EOYAML
-    > --- !ruby/hash:ExploitableClassBuilder
-    > "foo; end; puts %(I'm in yr system!); def bar": "baz"
-    > EOYAML
-    => "--- !ruby/hash:ExploitableClassBuilder\n\"foo; end; puts %(I'm in yr system!); def bar\": \"baz\"\n"
+```ruby
+yaml = <<-EOYAML
+--- !ruby/hash:ExploitableClassBuilder
+"foo; end; puts %(I'm in yr system!); def bar": "baz"
+EOYAML
+```
 
     > YAML.load(yaml)
     I'm in yr system!
@@ -61,7 +62,7 @@ With SafeYAML, that attacker would be thwarted:
 
     > require "safe_yaml"
     => true
-    > YAML.load(yaml)
+    > YAML.safe_load(yaml)
     => {"foo; end; puts %(I'm in yr system!); def bar"=>"baz"}
 
 Usage
@@ -73,20 +74,22 @@ Usage
 
 By default, when you require the safe_yaml gem in your project, `YAML.load` is patched to internally call `safe_load`. The patched method also accepts a `:safe` flag to specify which version to use:
 
-    # Ruby >= 1.9.3
-    YAML.load(yaml, filename, :safe => true) # calls safe_load
-    YAML.load(yaml, filename, :safe => false) # calls unsafe_load
+```ruby
+# Ruby >= 1.9.3
+YAML.load(yaml, filename, :safe => true) # calls safe_load
+YAML.load(yaml, filename, :safe => false) # calls unsafe_load
 
-    # Ruby < 1.9.3
-    YAML.load(yaml, :safe => true) # calls safe_load
-    YAML.load(yaml, :safe => false) # calls unsafe_load
+# Ruby < 1.9.3
+YAML.load(yaml, :safe => true) # calls safe_load
+YAML.load(yaml, :safe => false) # calls unsafe_load
+```
 
-The default behavior can be switched to unsafe loading by calling `YAML.enable_arbitrary_object_deserialization!`. In this case, the `:safe` flag still has the same effect, but the defaults are reversed (so calling `YAML.load` will have the same behavior as if the safe_yaml gem weren't required).
+The default behavior can be switched to unsafe loading by calling `SafeYAML::OPTIONS[:default_mode] = :unsafe`. In this case, the `:safe` flag still has the same effect, but the defaults are reversed (so calling `YAML.load` will have the same behavior as if the safe_yaml gem weren't required).
 
-This gem will also warn you whenever you use `YAML.load` without specifying the `:safe` option. If you do not want to see these messages in your logs, you can say `SafeYAML::OPTIONS[:suppress_warnings] = true` in an initializer.
+This gem will also warn you whenever you use `YAML.load` without specifying the `:safe` option, or if you have not explicitly specified a default mode using the `:default_mode` option.
 
-Notes
------
+Supported Types
+---------------
 
 The way that SafeYAML works is by restricting the kinds of objects that can be deserialized via `YAML.load`. More specifically, only the following types of objects can be deserialized by default:
 
@@ -99,15 +102,46 @@ The way that SafeYAML works is by restricting the kinds of objects that can be d
 - Booleans
 - Nils
 
-Additionally, deserialization of symbols can be enabled by calling `YAML.enable_symbol_parsing!` (for example, in an initializer).
+Deserialization of symbols can also be enabled by setting `SafeYAML::OPTIONS[:deserialize_symbols] = true` (for example, in an initializer). Be aware, however, that symbols in Ruby are not garbage-collected; therefore enabling symbol deserialization in your application may leave you vulnerable to [DOS attacks](http://en.wikipedia.org/wiki/Denial-of-service_attack).
+
+Whitelisting Trusted Types
+--------------------------
+
+SafeYAML now also supports **whitelisting** certain YAML tags for trusted types. This is handy when your application may use YAML to serialize and deserialize certain types not listed above, which you know to be free of any deserialization-related vulnerabilities. You can whitelist tags via the `:whitelisted_tags` option:
+
+```ruby
+# Using Syck (unfortunately, Syck and Psych use different tagging schemes)
+SafeYAML::OPTIONS[:whitelisted_tags] = ["tag:ruby.yaml.org,2002:object:OpenStruct"]
+
+# Using Psych
+SafeYAML::OPTIONS[:whitelisted_tags] = ["!ruby/object:OpenStruct"]
+```
+
+When SafeYAML encounters whitelisted tags in a YAML document, it will default to the deserialization capabilities of the underlying YAML engine (i.e., either Syck or Psych).
+
+**However**, this feature will *not* allow would-be attackers to embed untrusted types within trusted types:
+
+```ruby
+yaml = <<-EOYAML
+--- !ruby/object:OpenStruct 
+table: 
+  :backdoor: !ruby/hash:ExploitableClassBuilder 
+    "foo; end; puts %(I'm in yr system!); def bar": "baz"
+EOYAML
+```
+
+    > YAML.safe_load(yaml)
+    => #<OpenStruct :backdoor={"foo; end; puts %(I'm in yr system!); def bar"=>"baz"}>
+
+Pretty sweet, right?
 
 Known Issues
 ------------
 
-Also note that some Ruby libraries, particularly those requiring inter-process communication, leverage YAML's object deserialization functionality and therefore may break or otherwise be impacted by SafeYAML. The following list includes known instances of SafeYAML's interaction with other Ruby gems:
+Be aware that some Ruby libraries, particularly those requiring inter-process communication, leverage YAML's object deserialization functionality and therefore may break or otherwise be impacted by SafeYAML. The following list includes known instances of SafeYAML's interaction with other Ruby gems:
 
-- [**Guard**](https://github.com/guard/guard): Uses YAML as a serialization format for notifications. The data serialized uses symbolic keys, so calling `YAML.enable_symbol_parsing!` is necessary to allow Guard to work.
-- [**sidekiq**](https://github.com/mperham/sidekiq): Uses a YAML configiuration file with symbolic keys, so calling `YAML.enable_symbol_parsing!` should allow it to work.
+- [**Guard**](https://github.com/guard/guard): Uses YAML as a serialization format for notifications. The data serialized uses symbolic keys, so setting `SafeYAML::OPTIONS[:deserialize_symbols] = true` is necessary to allow Guard to work.
+- [**sidekiq**](https://github.com/mperham/sidekiq): Uses a YAML configiuration file with symbolic keys, so setting `SafeYAML::OPTIONS[:deserialize_symbols] = true` should allow it to work.
 
 The above list will grow over time, as more issues are discovered.
 

data/lib/safe_yaml.rb

@@ -7,17 +7,25 @@ require "safe_yaml/transform/to_nil"
 require "safe_yaml/transform/to_symbol"
 require "safe_yaml/transform/to_time"
 require "safe_yaml/transform"
-require "safe_yaml/version"
+require "safe_yaml/resolver"
 
 module SafeYAML
   MULTI_ARGUMENT_YAML_LOAD = YAML.method(:load).arity != 1
   YAML_ENGINE = defined?(YAML::ENGINE) ? YAML::ENGINE.yamler : "syck"
 
-  OPTIONS = {
-    :enable_symbol_parsing => false,
-    :enable_arbitrary_object_deserialization => false,
-    :suppress_warnings => false
-  }
+  DEFAULT_OPTIONS = {
+    :custom_initializers => {},
+    :default_mode        => nil,
+    :deserialize_symbols => false,
+    :whitelisted_tags    => []
+  }.freeze
+
+  OPTIONS = DEFAULT_OPTIONS.dup
+
+  module_function
+  def reset_defaults!
+    OPTIONS.merge!(DEFAULT_OPTIONS)
+  end
 end
 
 module YAML
@@ -26,25 +34,25 @@ module YAML
     safe_mode = safe_mode_from_options("load", options)
     arguments = [yaml]
     arguments << filename_and_options.first if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
-    safe_mode ? safe_load(*arguments) : unsafe_load(*arguments)
+    safe_mode == :safe ? safe_load(*arguments) : unsafe_load(*arguments)
   end
 
   def self.load_file_with_options(file, options={})
     safe_mode = safe_mode_from_options("load_file", options)
-    safe_mode ? safe_load_file(file) : unsafe_load_file(file)
+    safe_mode == :safe ? safe_load_file(file) : unsafe_load_file(file)
   end
 
   if SafeYAML::YAML_ENGINE == "psych"
-    require "safe_yaml/psych_handler"
+    require "safe_yaml/psych_visitor"
+    require "safe_yaml/psych_resolver"
     def self.safe_load(yaml, filename=nil)
-      safe_handler = SafeYAML::PsychHandler.new
-      parser = Psych::Parser.new(safe_handler)
-      if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
-        parser.parse(yaml, filename)
+      safe_resolver = SafeYAML::PsychResolver.new
+      tree = if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
+        Psych.parse(yaml, filename)
       else
-        parser.parse(yaml)
+        Psych.parse(yaml)
       end
-      return safe_handler.result
+      return safe_resolver.resolve_node(tree)
     end
 
     def self.safe_load_file(filename)
@@ -63,10 +71,12 @@ module YAML
 
   else
     require "safe_yaml/syck_resolver"
+    require "safe_yaml/syck_node_monkeypatch"
+
     def self.safe_load(yaml)
-      safe_resolver = SafeYAML::SyckResolver.new
+      resolver = SafeYAML::SyckResolver.new
       tree = YAML.parse(yaml)
-      return safe_resolver.resolve_node(tree)
+      return resolver.resolve_node(tree)
     end
 
     def self.safe_load_file(filename)
@@ -85,40 +95,49 @@ module YAML
     alias_method :load_file, :load_file_with_options
 
     def enable_symbol_parsing?
-      SafeYAML::OPTIONS[:enable_symbol_parsing]
+      warn_of_deprecated_method("set the SafeYAML::OPTIONS[:deserialize_symbols] option instead")
+      SafeYAML::OPTIONS[:deserialize_symbols]
     end
 
     def enable_symbol_parsing!
-      SafeYAML::OPTIONS[:enable_symbol_parsing] = true
+      warn_of_deprecated_method("set the SafeYAML::OPTIONS[:deserialize_symbols] option instead")
+      SafeYAML::OPTIONS[:deserialize_symbols] = true
     end
 
     def disable_symbol_parsing!
-      SafeYAML::OPTIONS[:enable_symbol_parsing] = false
+      warn_of_deprecated_method("set the SafeYAML::OPTIONS[:deserialize_symbols] option instead")
+      SafeYAML::OPTIONS[:deserialize_symbols] = false
     end
 
     def enable_arbitrary_object_deserialization?
-      SafeYAML::OPTIONS[:enable_arbitrary_object_deserialization]
+      warn_of_deprecated_method("set the SafeYAML::OPTIONS[:default_mode] to either :safe or :unsafe")
+      SafeYAML::OPTIONS[:default_mode] == :unsafe
     end
 
     def enable_arbitrary_object_deserialization!
-      SafeYAML::OPTIONS[:enable_arbitrary_object_deserialization] = true
+      warn_of_deprecated_method("set the SafeYAML::OPTIONS[:default_mode] to either :safe or :unsafe")
+      SafeYAML::OPTIONS[:default_mode] = :unsafe
     end
 
     def disable_arbitrary_object_deserialization!
-      SafeYAML::OPTIONS[:enable_arbitrary_object_deserialization] = false
+      warn_of_deprecated_method("set the SafeYAML::OPTIONS[:default_mode] to either :safe or :unsafe")
+      SafeYAML::OPTIONS[:default_mode] = :safe
     end
 
     private
     def safe_mode_from_options(method, options={})
-      safe_mode = options[:safe]
-
-      if safe_mode.nil?
-        mode = SafeYAML::OPTIONS[:enable_arbitrary_object_deserialization] ? "unsafe" : "safe"
-        Kernel.warn "Called '#{method}' without the :safe option -- defaulting to #{mode} mode." unless SafeYAML::OPTIONS[:suppress_warnings]
-        safe_mode = !SafeYAML::OPTIONS[:enable_arbitrary_object_deserialization]
+      if options[:safe].nil?
+        safe_mode = SafeYAML::OPTIONS[:default_mode] || :safe
+        Kernel.warn "Called '#{method}' without the :safe option -- defaulting to #{safe_mode} mode." if SafeYAML::OPTIONS[:default_mode].nil?
+        return safe_mode
       end
 
-      safe_mode
+      options[:safe] ? :safe : :unsafe
+    end
+
+    def warn_of_deprecated_method(message)
+      method = caller.first[/`([^']*)'$/, 1]
+      Kernel.warn("The method 'YAML.#{method}' is deprecated and will be removed in the next release of SafeYAML -- #{message}.")
     end
   end
 end

data/lib/safe_yaml/psych_resolver.rb

@@ -0,0 +1,52 @@
+module SafeYAML
+  class PsychResolver < Resolver
+    NODE_TYPES = {
+      Psych::Nodes::Document => :root,
+      Psych::Nodes::Mapping  => :map,
+      Psych::Nodes::Sequence => :seq,
+      Psych::Nodes::Scalar   => :scalar,
+      Psych::Nodes::Alias    => :alias
+    }.freeze
+
+    def initialize
+      super()
+      @aliased_nodes = {}
+    end
+
+    def resolve_root(root)
+      resolve_seq(root).first
+    end
+
+    def resolve_alias(node)
+      resolve_node(@aliased_nodes[node.anchor])
+    end
+
+    def native_resolve(node)
+      @visitor ||= SafeYAML::PsychVisitor.new(self)
+      @visitor.accept(node)
+    end
+
+    def get_node_type(node)
+      NODE_TYPES[node.class]
+    end
+
+    def get_node_tag(node)
+      node.tag
+    end
+
+    def get_node_value(node)
+      @aliased_nodes[node.anchor] = node if node.respond_to?(:anchor) && node.anchor
+
+      case get_node_type(node)
+      when :root, :map, :seq
+        node.children
+      when :scalar
+        node.value
+      end
+    end
+
+    def value_is_quoted?(node)
+      node.quoted
+    end
+  end
+end

data/lib/safe_yaml/psych_visitor.rb

@@ -0,0 +1,13 @@
+module SafeYAML
+  class PsychVisitor < Psych::Visitors::ToRuby
+    def initialize(resolver)
+      super()
+      @resolver = resolver
+    end
+
+    def accept(node)
+      return super if @resolver.tag_is_whitelisted?(@resolver.get_node_tag(node))
+      @resolver.resolve_node(node)
+    end
+  end
+end

data/lib/safe_yaml/resolver.rb

@@ -0,0 +1,82 @@
+module SafeYAML
+  class Resolver
+    def initialize
+      @whitelist    = SafeYAML::OPTIONS[:whitelisted_tags] || []
+      @initializers = SafeYAML::OPTIONS[:custom_initializers] || {}
+    end
+
+    def resolve_node(node)
+      case self.get_node_type(node)
+      when :root
+        resolve_root(node)
+      when :map
+        resolve_map(node)
+      when :seq
+        resolve_seq(node)
+      when :scalar
+        resolve_scalar(node)
+      when :alias
+        resolve_alias(node)
+      else
+        raise "Don't know how to resolve this node: #{node.inspect}"
+      end
+    end
+
+    def resolve_map(node)
+      tag = self.get_node_tag(node)
+      return self.native_resolve(node) if tag_is_whitelisted?(tag)
+
+      hash = @initializers.include?(tag) ? @initializers[tag].call : {}
+
+      map = normalize_map(self.get_node_value(node))
+
+      # Take the "<<" key nodes first, as these are meant to approximate a form of inheritance.
+      inheritors = map.select { |key_node, value_node| resolve_node(key_node) == "<<" }
+      inheritors.each do |key_node, value_node|
+        merge_into_hash(hash, resolve_node(value_node))
+      end
+
+      # All that's left should be normal (non-"<<") nodes.
+      (map - inheritors).each do |key_node, value_node|
+        hash[resolve_node(key_node)] = resolve_node(value_node)
+      end
+
+      return hash
+    end
+
+    def resolve_seq(node)
+      seq = self.get_node_value(node)
+
+      tag = get_node_tag(node)
+      arr = @initializers.include?(tag) ? @initializers[tag].call : []
+
+      seq.inject(arr) { |array, node| array << resolve_node(node) }
+    end
+
+    def resolve_scalar(node)
+      Transform.to_proper_type(self.get_node_value(node), self.value_is_quoted?(node), self.get_node_tag(node))
+    end
+
+    def tag_is_whitelisted?(tag)
+      @whitelist.include?(tag)
+    end
+
+    private
+    def normalize_map(map)
+      # Syck creates Hashes from maps.
+      if map.is_a?(Hash)
+        map.inject([]) { |arr, key_and_value| arr << key_and_value }
+
+      # Psych is really weird; it flattens out a Hash completely into: [key, value, key, value, ...]
+      else
+        map.each_slice(2).to_a
+      end
+    end
+
+    def merge_into_hash(hash, array)
+      array.each do |key, value|
+        hash[key] = value
+      end
+    end
+  end
+end

data/lib/safe_yaml/syck_node_monkeypatch.rb

@@ -0,0 +1,17 @@
+monkeypatch = <<-EORUBY
+  class Node
+    def safe_transform
+      return unsafe_transform if SafeYAML::OPTIONS[:whitelisted_tags].include?(self.type_id)
+      SafeYAML::SyckResolver.new.resolve_node(self)
+    end
+
+    alias_method :unsafe_transform, :transform
+    alias_method :transform, :safe_transform
+  end
+EORUBY
+
+if defined?(YAML::Syck::Node)
+  YAML::Syck.module_eval monkeypatch
+else
+  Syck.module_eval monkeypatch
+end

data/lib/safe_yaml/syck_resolver.rb

@@ -1,49 +1,35 @@
 module SafeYAML
-  class SyckResolver
-    QUOTE_STYLES = [:quote1, :quote2]
+  class SyckResolver < Resolver
+    QUOTE_STYLES = [:quote1, :quote2].freeze
 
-    def resolve_node(node)
-      case node.value
-      when Hash
-        return resolve_map(node)
-      when Array
-        return resolve_seq(node)
-      when String
-        return resolve_scalar(node)
-      else
-        raise "Don't know how to resolve this node: #{node.inspect}"
-      end
-    end
-
-    def resolve_map(node)
-      map = node.value
+    NODE_TYPES = {
+      Hash   => :map,
+      Array  => :seq,
+      String => :scalar
+    }.freeze
 
-      hash = {}
+    def initialize
+      super()
+    end
 
-      # Take the "<<" key nodes first, as these are meant to approximate a form of inheritance.
-      inheritors = map.keys.select { |node| resolve_node(node) == "<<" }
-      inheritors.each do |key_node|
-        value_node = map[key_node]
-        hash.merge!(resolve_node(value_node))
-      end
+    def native_resolve(node)
+      node.transform
+    end
 
-      # All that's left should be normal (non-"<<") nodes.
-      normal_keys = map.keys.reject { |node| resolve_node(node) == "<<" }
-      normal_keys.each do |key_node|
-        value_node = map[key_node]
-        hash[resolve_node(key_node)] = resolve_node(value_node)
-      end
+    def get_node_type(node)
+      NODE_TYPES[node.value.class]
+    end
 
-      return hash
+    def get_node_tag(node)
+      node.type_id
     end
 
-    def resolve_seq(node)
-      seq = node.value
-      seq.map { |node| resolve_node(node) }
+    def get_node_value(node)
+      node.value
     end
 
-    def resolve_scalar(node)
-      Transform.to_proper_type(node.value, QUOTE_STYLES.include?(node.instance_variable_get(:@style)), node.type_id)
+    def value_is_quoted?(node)
+      QUOTE_STYLES.include?(node.instance_variable_get(:@style))
     end
   end
 end

data/lib/safe_yaml/transform.rb

@@ -24,15 +24,13 @@ module SafeYAML
 
       value
     end
-    
-    def self.to_proper_type(value, quoted=false,tag=nil)
+
+    def self.to_proper_type(value, quoted=false, tag=nil)
       case tag
-      when "tag:yaml.org,2002:binary"
-        return Base64.decode64(value)
-      when "x-private:binary"
-        return Base64.decode64(value)
+      when "tag:yaml.org,2002:binary", "x-private:binary", "!binary"
+        Base64.decode64(value)
       else
-        return self.to_guessed_type(value, quoted)
+        self.to_guessed_type(value, quoted)
       end
     end
   end

data/lib/safe_yaml/transform/to_symbol.rb

@@ -4,7 +4,7 @@ module SafeYAML
       MATCHER = /\A:\w+\Z/.freeze
 
       def transform?(value)
-        return false unless SafeYAML::OPTIONS[:enable_symbol_parsing] && MATCHER.match(value)
+        return false unless SafeYAML::OPTIONS[:deserialize_symbols] && MATCHER.match(value)
         return true, value[1..-1].to_sym
       end
     end

data/lib/safe_yaml/version.rb

@@ -1,3 +1,3 @@
 module SafeYAML
-  VERSION = "0.7.1"
+  VERSION = "0.8.0"
 end

data/spec/psych_resolver_spec.rb

@@ -0,0 +1,10 @@
+require File.join(File.dirname(__FILE__), "spec_helper")
+
+if SafeYAML::YAML_ENGINE == "psych"
+  require "safe_yaml/psych_resolver"
+
+  describe SafeYAML::PsychResolver do
+    include ResolverSpecs
+    let(:resolver) { SafeYAML::PsychResolver.new }
+  end
+end

data/spec/{shared_specs.rb → resolver_specs.rb}

@@ -1,6 +1,14 @@
-module SharedSpecs
+module ResolverSpecs
   def self.included(base)
-    base.instance_eval do
+    base.module_eval do
+      let(:resolver) { nil }
+      let(:result) { @result }
+
+      def parse(yaml)
+        tree = YAML.parse(yaml.unindent)
+        @result = resolver.resolve_node(tree)
+      end
+
       context "by default" do
         it "translates maps to hashes" do
           parse <<-YAML
@@ -190,13 +198,13 @@ module SharedSpecs
         end
       end
 
-      context "with symbol parsing enabled" do
+      context "with symbol deserialization enabled" do
         before :each do
-          YAML.enable_symbol_parsing!
+          SafeYAML::OPTIONS[:deserialize_symbols] = true
         end
 
         after :each do
-          YAML.disable_symbol_parsing!
+          SafeYAML.reset_defaults!
         end
 
         it "translates values starting with ':' to symbols" do

data/spec/safe_yaml_spec.rb

@@ -12,7 +12,7 @@ describe YAML do
   end
 
   before :each do
-    YAML.disable_symbol_parsing!
+    SafeYAML::OPTIONS[:deserialize_symbols] = false
   end
 
   describe "unsafe_load" do
@@ -32,6 +32,32 @@ describe YAML do
       backdoor = YAML.unsafe_load("--- !ruby/object:ExploitableBackDoor\nfoo: bar\n")
       backdoor.should be_exploited_through_ivars
     end
+
+    context "with special whitelisted tags defined" do
+      before :each do
+        if SafeYAML::YAML_ENGINE == "psych"
+          SafeYAML::OPTIONS[:whitelisted_tags] = ["!ruby/object:OpenStruct"]
+        else
+          SafeYAML::OPTIONS[:whitelisted_tags] = ["tag:ruby.yaml.org,2002:object:OpenStruct"]
+        end
+      end
+
+      after :each do
+        SafeYAML.reset_defaults!
+      end
+
+      it "effectively ignores the whitelist (since everything is whitelisted)" do
+        result = YAML.unsafe_load <<-YAML.unindent
+          --- !ruby/object:OpenStruct 
+          table: 
+            :backdoor: !ruby/object:ExploitableBackDoor 
+              foo: bar
+        YAML
+
+        result.should be_a(OpenStruct)
+        result.backdoor.should be_exploited_through_ivars
+      end
+    end
   end
 
   describe "safe_load" do
@@ -54,12 +80,11 @@ describe YAML do
             ["foo: bar"]
           end
         }
+
         it "uses Psych internally to parse YAML" do
-          stub_parser = stub(Psych::Parser)
-          Psych::Parser.stub(:new).and_return(stub_parser)
-          stub_parser.should_receive(:parse).with(*arguments)
+          Psych.should_receive(:parse).with(*arguments)
           # This won't work now; we just want to ensure Psych::Parser#parse was in fact called.
-          YAML.safe_load(*arguments)
+          YAML.safe_load(*arguments) rescue nil
         end
       end
 
@@ -127,6 +152,17 @@ describe YAML do
       result.should == {"foo" => "bar", "bar" => "baz"}
     end
 
+    it "works for YAML documents with binary tagged array values" do
+      result = YAML.safe_load <<-YAML
+        - !binary |-
+          Zm9v
+        - !binary |-
+          YmFy
+      YAML
+
+      result.should == ["foo", "bar"]
+    end
+
     it "works for YAML documents with sections" do
       result = YAML.safe_load <<-YAML
         mysql: &mysql
@@ -203,6 +239,87 @@ describe YAML do
         "grandcustom" => { "foo" => "foo", "bar" => "custom_bar", "baz" => "custom_baz" }
       }
     end
+
+    context "with custom initializers defined" do
+      before :each do
+        if SafeYAML::YAML_ENGINE == "psych"
+          SafeYAML::OPTIONS[:custom_initializers] = {
+            "!set" => lambda { Set.new },
+            "!hashiemash" => lambda { Hashie::Mash.new }
+          }
+        else
+          SafeYAML::OPTIONS[:custom_initializers] = {
+            "tag:yaml.org,2002:set" => lambda { Set.new },
+            "tag:yaml.org,2002:hashiemash" => lambda { Hashie::Mash.new }
+          }
+        end
+      end
+
+      after :each do
+        SafeYAML.reset_defaults!
+      end
+
+      it "will use a custom initializer to instantiate an array-like class upon deserialization" do
+        result = YAML.safe_load <<-YAML.unindent
+          --- !set
+          - 1
+          - 2
+          - 3
+        YAML
+
+        result.should be_a(Set)
+        result.to_a.should =~ [1, 2, 3]
+      end
+
+      it "will use a custom initializer to instantiate a hash-like class upon deserialization" do
+        result = YAML.safe_load <<-YAML.unindent
+          --- !hashiemash
+          foo: bar
+        YAML
+
+        result.should be_a(Hashie::Mash)
+        result.to_hash.should == { "foo" => "bar" }
+      end
+    end
+
+    context "with special whitelisted tags defined" do
+      before :each do
+        if SafeYAML::YAML_ENGINE == "psych"
+          SafeYAML::OPTIONS[:whitelisted_tags] = ["!ruby/object:OpenStruct"]
+        else
+          SafeYAML::OPTIONS[:whitelisted_tags] = ["tag:ruby.yaml.org,2002:object:OpenStruct"]
+        end
+      end
+
+      after :each do
+        SafeYAML.reset_defaults!
+      end
+
+      it "will allow objects to be deserialized for whitelisted tags" do
+        result = YAML.safe_load("--- !ruby/object:OpenStruct\ntable:\n  foo: bar\n")
+        result.should be_a(OpenStruct)
+        result.instance_variable_get(:@table).should == { "foo" => "bar" }
+      end
+
+      it "will not deserialize objects without whitelisted tags" do
+        result = YAML.safe_load("--- !ruby/hash:ExploitableBackDoor\nfoo: bar\n")
+        result.should_not be_a(ExploitableBackDoor)
+        result.should == { "foo" => "bar" }
+      end
+
+      it "will not allow non-whitelisted objects to be embedded within objects with whitelisted tags" do
+        result = YAML.safe_load <<-YAML.unindent
+          --- !ruby/object:OpenStruct 
+          table: 
+            :backdoor: !ruby/object:ExploitableBackDoor 
+              foo: bar
+        YAML
+
+        result.should be_a(OpenStruct)
+        result.backdoor.should_not be_a(ExploitableBackDoor)
+        result.instance_variable_get(:@table).should == { ":backdoor" => { "foo" => "bar" } }
+      end
+    end
   end
 
   describe "unsafe_load_file" do
@@ -247,12 +364,19 @@ describe YAML do
       end
     }
 
-    context "with :suppress_warnings set to true" do
-      before :each do SafeYAML::OPTIONS[:suppress_warnings] = true; end
-      after :each do SafeYAML::OPTIONS[:suppress_warnings] = false; end
+    context "as long as a :default_mode has been specified" do
+      after :each do
+        SafeYAML.reset_defaults!
+      end
+
+      it "doesn't issue a warning for safe mode, since an explicit mode has been set" do
+        SafeYAML::OPTIONS[:default_mode] = :safe
+        Kernel.should_not_receive(:warn)
+        YAML.load(*arguments)
+      end
 
-      it "doesn't issue a warning if :suppress_warnings option is set to true" do
-        SafeYAML::OPTIONS[:suppress_warnings] = true
+      it "doesn't issue a warning for unsafe mode, since an explicit mode has been set" do
+        SafeYAML::OPTIONS[:default_mode] = :unsafe
         Kernel.should_not_receive(:warn)
         YAML.load(*arguments)
       end
@@ -289,11 +413,11 @@ describe YAML do
 
     context "with arbitrary object deserialization enabled by default" do
       before :each do
-        YAML.enable_arbitrary_object_deserialization!
+        SafeYAML::OPTIONS[:default_mode] = :unsafe
       end
 
       after :each do
-        YAML.disable_arbitrary_object_deserialization!
+        SafeYAML.reset_defaults!
       end
 
       it "defaults to unsafe mode if the :safe option is omitted" do
@@ -344,11 +468,11 @@ describe YAML do
 
     context "with arbitrary object deserialization enabled by default" do
       before :each do
-        YAML.enable_arbitrary_object_deserialization!
+        SafeYAML::OPTIONS[:default_mode] = :unsafe
       end
 
       after :each do
-        YAML.disable_arbitrary_object_deserialization!
+        SafeYAML.reset_defaults!
       end
 
       it "defaults to unsafe mode if the :safe option is omitted" do

data/spec/spec_helper.rb

@@ -11,6 +11,8 @@ if ENV["YAMLER"] && defined?(YAML::ENGINE)
 end
 
 require "safe_yaml"
+require "ostruct"
+require "hashie"
 require "heredoc_unindent"
 
-require File.join(HERE, "shared_specs")
+require File.join(HERE, "resolver_specs")

data/spec/syck_resolver_spec.rb

@@ -4,14 +4,7 @@ if SafeYAML::YAML_ENGINE == "syck"
   require "safe_yaml/syck_resolver"
 
   describe SafeYAML::SyckResolver do
+    include ResolverSpecs
     let(:resolver) { SafeYAML::SyckResolver.new }
-    let(:result) { @result }
-
-    def parse(yaml)
-      tree = YAML.parse(yaml.unindent)
-      @result = resolver.resolve_node(tree)
-    end
-
-    include SharedSpecs
   end
 end

data/spec/transform/to_symbol_spec.rb

@@ -1,44 +1,44 @@
 require File.join(File.dirname(__FILE__), "..", "spec_helper")
 
 describe SafeYAML::Transform::ToSymbol do
-  def with_symbol_parsing_value(value)
-    symbol_parsing_flag = YAML.enable_symbol_parsing?
-    SafeYAML::OPTIONS[:enable_symbol_parsing] = value
+  def with_symbol_deserialization_value(value)
+    symbol_deserialization_flag = SafeYAML::OPTIONS[:deserialize_symbols]
+    SafeYAML::OPTIONS[:deserialize_symbols] = value
 
     yield
 
   ensure
-    SafeYAML::OPTIONS[:enable_symbol_parsing] = symbol_parsing_flag
+    SafeYAML::OPTIONS[:deserialize_symbols] = symbol_deserialization_flag
   end
 
-  def with_symbol_parsing(&block)
-    with_symbol_parsing_value(true, &block)
+  def with_symbol_deserialization(&block)
+    with_symbol_deserialization_value(true, &block)
   end
 
-  def without_symbol_parsing(&block)
-    with_symbol_parsing_value(false, &block)
+  def without_symbol_deserialization(&block)
+    with_symbol_deserialization_value(false, &block)
   end
 
   it "returns true when the value matches a valid Symbol" do
-    with_symbol_parsing { subject.transform?(":foo")[0].should be_true }
+    with_symbol_deserialization { subject.transform?(":foo")[0].should be_true }
   end
 
-  it "returns false when symbol parsing is disabled" do
-    without_symbol_parsing { subject.transform?(":foo").should be_false }
+  it "returns false when symbol deserialization is disabled" do
+    without_symbol_deserialization { subject.transform?(":foo").should be_false }
   end
 
   it "returns false when the value does not match a valid Symbol" do
-    with_symbol_parsing { subject.transform?("foo").should be_false }
+    with_symbol_deserialization { subject.transform?("foo").should be_false }
   end
 
   it "returns false when the symbol does not begin the line" do
-    with_symbol_parsing do
+    with_symbol_deserialization do
       subject.transform?("NOT A SYMBOL\n:foo").should be_false
     end
   end
 
   it "returns false when the symbol does not end the line" do
-    with_symbol_parsing do
+    with_symbol_deserialization do
       subject.transform?(":foo\nNOT A SYMBOL").should be_false
     end
   end

metadata

@@ -1,23 +1,32 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification 
 name: safe_yaml
-version: !ruby/object:Gem::Version
-  version: 0.7.1
+version: !ruby/object:Gem::Version 
+  hash: 63
   prerelease: 
+  segments: 
+  - 0
+  - 8
+  - 0
+  version: 0.8.0
 platform: ruby
-authors:
+authors: 
 - Dan Tao
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-02-11 00:00:00.000000000 Z
+
+date: 2013-02-17 00:00:00 Z
 dependencies: []
-description: Parse YAML safely, without that pesky arbitrary object deserialization
-  vulnerability
+
+description: Parse YAML safely, without that pesky arbitrary object deserialization vulnerability
 email: daniel.tao@gmail.com
 executables: []
+
 extensions: []
+
 extra_rdoc_files: []
-files:
+
+files: 
 - .gitignore
 - .travis.yml
 - Gemfile
@@ -25,7 +34,10 @@ files:
 - README.md
 - Rakefile
 - lib/safe_yaml.rb
-- lib/safe_yaml/psych_handler.rb
+- lib/safe_yaml/psych_resolver.rb
+- lib/safe_yaml/psych_visitor.rb
+- lib/safe_yaml/resolver.rb
+- lib/safe_yaml/syck_node_monkeypatch.rb
 - lib/safe_yaml/syck_resolver.rb
 - lib/safe_yaml/transform.rb
 - lib/safe_yaml/transform/to_boolean.rb
@@ -40,9 +52,9 @@ files:
 - safe_yaml.gemspec
 - spec/exploit.1.9.2.yaml
 - spec/exploit.1.9.3.yaml
-- spec/psych_handler_spec.rb
+- spec/psych_resolver_spec.rb
+- spec/resolver_specs.rb
 - spec/safe_yaml_spec.rb
-- spec/shared_specs.rb
 - spec/spec_helper.rb
 - spec/support/exploitable_back_door.rb
 - spec/syck_resolver_spec.rb
@@ -52,37 +64,46 @@ files:
 - spec/transform/to_symbol_spec.rb
 - spec/transform/to_time_spec.rb
 homepage: http://dtao.github.com/safe_yaml/
-licenses:
+licenses: 
 - MIT
 post_install_message: 
 rdoc_options: []
-require_paths:
+
+require_paths: 
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - '>='
-    - !ruby/object:Gem::Version
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 57
+      segments: 
+      - 1
+      - 8
+      - 7
       version: 1.8.7
-required_rubygems_version: !ruby/object:Gem::Requirement
+required_rubygems_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - '>='
-    - !ruby/object:Gem::Version
-      version: '0'
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
 requirements: []
+
 rubyforge_project: 
 rubygems_version: 1.8.25
 signing_key: 
 specification_version: 3
-summary: SameYAML provides an alternative implementation of YAML.load suitable for
-  accepting user input in Ruby applications.
-test_files:
+summary: SameYAML provides an alternative implementation of YAML.load suitable for accepting user input in Ruby applications.
+test_files: 
 - spec/exploit.1.9.2.yaml
 - spec/exploit.1.9.3.yaml
-- spec/psych_handler_spec.rb
+- spec/psych_resolver_spec.rb
+- spec/resolver_specs.rb
 - spec/safe_yaml_spec.rb
-- spec/shared_specs.rb
 - spec/spec_helper.rb
 - spec/support/exploitable_back_door.rb
 - spec/syck_resolver_spec.rb

data/lib/safe_yaml/psych_handler.rb

@@ -1,91 +0,0 @@
-require "psych"
-require "base64"
-
-module SafeYAML
-  class PsychHandler < Psych::Handler
-    def initialize
-      @anchors = {}
-      @stack = []
-      @current_key = nil
-      @result = nil
-    end
-
-    def result
-      @result
-    end
-
-    def add_to_current_structure(value, anchor=nil, quoted=nil, tag=nil)
-      value = Transform.to_proper_type(value, quoted, tag)
-
-      @anchors[anchor] = value if anchor
-
-      if @result.nil?
-        @result = value
-        @current_structure = @result
-        return
-      end
-
-      case @current_structure
-      when Array
-        @current_structure.push(value)
-
-      when Hash
-        if @current_key.nil?
-          @current_key = value
-
-        else
-          if @current_key == "<<"
-            @current_structure.merge!(value)
-          else
-            @current_structure[@current_key] = value
-          end
-
-          @current_key = nil
-        end
-
-      else
-        raise "Don't know how to add to a #{@current_structure.class}!"
-      end
-    end
-
-    def end_current_structure
-      @stack.pop
-      @current_structure = @stack.last
-    end
-
-    def streaming?
-      false
-    end
-
-    # event handlers
-    def alias(anchor)
-      add_to_current_structure(@anchors[anchor])
-    end
-
-    def scalar(value, anchor, tag, plain, quoted, style)
-      add_to_current_structure(value, anchor, quoted, tag)
-    end
-
-    def start_mapping(anchor, tag, implicit, style)
-      map = {}
-      self.add_to_current_structure(map, anchor)
-      @current_structure = map
-      @stack.push(map)
-    end
-
-    def end_mapping
-      self.end_current_structure()
-    end
-
-    def start_sequence(anchor, tag, implicit, style)
-      seq = []
-      self.add_to_current_structure(seq, anchor)
-      @current_structure = seq
-      @stack.push(seq)
-    end
-
-    def end_sequence
-      self.end_current_structure()
-    end
-  end
-end

data/spec/psych_handler_spec.rb

@@ -1,17 +0,0 @@
-require File.join(File.dirname(__FILE__), "spec_helper")
-
-if SafeYAML::YAML_ENGINE == "psych"
-  require "safe_yaml/psych_handler"
-
-  describe SafeYAML::PsychHandler do
-    let(:handler) { SafeYAML::PsychHandler.new }
-    let(:parser) { Psych::Parser.new(handler) }
-    let(:result) { handler.result }
-
-    def parse(yaml)
-      parser.parse(yaml.unindent)
-    end
-
-    include SharedSpecs
-  end
-end