RubyGems - safe_yaml - Versions diffs - 0.8.0 → 0.8.1 - Mend

safe_yaml 0.8.0 → 0.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

data/README.md +9 -0
data/lib/safe_yaml.rb +8 -7
data/lib/safe_yaml/psych_resolver.rb +1 -1
data/lib/safe_yaml/resolver.rb +14 -5
data/lib/safe_yaml/safe_to_ruby_visitor.rb +17 -0
data/lib/safe_yaml/syck_node_monkeypatch.rb +5 -1
data/lib/safe_yaml/version.rb +1 -1
data/spec/resolver_specs.rb +1 -1
data/spec/safe_yaml_spec.rb +52 -7
metadata +23 -41
data/lib/safe_yaml/psych_visitor.rb +0 -13

data/README.md CHANGED Viewed

@@ -133,6 +133,15 @@ EOYAML
     > YAML.safe_load(yaml)
     => #<OpenStruct :backdoor={"foo; end; puts %(I'm in yr system!); def bar"=>"baz"}>
+You may prefer, rather than quietly sanitizing and accepting YAML documents with unknown tags, to fail loudly when questionable data is encountered. In this case, you can also set the `:raise_on_unknown_tag` option to `true`:
+```ruby
+SafeYAML::OPTIONS[:raise_on_unknown_tag] = true
+```
+    > YAML.safe_load(yaml)
+    => RuntimeError: Unknown YAML tag '!ruby/hash:ExploitableClassBuilder'
 Pretty sweet, right?
 Known Issues

data/lib/safe_yaml.rb CHANGED Viewed

@@ -14,17 +14,18 @@ module SafeYAML
   YAML_ENGINE = defined?(YAML::ENGINE) ? YAML::ENGINE.yamler : "syck"
   DEFAULT_OPTIONS = {
-    :custom_initializers => {},
-    :default_mode        => nil,
-    :deserialize_symbols => false,
-    :whitelisted_tags    => []
+    :default_mode         => nil,
+    :deserialize_symbols  => false,
+    :whitelisted_tags     => [],
+    :custom_initializers  => {},
+    :raise_on_unknown_tag => false
   }.freeze
   OPTIONS = DEFAULT_OPTIONS.dup
   module_function
-  def reset_defaults!
-    OPTIONS.merge!(DEFAULT_OPTIONS)
+  def restore_defaults!
+    OPTIONS.clear.merge!(DEFAULT_OPTIONS)
   end
 end
@@ -43,7 +44,7 @@ module YAML
   end
   if SafeYAML::YAML_ENGINE == "psych"
-    require "safe_yaml/psych_visitor"
+    require "safe_yaml/safe_to_ruby_visitor"
     require "safe_yaml/psych_resolver"
     def self.safe_load(yaml, filename=nil)
       safe_resolver = SafeYAML::PsychResolver.new

data/lib/safe_yaml/psych_resolver.rb CHANGED Viewed

@@ -22,7 +22,7 @@ module SafeYAML
     end
     def native_resolve(node)
-      @visitor ||= SafeYAML::PsychVisitor.new(self)
+      @visitor ||= SafeYAML::SafeToRubyVisitor.new(self)
       @visitor.accept(node)
     end

data/lib/safe_yaml/resolver.rb CHANGED Viewed

@@ -1,8 +1,9 @@
 module SafeYAML
   class Resolver
     def initialize
-      @whitelist    = SafeYAML::OPTIONS[:whitelisted_tags] || []
-      @initializers = SafeYAML::OPTIONS[:custom_initializers] || {}
+      @whitelist            = SafeYAML::OPTIONS[:whitelisted_tags] || []
+      @initializers         = SafeYAML::OPTIONS[:custom_initializers] || {}
+      @raise_on_unknown_tag = SafeYAML::OPTIONS[:raise_on_unknown_tag]
     end
     def resolve_node(node)
@@ -23,7 +24,7 @@ module SafeYAML
     end
     def resolve_map(node)
-      tag = self.get_node_tag(node)
+      tag = get_and_check_node_tag(node)
       return self.native_resolve(node) if tag_is_whitelisted?(tag)
       hash = @initializers.include?(tag) ? @initializers[tag].call : {}
@@ -47,14 +48,22 @@ module SafeYAML
     def resolve_seq(node)
       seq = self.get_node_value(node)
-      tag = get_node_tag(node)
+      tag = get_and_check_node_tag(node)
       arr = @initializers.include?(tag) ? @initializers[tag].call : []
       seq.inject(arr) { |array, node| array << resolve_node(node) }
     end
     def resolve_scalar(node)
-      Transform.to_proper_type(self.get_node_value(node), self.value_is_quoted?(node), self.get_node_tag(node))
+      Transform.to_proper_type(self.get_node_value(node), self.value_is_quoted?(node), get_and_check_node_tag(node))
+    end
+    def get_and_check_node_tag(node)
+      tag = self.get_node_tag(node)
+      if !!tag && @raise_on_unknown_tag && !tag_is_whitelisted?(tag)
+        raise "Unknown YAML tag '#{tag}'"
+      end
+      tag
     end
     def tag_is_whitelisted?(tag)

data/lib/safe_yaml/safe_to_ruby_visitor.rb ADDED Viewed

@@ -0,0 +1,17 @@
+module SafeYAML
+  class SafeToRubyVisitor < Psych::Visitors::ToRuby
+    def initialize(resolver)
+      super()
+      @resolver = resolver
+    end
+    def accept(node)
+      if node.tag
+        return super if @resolver.tag_is_whitelisted?(node.tag)
+        raise "Unknown YAML tag '#{node.tag}'" if SafeYAML::OPTIONS[:raise_on_unknown_tag]
+      end
+      @resolver.resolve_node(node)
+    end
+  end
+end

data/lib/safe_yaml/syck_node_monkeypatch.rb CHANGED Viewed

@@ -1,7 +1,11 @@
 monkeypatch = <<-EORUBY
   class Node
     def safe_transform
-      return unsafe_transform if SafeYAML::OPTIONS[:whitelisted_tags].include?(self.type_id)
+      if self.type_id
+        return unsafe_transform if SafeYAML::OPTIONS[:whitelisted_tags].include?(self.type_id)
+        raise "Unknown YAML tag '#{self.type_id}'" if SafeYAML::OPTIONS[:raise_on_unknown_tag]
+      end
       SafeYAML::SyckResolver.new.resolve_node(self)
     end

data/lib/safe_yaml/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module SafeYAML
-  VERSION = "0.8.0"
+  VERSION = "0.8.1"
 end

data/spec/resolver_specs.rb CHANGED Viewed

@@ -204,7 +204,7 @@ module ResolverSpecs
         end
         after :each do
-          SafeYAML.reset_defaults!
+          SafeYAML.restore_defaults!
         end
         it "translates values starting with ':' to symbols" do

data/spec/safe_yaml_spec.rb CHANGED Viewed

@@ -43,7 +43,7 @@ describe YAML do
       end
       after :each do
-        SafeYAML.reset_defaults!
+        SafeYAML.restore_defaults!
       end
       it "effectively ignores the whitelist (since everything is whitelisted)" do
@@ -256,7 +256,7 @@ describe YAML do
       end
       after :each do
-        SafeYAML.reset_defaults!
+        SafeYAML.restore_defaults!
       end
       it "will use a custom initializer to instantiate an array-like class upon deserialization" do
@@ -289,10 +289,13 @@ describe YAML do
         else
           SafeYAML::OPTIONS[:whitelisted_tags] = ["tag:ruby.yaml.org,2002:object:OpenStruct"]
         end
+        # Necessary for deserializing OpenStructs properly.
+        SafeYAML::OPTIONS[:deserialize_symbols] = true
       end
       after :each do
-        SafeYAML.reset_defaults!
+        SafeYAML.restore_defaults!
       end
       it "will allow objects to be deserialized for whitelisted tags" do
@@ -317,7 +320,49 @@ describe YAML do
         result.should be_a(OpenStruct)
         result.backdoor.should_not be_a(ExploitableBackDoor)
-        result.instance_variable_get(:@table).should == { ":backdoor" => { "foo" => "bar" } }
+        result.backdoor.should == { "foo" => "bar" }
+      end
+      context "with the :raise_on_unknown_tag option enabled" do
+        before :each do
+          SafeYAML::OPTIONS[:raise_on_unknown_tag] = true
+        end
+        after :each do
+          SafeYAML.restore_defaults!
+        end
+        it "raises an exception if a non-nil, non-whitelisted tag is encountered" do
+          lambda {
+            YAML.safe_load <<-YAML.unindent
+              --- !ruby/object:Unknown
+              foo: bar
+            YAML
+          }.should raise_error
+        end
+        it "checks all tags, even those within objects with trusted tags" do
+          lambda {
+            YAML.safe_load <<-YAML.unindent
+              --- !ruby/object:OpenStruct
+              table:
+                :backdoor: !ruby/object:Unknown
+                  foo: bar
+            YAML
+          }.should raise_error
+        end
+        it "does not raise an exception as long as all tags are whitelisted" do
+          result = YAML.safe_load <<-YAML.unindent
+            --- !ruby/object:OpenStruct
+            table:
+              :backdoor:
+                foo: bar
+          YAML
+          result.should be_a(OpenStruct)
+          result.backdoor.should == { "foo" => "bar" }
+        end
       end
     end
   end
@@ -366,7 +411,7 @@ describe YAML do
     context "as long as a :default_mode has been specified" do
       after :each do
-        SafeYAML.reset_defaults!
+        SafeYAML.restore_defaults!
       end
       it "doesn't issue a warning for safe mode, since an explicit mode has been set" do
@@ -417,7 +462,7 @@ describe YAML do
       end
       after :each do
-        SafeYAML.reset_defaults!
+        SafeYAML.restore_defaults!
       end
       it "defaults to unsafe mode if the :safe option is omitted" do
@@ -472,7 +517,7 @@ describe YAML do
       end
       after :each do
-        SafeYAML.reset_defaults!
+        SafeYAML.restore_defaults!
       end
       it "defaults to unsafe mode if the :safe option is omitted" do

metadata CHANGED Viewed

@@ -1,32 +1,23 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification
 name: safe_yaml
-version: !ruby/object:Gem::Version
-  hash: 63
+version: !ruby/object:Gem::Version
+  version: 0.8.1
   prerelease:
-  segments:
-  - 0
-  - 8
-  - 0
-  version: 0.8.0
 platform: ruby
-authors:
+authors:
 - Dan Tao
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-02-17 00:00:00 Z
+date: 2013-02-17 00:00:00.000000000 Z
 dependencies: []
-description: Parse YAML safely, without that pesky arbitrary object deserialization vulnerability
+description: Parse YAML safely, without that pesky arbitrary object deserialization
+  vulnerability
 email: daniel.tao@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files: []
-files:
+files:
 - .gitignore
 - .travis.yml
 - Gemfile
@@ -35,8 +26,8 @@ files:
 - Rakefile
 - lib/safe_yaml.rb
 - lib/safe_yaml/psych_resolver.rb
-- lib/safe_yaml/psych_visitor.rb
 - lib/safe_yaml/resolver.rb
+- lib/safe_yaml/safe_to_ruby_visitor.rb
 - lib/safe_yaml/syck_node_monkeypatch.rb
 - lib/safe_yaml/syck_resolver.rb
 - lib/safe_yaml/transform.rb
@@ -64,41 +55,32 @@ files:
 - spec/transform/to_symbol_spec.rb
 - spec/transform/to_time_spec.rb
 homepage: http://dtao.github.com/safe_yaml/
-licenses:
+licenses:
 - MIT
 post_install_message:
 rdoc_options: []
-require_paths:
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements:
-  - - ">="
-    - !ruby/object:Gem::Version
-      hash: 57
-      segments:
-      - 1
-      - 8
-      - 7
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
       version: 1.8.7
-required_rubygems_version: !ruby/object:Gem::Requirement
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements:
-  - - ">="
-    - !ruby/object:Gem::Version
-      hash: 3
-      segments:
-      - 0
-      version: "0"
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
 rubyforge_project:
 rubygems_version: 1.8.25
 signing_key:
 specification_version: 3
-summary: SameYAML provides an alternative implementation of YAML.load suitable for accepting user input in Ruby applications.
-test_files:
+summary: SameYAML provides an alternative implementation of YAML.load suitable for
+  accepting user input in Ruby applications.
+test_files:
 - spec/exploit.1.9.2.yaml
 - spec/exploit.1.9.3.yaml
 - spec/psych_resolver_spec.rb

data/lib/safe_yaml/psych_visitor.rb DELETED Viewed

@@ -1,13 +0,0 @@
-module SafeYAML
-  class PsychVisitor < Psych::Visitors::ToRuby
-    def initialize(resolver)
-      super()
-      @resolver = resolver
-    end
-    def accept(node)
-      return super if @resolver.tag_is_whitelisted?(@resolver.get_node_tag(node))
-      @resolver.resolve_node(node)
-    end
-  end
-end