safe_yaml 0.8.0 → 0.8.1

data/README.md

@@ -133,6 +133,15 @@ EOYAML
     > YAML.safe_load(yaml)
     => #<OpenStruct :backdoor={"foo; end; puts %(I'm in yr system!); def bar"=>"baz"}>
 
+You may prefer, rather than quietly sanitizing and accepting YAML documents with unknown tags, to fail loudly when questionable data is encountered. In this case, you can also set the `:raise_on_unknown_tag` option to `true`:
+
+```ruby
+SafeYAML::OPTIONS[:raise_on_unknown_tag] = true
+```
+
+    > YAML.safe_load(yaml)
+    => RuntimeError: Unknown YAML tag '!ruby/hash:ExploitableClassBuilder'
+
 Pretty sweet, right?
 
 Known Issues

data/lib/safe_yaml.rb

@@ -14,17 +14,18 @@ module SafeYAML
   YAML_ENGINE = defined?(YAML::ENGINE) ? YAML::ENGINE.yamler : "syck"
 
   DEFAULT_OPTIONS = {
-    :custom_initializers => {},
-    :default_mode        => nil,
-    :deserialize_symbols => false,
-    :whitelisted_tags    => []
+    :default_mode         => nil,
+    :deserialize_symbols  => false,
+    :whitelisted_tags     => [],
+    :custom_initializers  => {},
+    :raise_on_unknown_tag => false
   }.freeze
 
   OPTIONS = DEFAULT_OPTIONS.dup
 
   module_function
-  def reset_defaults!
-    OPTIONS.merge!(DEFAULT_OPTIONS)
+  def restore_defaults!
+    OPTIONS.clear.merge!(DEFAULT_OPTIONS)
   end
 end
 
@@ -43,7 +44,7 @@ module YAML
   end
 
   if SafeYAML::YAML_ENGINE == "psych"
-    require "safe_yaml/psych_visitor"
+    require "safe_yaml/safe_to_ruby_visitor"
     require "safe_yaml/psych_resolver"
     def self.safe_load(yaml, filename=nil)
       safe_resolver = SafeYAML::PsychResolver.new

data/lib/safe_yaml/psych_resolver.rb

@@ -22,7 +22,7 @@ module SafeYAML
     end
 
     def native_resolve(node)
-      @visitor ||= SafeYAML::PsychVisitor.new(self)
+      @visitor ||= SafeYAML::SafeToRubyVisitor.new(self)
       @visitor.accept(node)
     end
 

data/lib/safe_yaml/resolver.rb

@@ -1,8 +1,9 @@
 module SafeYAML
   class Resolver
     def initialize
-      @whitelist    = SafeYAML::OPTIONS[:whitelisted_tags] || []
-      @initializers = SafeYAML::OPTIONS[:custom_initializers] || {}
+      @whitelist            = SafeYAML::OPTIONS[:whitelisted_tags] || []
+      @initializers         = SafeYAML::OPTIONS[:custom_initializers] || {}
+      @raise_on_unknown_tag = SafeYAML::OPTIONS[:raise_on_unknown_tag]
     end
 
     def resolve_node(node)
@@ -23,7 +24,7 @@ module SafeYAML
     end
 
     def resolve_map(node)
-      tag = self.get_node_tag(node)
+      tag = get_and_check_node_tag(node)
       return self.native_resolve(node) if tag_is_whitelisted?(tag)
 
       hash = @initializers.include?(tag) ? @initializers[tag].call : {}
@@ -47,14 +48,22 @@ module SafeYAML
     def resolve_seq(node)
       seq = self.get_node_value(node)
 
-      tag = get_node_tag(node)
+      tag = get_and_check_node_tag(node)
       arr = @initializers.include?(tag) ? @initializers[tag].call : []
 
       seq.inject(arr) { |array, node| array << resolve_node(node) }
     end
 
     def resolve_scalar(node)
-      Transform.to_proper_type(self.get_node_value(node), self.value_is_quoted?(node), self.get_node_tag(node))
+      Transform.to_proper_type(self.get_node_value(node), self.value_is_quoted?(node), get_and_check_node_tag(node))
+    end
+
+    def get_and_check_node_tag(node)
+      tag = self.get_node_tag(node)
+      if !!tag && @raise_on_unknown_tag && !tag_is_whitelisted?(tag)
+        raise "Unknown YAML tag '#{tag}'"
+      end
+      tag
     end
 
     def tag_is_whitelisted?(tag)

data/lib/safe_yaml/safe_to_ruby_visitor.rb

@@ -0,0 +1,17 @@
+module SafeYAML
+  class SafeToRubyVisitor < Psych::Visitors::ToRuby
+    def initialize(resolver)
+      super()
+      @resolver = resolver
+    end
+
+    def accept(node)
+      if node.tag
+        return super if @resolver.tag_is_whitelisted?(node.tag)
+        raise "Unknown YAML tag '#{node.tag}'" if SafeYAML::OPTIONS[:raise_on_unknown_tag]
+      end
+
+      @resolver.resolve_node(node)
+    end
+  end
+end

data/lib/safe_yaml/syck_node_monkeypatch.rb

@@ -1,7 +1,11 @@
 monkeypatch = <<-EORUBY
   class Node
     def safe_transform
-      return unsafe_transform if SafeYAML::OPTIONS[:whitelisted_tags].include?(self.type_id)
+      if self.type_id
+        return unsafe_transform if SafeYAML::OPTIONS[:whitelisted_tags].include?(self.type_id)
+        raise "Unknown YAML tag '#{self.type_id}'" if SafeYAML::OPTIONS[:raise_on_unknown_tag]
+      end
+
       SafeYAML::SyckResolver.new.resolve_node(self)
     end
 

data/lib/safe_yaml/version.rb

@@ -1,3 +1,3 @@
 module SafeYAML
-  VERSION = "0.8.0"
+  VERSION = "0.8.1"
 end

data/spec/resolver_specs.rb

@@ -204,7 +204,7 @@ module ResolverSpecs
         end
 
         after :each do
-          SafeYAML.reset_defaults!
+          SafeYAML.restore_defaults!
         end
 
         it "translates values starting with ':' to symbols" do

data/spec/safe_yaml_spec.rb

@@ -43,7 +43,7 @@ describe YAML do
       end
 
       after :each do
-        SafeYAML.reset_defaults!
+        SafeYAML.restore_defaults!
       end
 
       it "effectively ignores the whitelist (since everything is whitelisted)" do
@@ -256,7 +256,7 @@ describe YAML do
       end
 
       after :each do
-        SafeYAML.reset_defaults!
+        SafeYAML.restore_defaults!
       end
 
       it "will use a custom initializer to instantiate an array-like class upon deserialization" do
@@ -289,10 +289,13 @@ describe YAML do
         else
           SafeYAML::OPTIONS[:whitelisted_tags] = ["tag:ruby.yaml.org,2002:object:OpenStruct"]
         end
+
+        # Necessary for deserializing OpenStructs properly.
+        SafeYAML::OPTIONS[:deserialize_symbols] = true
       end
 
       after :each do
-        SafeYAML.reset_defaults!
+        SafeYAML.restore_defaults!
       end
 
       it "will allow objects to be deserialized for whitelisted tags" do
@@ -317,7 +320,49 @@ describe YAML do
 
         result.should be_a(OpenStruct)
         result.backdoor.should_not be_a(ExploitableBackDoor)
-        result.instance_variable_get(:@table).should == { ":backdoor" => { "foo" => "bar" } }
+        result.backdoor.should == { "foo" => "bar" }
+      end
+
+      context "with the :raise_on_unknown_tag option enabled" do
+        before :each do
+          SafeYAML::OPTIONS[:raise_on_unknown_tag] = true
+        end
+
+        after :each do
+          SafeYAML.restore_defaults!
+        end
+
+        it "raises an exception if a non-nil, non-whitelisted tag is encountered" do
+          lambda {
+            YAML.safe_load <<-YAML.unindent
+              --- !ruby/object:Unknown
+              foo: bar
+            YAML
+          }.should raise_error
+        end
+
+        it "checks all tags, even those within objects with trusted tags" do
+          lambda {
+            YAML.safe_load <<-YAML.unindent
+              --- !ruby/object:OpenStruct
+              table:
+                :backdoor: !ruby/object:Unknown
+                  foo: bar
+            YAML
+          }.should raise_error
+        end
+
+        it "does not raise an exception as long as all tags are whitelisted" do
+          result = YAML.safe_load <<-YAML.unindent
+            --- !ruby/object:OpenStruct
+            table:
+              :backdoor:
+                foo: bar
+          YAML
+
+          result.should be_a(OpenStruct)
+          result.backdoor.should == { "foo" => "bar" }
+        end
       end
     end
   end
@@ -366,7 +411,7 @@ describe YAML do
 
     context "as long as a :default_mode has been specified" do
       after :each do
-        SafeYAML.reset_defaults!
+        SafeYAML.restore_defaults!
       end
 
       it "doesn't issue a warning for safe mode, since an explicit mode has been set" do
@@ -417,7 +462,7 @@ describe YAML do
       end
 
       after :each do
-        SafeYAML.reset_defaults!
+        SafeYAML.restore_defaults!
       end
 
       it "defaults to unsafe mode if the :safe option is omitted" do
@@ -472,7 +517,7 @@ describe YAML do
       end
 
       after :each do
-        SafeYAML.reset_defaults!
+        SafeYAML.restore_defaults!
       end
 
       it "defaults to unsafe mode if the :safe option is omitted" do

metadata

@@ -1,32 +1,23 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: safe_yaml
-version: !ruby/object:Gem::Version 
-  hash: 63
+version: !ruby/object:Gem::Version
+  version: 0.8.1
   prerelease: 
-  segments: 
-  - 0
-  - 8
-  - 0
-  version: 0.8.0
 platform: ruby
-authors: 
+authors:
 - Dan Tao
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2013-02-17 00:00:00 Z
+date: 2013-02-17 00:00:00.000000000 Z
 dependencies: []
-
-description: Parse YAML safely, without that pesky arbitrary object deserialization vulnerability
+description: Parse YAML safely, without that pesky arbitrary object deserialization
+  vulnerability
 email: daniel.tao@gmail.com
 executables: []
-
 extensions: []
-
 extra_rdoc_files: []
-
-files: 
+files:
 - .gitignore
 - .travis.yml
 - Gemfile
@@ -35,8 +26,8 @@ files:
 - Rakefile
 - lib/safe_yaml.rb
 - lib/safe_yaml/psych_resolver.rb
-- lib/safe_yaml/psych_visitor.rb
 - lib/safe_yaml/resolver.rb
+- lib/safe_yaml/safe_to_ruby_visitor.rb
 - lib/safe_yaml/syck_node_monkeypatch.rb
 - lib/safe_yaml/syck_resolver.rb
 - lib/safe_yaml/transform.rb
@@ -64,41 +55,32 @@ files:
 - spec/transform/to_symbol_spec.rb
 - spec/transform/to_time_spec.rb
 homepage: http://dtao.github.com/safe_yaml/
-licenses: 
+licenses:
 - MIT
 post_install_message: 
 rdoc_options: []
-
-require_paths: 
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 57
-      segments: 
-      - 1
-      - 8
-      - 7
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
       version: 1.8.7
-required_rubygems_version: !ruby/object:Gem::Requirement 
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: 
 rubygems_version: 1.8.25
 signing_key: 
 specification_version: 3
-summary: SameYAML provides an alternative implementation of YAML.load suitable for accepting user input in Ruby applications.
-test_files: 
+summary: SameYAML provides an alternative implementation of YAML.load suitable for
+  accepting user input in Ruby applications.
+test_files:
 - spec/exploit.1.9.2.yaml
 - spec/exploit.1.9.3.yaml
 - spec/psych_resolver_spec.rb

data/lib/safe_yaml/psych_visitor.rb

@@ -1,13 +0,0 @@
-module SafeYAML
-  class PsychVisitor < Psych::Visitors::ToRuby
-    def initialize(resolver)
-      super()
-      @resolver = resolver
-    end
-
-    def accept(node)
-      return super if @resolver.tag_is_whitelisted?(@resolver.get_node_tag(node))
-      @resolver.resolve_node(node)
-    end
-  end
-end