safe_yaml 0.8.3 → 0.8.4

data/lib/safe_yaml.rb

@@ -1,11 +1,13 @@
 require "yaml"
+require "safe_yaml/parse/hexadecimal"
+require "safe_yaml/parse/sexagesimal"
+require "safe_yaml/parse/date"
 require "safe_yaml/transform/to_boolean"
 require "safe_yaml/transform/to_date"
 require "safe_yaml/transform/to_float"
 require "safe_yaml/transform/to_integer"
 require "safe_yaml/transform/to_nil"
 require "safe_yaml/transform/to_symbol"
-require "safe_yaml/transform/to_time"
 require "safe_yaml/transform"
 require "safe_yaml/resolver"
 
@@ -41,7 +43,12 @@ module SafeYAML
     end
 
   else
-    TRUSTED_TAGS = ["tag:yaml.org,2002:str"].freeze
+    TRUSTED_TAGS = [
+      "tag:yaml.org,2002:str",
+      "tag:yaml.org,2002:int",
+      "tag:yaml.org,2002:float#fix",
+      "tag:yaml.org,2002:timestamp#ymd"
+    ].freeze
 
     def tag_is_explicitly_trusted?(tag)
       TRUSTED_TAGS.include?(tag)

data/lib/safe_yaml/parse/date.rb

@@ -0,0 +1,27 @@
+module SafeYAML
+  class Parse
+    class Date
+      # This one's easy enough :)
+      DATE_MATCHER = /\A(\d{4})-(\d{2})-(\d{2})\Z/.freeze
+
+      # This unbelievable little gem is taken basically straight from the YAML spec, but made
+      # slightly more readable (to my poor eyes at least) to me:
+      # http://yaml.org/type/timestamp.html
+      TIME_MATCHER = /\A\d{4}-\d{1,2}-\d{1,2}(?:[Tt]|\s+)\d{1,2}:\d{2}:\d{2}(?:\.\d*)?\s*(?:Z|[-+]\d{1,2}(?::?\d{2})?)?\Z/.freeze
+
+      SECONDS_PER_DAY = 60 * 60 * 24
+      MICROSECONDS_PER_SECOND = 1000000
+
+      # So this is weird. In Ruby 1.8.7, the DateTime#sec_fraction method returned fractional
+      # seconds in units of DAYS for some reason. In 1.9.2, they changed the units -- much more
+      # reasonably -- to seconds.
+      SEC_FRACTION_MULTIPLIER = RUBY_VERSION == "1.8.7" ? (SECONDS_PER_DAY * MICROSECONDS_PER_SECOND) : MICROSECONDS_PER_SECOND
+
+      def self.value(value)
+        d = DateTime.parse(value)
+        usec = d.sec_fraction * SEC_FRACTION_MULTIPLIER
+        Time.utc(d.year, d.month, d.day, d.hour, d.min, d.sec, usec) - (d.offset * SECONDS_PER_DAY)
+      end
+    end
+  end
+end

data/lib/safe_yaml/parse/hexadecimal.rb

@@ -0,0 +1,12 @@
+module SafeYAML
+  class Parse
+    class Hexadecimal
+      MATCHER = /\A[-+]?0x[0-9a-fA-F_]+\Z/.freeze
+
+      def self.value(value)
+        # This is safe to do since we already validated the value.
+        return Integer(value.gsub(/_/, ""))
+      end
+    end
+  end
+end

data/lib/safe_yaml/parse/sexagesimal.rb

@@ -0,0 +1,26 @@
+module SafeYAML
+  class Parse
+    class Sexagesimal
+      INTEGER_MATCHER = /\A[-+]?[0-9][0-9_]*(:[0-5]?[0-9])+\Z/.freeze
+      FLOAT_MATCHER = /\A[-+]?[0-9][0-9_]*(:[0-5]?[0-9])+\.[0-9_]*\Z/.freeze
+
+      def self.value(value)
+        before_decimal, after_decimal = value.split(".")
+
+        whole_part = 0
+        multiplier = 1
+
+        before_decimal = before_decimal.split(":")
+        until before_decimal.empty?
+          whole_part += (Float(before_decimal.pop) * multiplier)
+          multiplier *= 60
+        end
+
+        result = whole_part
+        result += Float("." + after_decimal) unless after_decimal.nil?
+        result *= -1 if value[0] == "-"
+        result
+      end
+    end
+  end
+end

data/lib/safe_yaml/transform.rb

@@ -8,8 +8,7 @@ module SafeYAML
       Transform::ToFloat.new,
       Transform::ToNil.new,
       Transform::ToBoolean.new,
-      Transform::ToDate.new,
-      Transform::ToTime.new
+      Transform::ToDate.new
     ]
 
     def self.to_guessed_type(value, quoted=false)
@@ -28,7 +27,9 @@ module SafeYAML
     def self.to_proper_type(value, quoted=false, tag=nil)
       case tag
       when "tag:yaml.org,2002:binary", "x-private:binary", "!binary"
-        Base64.decode64(value)
+        decoded = Base64.decode64(value)
+        decoded = decoded.force_encoding(value.encoding) if decoded.respond_to?(:force_encoding)
+        decoded
       else
         self.to_guessed_type(value, quoted)
       end

data/lib/safe_yaml/transform/to_date.rb

@@ -1,12 +1,10 @@
 module SafeYAML
   class Transform
     class ToDate
-      MATCHER = /\A\d{4}\-\d{2}\-\d{2}\Z/.freeze
-
       def transform?(value)
-        return false unless MATCHER.match(value)
-        date = Date.parse(value) rescue nil
-        return !!date, date
+        return true, Date.parse(value) if Parse::Date::DATE_MATCHER.match(value)
+        return true, Parse::Date.value(value) if Parse::Date::TIME_MATCHER.match(value)
+        false
       end
     end
   end

data/lib/safe_yaml/transform/to_float.rb

@@ -1,11 +1,29 @@
 module SafeYAML
   class Transform
     class ToFloat
-      MATCHER = /\A\d*\.\d+\Z/.freeze
+      Infinity = 1.0 / 0.0
+      NaN = 0.0 / 0.0
+
+      PREDEFINED_VALUES = {
+        ".inf"  => Infinity,
+        ".Inf"  => Infinity,
+        ".INF"  => Infinity,
+        "-.inf" => -Infinity,
+        "-.Inf" => -Infinity,
+        "-.INF" => -Infinity,
+        ".nan"  => NaN,
+        ".NaN"  => NaN,
+        ".NAN"  => NaN,
+      }.freeze
 
       def transform?(value)
-        return false unless MATCHER.match(value)
-        return true, value.to_f
+        return true, Float(value) rescue try_edge_cases?(value)
+      end
+
+      def try_edge_cases?(value)
+        return true, PREDEFINED_VALUES[value] if PREDEFINED_VALUES.include?(value)
+        return true, Parse::Sexagesimal.value(value) if Parse::Sexagesimal::FLOAT_MATCHER.match(value)
+        return false
       end
     end
   end

data/lib/safe_yaml/transform/to_integer.rb

@@ -1,17 +1,14 @@
 module SafeYAML
   class Transform
     class ToInteger
-      OCTAL_MATCHER = /\A0[0-7]+\Z/.freeze
-      HEXADECIMAL_MATCHER = /\A0x[0-9a-f]+\Z/i.freeze
-      MATCHER = /\A[1-9]\d*\Z/.freeze
-
       def transform?(value)
-        if OCTAL_MATCHER.match(value) || HEXADECIMAL_MATCHER.match(value)
-          return true, Integer(value)
-        end
+        return true, Integer(value) rescue try_edge_cases?(value)
+      end
 
-        return false unless MATCHER.match(value)
-        return true, value.to_i
+      def try_edge_cases?(value)
+        return true, Parse::Hexadecimal.value(value) if Parse::Hexadecimal::MATCHER.match(value)
+        return true, Parse::Sexagesimal.value(value) if Parse::Sexagesimal::INTEGER_MATCHER.match(value)
+        return false
       end
     end
   end

data/lib/safe_yaml/transform/to_symbol.rb

@@ -1,11 +1,11 @@
 module SafeYAML
   class Transform
     class ToSymbol
-      MATCHER = /\A:\w+\Z/.freeze
+      MATCHER = /\A:"?(\w+)"?\Z/.freeze
 
       def transform?(value)
         return false unless SafeYAML::OPTIONS[:deserialize_symbols] && MATCHER.match(value)
-        return true, value[1..-1].to_sym
+        return true, $1.to_sym
       end
     end
   end

data/lib/safe_yaml/version.rb

@@ -1,3 +1,3 @@
 module SafeYAML
-  VERSION = "0.8.3"
+  VERSION = "0.8.4"
 end

data/spec/resolver_specs.rb

@@ -171,29 +171,20 @@ module ResolverSpecs
 
       # This does in fact appear to be a Ruby version thing as opposed to a YAML engine thing.
       context "for Ruby version #{RUBY_VERSION}" do
-        if RUBY_VERSION >= "1.9.2"
+        if RUBY_VERSION >= "1.8.7"
           it "translates valid time values" do
             parse "time: 2013-01-29 05:58:00 -0800"
-            result.should == { "time" => Time.new(2013, 1, 29, 5, 58, 0, "-08:00") }
+            result.should == { "time" => Time.utc(2013, 1, 29, 13, 58, 0) }
           end
 
           it "applies the same transformation to elements in sequences" do
             parse "- 2013-01-29 05:58:00 -0800"
-            result.should == [Time.new(2013, 1, 29, 5, 58, 0, "-08:00")]
+            result.should == [Time.utc(2013, 1, 29, 13, 58, 0)]
           end
 
-          # On Ruby 2.0.0-rc1, even YAML.load overflows the stack on this input.
-          if RUBY_VERSION != "2.0.0"
-            it "applies the same transformation to keys" do
-              parse "2013-01-29 05:58:00 -0800: time"
-              result.should == { Time.new(2013, 1, 29, 5, 58, 0, "-08:00") => "time" }
-            end
-          end
-
-        else
-          it "does not deserialize times" do
-            parse "time: 2013-01-29 05:58:00 -0800"
-            result.should == { "time" => "2013-01-29 05:58:00 -0800" }
+          it "applies the same transformation to keys" do
+            parse "2013-01-29 05:58:00 -0800: time"
+            result.should == { Time.utc(2013, 1, 29, 13, 58, 0) => "time" }
           end
         end
       end

data/spec/safe_yaml_spec.rb

@@ -362,11 +362,25 @@ describe YAML do
             --- !ruby/object:OpenStruct
             table:
               :backdoor:
-                foo: bar
+                string: foo
+                integer: 1
+                float: 3.14
+                symbol: :bar
+                date: 2013-02-20
+                array: []
+                hash: {}
           YAML
 
           result.should be_a(OpenStruct)
-          result.backdoor.should == { "foo" => "bar" }
+          result.backdoor.should == {
+            "string"  => "foo",
+            "integer" => 1,
+            "float"   => 3.14,
+            "symbol"  => :bar,
+            "date"    => Date.parse("2013-02-20"),
+            "array"   => [],
+            "hash"    => {}
+          }
         end
       end
     end

data/spec/spec_helper.rb

@@ -4,8 +4,8 @@ ROOT = File.join(HERE, "..") unless defined?(ROOT)
 $LOAD_PATH << File.join(ROOT, "lib")
 $LOAD_PATH << File.join(HERE, "support")
 
+require "yaml"
 if ENV["YAMLER"] && defined?(YAML::ENGINE)
-  require "yaml"
   YAML::ENGINE.yamler = ENV["YAMLER"]
   puts "Running specs in Ruby #{RUBY_VERSION} with '#{YAML::ENGINE.yamler}' YAML engine."
 end

data/spec/transform/base64_spec.rb

@@ -0,0 +1,11 @@
+require File.join(File.dirname(__FILE__), "..", "spec_helper")
+
+describe SafeYAML::Transform do
+  it "should return the same encoding when decoding Base64" do
+    value = "c3VyZS4="
+    decoded = SafeYAML::Transform.to_proper_type(value, false, "!binary")
+
+    decoded.should == "sure."
+    decoded.encoding.should == value.encoding if decoded.respond_to?(:encoding)
+  end
+end

data/spec/transform/to_date_spec.rb

@@ -2,7 +2,7 @@ require File.join(File.dirname(__FILE__), "..", "spec_helper")
 
 describe SafeYAML::Transform::ToDate do
   it "returns true when the value matches a valid Date" do
-    subject.transform?("2013-01-01")[0].should == true
+    subject.transform?("2013-01-01").should == [true, Date.parse("2013-01-01")]
   end
 
   it "returns false when the value does not match a valid Date" do
@@ -16,4 +16,19 @@ describe SafeYAML::Transform::ToDate do
   it "returns false when the value does not begin with a Date" do
     subject.transform?("NOT A DATE\n2013-01-01").should be_false
   end
+
+  it "correctly parses the remaining formats of the YAML spec" do
+    equivalent_values = [
+      "2001-12-15T02:59:43.1Z", # canonical
+      "2001-12-14t21:59:43.10-05:00", # iso8601
+      "2001-12-14 21:59:43.10 -5", # space separated
+      "2001-12-15 2:59:43.10" # no time zone (Z)
+    ]
+
+    equivalent_values.each do |value|
+      success, result = subject.transform?(value)
+      success.should be_true
+      result.should == Time.utc(2001, 12, 15, 2, 59, 43, 100000)
+    end
+  end
 end

data/spec/transform/to_float_spec.rb

@@ -2,7 +2,7 @@ require File.join(File.dirname(__FILE__), "..", "spec_helper")
 
 describe SafeYAML::Transform::ToFloat do
   it "returns true when the value matches a valid Float" do
-    subject.transform?("20.00").should be_true
+    subject.transform?("20.00").should == [true, 20.0]
   end
 
   it "returns false when the value does not match a valid Float" do
@@ -12,4 +12,26 @@ describe SafeYAML::Transform::ToFloat do
   it "returns false when the value spans multiple lines" do
     subject.transform?("20.00\nNOT A FLOAT").should be_false
   end
+
+  it "correctly parses all formats in the YAML spec" do
+    # canonical
+    subject.transform?("6.8523015e+5").should == [true, 685230.15]
+
+    # exponentioal
+    subject.transform?("685.230_15e+03").should == [true, 685230.15]
+
+    # fixed
+    subject.transform?("685_230.15").should == [true, 685230.15]
+
+    # sexagesimal
+    subject.transform?("190:20:30.15").should == [true, 685230.15]
+
+    # infinity
+    subject.transform?("-.inf").should == [true, (-1.0 / 0.0)]
+
+    # not a number
+    # NOTE: can't use == here since NaN != NaN
+    success, result = subject.transform?(".NaN")
+    success.should be_true; result.should be_nan
+  end
 end

data/spec/transform/to_integer_spec.rb

@@ -2,7 +2,7 @@ require File.join(File.dirname(__FILE__), "..", "spec_helper")
 
 describe SafeYAML::Transform::ToInteger do
   it "returns true when the value matches a valid Integer" do
-    subject.transform?("10").should be_true
+    subject.transform?("10").should == [true, 10]
   end
 
   it "returns false when the value does not match a valid Integer" do
@@ -28,4 +28,24 @@ describe SafeYAML::Transform::ToInteger do
   it "defaults to a string for a number that resembles hexadecimal format but is not" do
     subject.transform?("0x1G").should be_false
   end
+
+  it "correctly parses all formats in the YAML spec" do
+    # canonical
+    subject.transform?("685230").should == [true, 685230]
+
+    # decimal
+    subject.transform?("+685_230").should == [true, 685230]
+
+    # octal
+    subject.transform?("02472256").should == [true, 685230]
+    
+    # hexadecimal:
+    subject.transform?("0x_0A_74_AE").should == [true, 685230]
+
+    # binary
+    subject.transform?("0b1010_0111_0100_1010_1110").should == [true, 685230]
+
+    # sexagesimal
+    subject.transform?("190:20:30").should == [true, 685230]
+  end
 end

data/spec/transform/to_symbol_spec.rb

@@ -23,6 +23,10 @@ describe SafeYAML::Transform::ToSymbol do
     with_symbol_deserialization { subject.transform?(":foo")[0].should be_true }
   end
 
+  it "returns true when the value matches a valid String+Symbol" do
+    with_symbol_deserialization { subject.transform?(':"foo"')[0].should be_true }
+  end
+
   it "returns false when symbol deserialization is disabled" do
     without_symbol_deserialization { subject.transform?(":foo").should be_false }
   end

metadata

@@ -1,32 +1,23 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: safe_yaml
-version: !ruby/object:Gem::Version 
-  hash: 57
+version: !ruby/object:Gem::Version
+  version: 0.8.4
   prerelease: 
-  segments: 
-  - 0
-  - 8
-  - 3
-  version: 0.8.3
 platform: ruby
-authors: 
+authors:
 - Dan Tao
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2013-02-20 00:00:00 Z
+date: 2013-02-26 00:00:00.000000000 Z
 dependencies: []
-
-description: Parse YAML safely, without that pesky arbitrary object deserialization vulnerability
+description: Parse YAML safely, without that pesky arbitrary object deserialization
+  vulnerability
 email: daniel.tao@gmail.com
 executables: []
-
 extensions: []
-
 extra_rdoc_files: []
-
-files: 
+files:
 - .gitignore
 - .travis.yml
 - Gemfile
@@ -34,6 +25,9 @@ files:
 - README.md
 - Rakefile
 - lib/safe_yaml.rb
+- lib/safe_yaml/parse/date.rb
+- lib/safe_yaml/parse/hexadecimal.rb
+- lib/safe_yaml/parse/sexagesimal.rb
 - lib/safe_yaml/psych_resolver.rb
 - lib/safe_yaml/resolver.rb
 - lib/safe_yaml/safe_to_ruby_visitor.rb
@@ -46,7 +40,6 @@ files:
 - lib/safe_yaml/transform/to_integer.rb
 - lib/safe_yaml/transform/to_nil.rb
 - lib/safe_yaml/transform/to_symbol.rb
-- lib/safe_yaml/transform/to_time.rb
 - lib/safe_yaml/version.rb
 - run_specs_all_ruby_versions.sh
 - safe_yaml.gemspec
@@ -58,47 +51,38 @@ files:
 - spec/spec_helper.rb
 - spec/support/exploitable_back_door.rb
 - spec/syck_resolver_spec.rb
+- spec/transform/base64_spec.rb
 - spec/transform/to_date_spec.rb
 - spec/transform/to_float_spec.rb
 - spec/transform/to_integer_spec.rb
 - spec/transform/to_symbol_spec.rb
-- spec/transform/to_time_spec.rb
 homepage: http://dtao.github.com/safe_yaml/
-licenses: 
+licenses:
 - MIT
 post_install_message: 
 rdoc_options: []
-
-require_paths: 
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 57
-      segments: 
-      - 1
-      - 8
-      - 7
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
       version: 1.8.7
-required_rubygems_version: !ruby/object:Gem::Requirement 
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: 
 rubygems_version: 1.8.25
 signing_key: 
 specification_version: 3
-summary: SameYAML provides an alternative implementation of YAML.load suitable for accepting user input in Ruby applications.
-test_files: 
+summary: SameYAML provides an alternative implementation of YAML.load suitable for
+  accepting user input in Ruby applications.
+test_files:
 - spec/exploit.1.9.2.yaml
 - spec/exploit.1.9.3.yaml
 - spec/psych_resolver_spec.rb
@@ -107,8 +91,8 @@ test_files:
 - spec/spec_helper.rb
 - spec/support/exploitable_back_door.rb
 - spec/syck_resolver_spec.rb
+- spec/transform/base64_spec.rb
 - spec/transform/to_date_spec.rb
 - spec/transform/to_float_spec.rb
 - spec/transform/to_integer_spec.rb
 - spec/transform/to_symbol_spec.rb
-- spec/transform/to_time_spec.rb

data/lib/safe_yaml/transform/to_time.rb

@@ -1,18 +0,0 @@
-module SafeYAML
-  class Transform
-    class ToTime
-      # There isn't a missing '$' there; YAML itself seems to ignore everything at the end of a
-      # string that otherwise resembles a time.
-      MATCHER = /\A\d{4}\-\d{2}\-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d{1,5})?/.freeze
-
-      def transform?(value)
-        return false unless MATCHER.match(value)
-        datetime = DateTime.parse(value) rescue nil
-        if datetime.respond_to?(:to_time)
-          return true, datetime.to_time
-        end
-        false
-      end
-    end
-  end
-end

data/spec/transform/to_time_spec.rb

@@ -1,18 +0,0 @@
-require File.join(File.dirname(__FILE__), "..", "spec_helper")
-
-describe SafeYAML::Transform::ToTime do
-  # It seems both Psych and Syck parse times starting w/ Ruby 1.9.2.
-  if RUBY_VERSION >= "1.9.2"
-    it "returns true when the value matches a valid Time" do
-      subject.transform?("2013-01-01 10:00:00")[0].should == true
-    end
-  end
-
-  it "returns false when the value does not match a valid Time" do
-    subject.transform?("not a time").should be_false
-  end
-
-  it "returns false when the beginning of a line does not match a Time" do
-    subject.transform?("NOT A TIME\n2013-01-01 10:00:00").should be_false
-  end
-end