safe_yaml 0.8.4 → 0.8.5

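--- a/data/lib/safe_yaml.rb
+++ b/data/lib/safe_yaml.rb
@@ -17,6 +17,7 @@ module SafeYAML
 
  DEFAULT_OPTIONS = {
  :default_mode => nil,
+ :suppress_warnings => false,
  :deserialize_symbols => false,
  :whitelisted_tags => [],
  :custom_initializers => {},
@@ -156,7 +157,10 @@ module YAML
  def safe_mode_from_options(method, options={})
  if options[:safe].nil?
  safe_mode = SafeYAML::OPTIONS[:default_mode] || :safe
- Kernel.warn "Called '#{method}' without the :safe option -- defaulting to #{safe_mode} mode." if SafeYAML::OPTIONS[:default_mode].nil?
+ if SafeYAML::OPTIONS[:default_mode].nil? && !SafeYAML::OPTIONS[:suppress_warnings]
+ Kernel.warn "Called '#{method}' without the :safe option -- defaulting to #{safe_mode} mode."
+ SafeYAML::OPTIONS[:suppress_warnings] = true
+ end
  return safe_mode
  end
 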
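Review bot: The first-warning latch in safe_mode_from_options reuses the user-configurable `:suppress_warnings` option as its own "already warned" state, so after one `YAML.load` without `:safe` the option reads `true` whether or not the application ever set it, and only `SafeYAML.restore_defaults!` (not in this diff; presumably it re-copies DEFAULT_OPTIONS, which should be confirmed for the new key) re-arms it. Because the latch is process-global, only the first unqualified call site is ever named in the warning; an application with several callers silently relying on the default mode is told about one. Keeping configuration and state apart avoids both problems: test `!SafeYAML::OPTIONS[:suppress_warnings] && !warned_about_default_mode` and set a private module-level flag instead of assigning into OPTIONS, e.g. `@warned_about_default_mode = true` on whichever object owns this method. A short comment on the assignment line, `# latch: warn at most once per process`, would also make the intent visible to readers who only see OPTIONS flip.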
@@ -16,8 +16,11 @@ module SafeYAML
16
16
  ".NAN" => NaN,
17
17
  }.freeze
18
18
 
19
+ MATCHER = /\A[-+]?(?:\d[\d_]*)?\.[\d_]*(?:[eE][-+][\d]+)?\Z/.freeze
20
+
19
21
  def transform?(value)
20
- return true, Float(value) rescue try_edge_cases?(value)
22
+ return true, Float(value) if MATCHER.match(value)
23
+ try_edge_cases?(value)
21
24
  end
22
25
 
23
26
  def try_edge_cases?(value)
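Review bot: MATCHER admits strings that `Float()` still rejects, and the old `rescue` is gone, so transform? now raises ArgumentError out of the parser instead of returning false: `"."` (both digit groups are optional), `"1."`, `"1_.0"` (trailing underscore allowed by `[\d_]*`) and `"1__0.0"` all match the pattern. For a library whose job is to parse untrusted YAML, a scalar that aborts the whole `safe_load` is a denial-of-service lever, so rescuing ArgumentError only on the matched path keeps the exception-free fast path for ordinary strings while restoring the old fall-through. `\Z` also tolerates a trailing newline where `\z` would not; `Float()` strips it, so that is a typing nit rather than a crash. The enclosing Transform class continues past the end of the hunk and `try_edge_cases?` starts on its last line.
```ruby
MATCHER = /\A[-+]?(?:\d[\d_]*)?\.[\d_]*(?:[eE][-+][\d]+)?\z/.freeze

def transform?(value)
  if MATCHER.match(value)
    begin
      return true, Float(value)
    rescue ArgumentError
      # Looked float-like but Float() rejects it (e.g. "1." or "1__0.0"); fall through.
    end
  end
  try_edge_cases?(value)
end
```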
@@ -1,8 +1,18 @@
1
1
  module SafeYAML
2
2
  class Transform
3
3
  class ToInteger
4
+ MATCHERS = [
5
+ /\A[-+]?[1-9][0-9_]*\Z/.freeze, # decimal
6
+ /\A0[0-7]+\Z/.freeze, # octal
7
+ /\A0x[0-9a-f]+\Z/i.freeze, # hexadecimal
8
+ /\A0b[01_]+\Z/.freeze # binary
9
+ ].freeze
10
+
4
11
  def transform?(value)
5
- return true, Integer(value) rescue try_edge_cases?(value)
12
+ MATCHERS.each do |matcher|
13
+ return true, Integer(value) if matcher.match(value)
14
+ end
15
+ try_edge_cases?(value)
6
16
  end
7
17
 
8
18
  def try_edge_cases?(value)
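Review bot: The integer matchers have the same gap as the float one: `"1_"`, `"1__0"`, `"0b_"` and `"0b1__0"` match `[0-9_]*` / `[01_]+` but `Integer()` rejects them, and with the `rescue` removed transform? now raises ArgumentError on such scalars instead of returning false. A bare `"0"` matches none of the four patterns (decimal requires a leading 1–9, octal a digit after the 0), so unless `try_edge_cases?`, cut off at the end of the hunk, handles it, `0` now deserializes as a string where `Integer("0")` used to yield 0. Octal, hex and binary also accept no sign while decimal does, so `-0x10` stays a string; whether that is intended is not visible here. Restricting underscores to between digits, covering zero, anchoring with `\z` and rescuing only on the matched path keeps the exception-free fast path:
```ruby
MATCHERS = [
  /\A[-+]?(?:0|[1-9](?:_?[0-9])*)\z/.freeze, # decimal, underscores only between digits
  /\A0[0-7]+\z/.freeze,                      # octal
  /\A0x[0-9a-f]+\z/i.freeze,                 # hexadecimal
  /\A0b[01](?:_?[01])*\z/.freeze             # binary
].freeze

def transform?(value)
  if MATCHERS.any? { |matcher| matcher.match(value) }
    begin
      return true, Integer(value)
    rescue ArgumentError
      # Matched a shape Integer() still rejects; treat the scalar as a plain string.
    end
  end
  try_edge_cases?(value)
end
```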
@@ -1,3 +1,3 @@
1
1
  module SafeYAML
2
- VERSION = "0.8.4"
2
+ VERSION = "0.8.5"
3
3
  end
@@ -182,9 +182,12 @@ module ResolverSpecs
182
182
  result.should == [Time.utc(2013, 1, 29, 13, 58, 0)]
183
183
  end
184
184
 
185
- it "applies the same transformation to keys" do
186
- parse "2013-01-29 05:58:00 -0800: time"
187
- result.should == { Time.utc(2013, 1, 29, 13, 58, 0) => "time" }
185
+ # On Ruby 2.0.0-rc1, even YAML.load overflows the stack on this input.
186
+ if RUBY_VERSION != "2.0.0"
187
+ it "applies the same transformation to keys" do
188
+ parse "2013-01-29 05:58:00 -0800: time"
189
+ result.should == { Time.utc(2013, 1, 29, 13, 58, 0) => "time" }
190
+ end
188
191
  end
189
192
  end
190
193
  end
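Review bot: The guard `if RUBY_VERSION != "2.0.0"` removes the example on every 2.0.0 build, while the comment scopes the problem to 2.0.0-rc1, so on the final release the key-transformation behaviour is silently untested and the suite reports nothing about it. Marking the example pending keeps it visible in the output: `pending "stack overflow in YAML.load on Ruby 2.0.0-rc1" if RUBY_VERSION == "2.0.0"` as the first line of the example, with the `if` wrapper dropped. If the overflow really affects all 2.0.0 builds (RUBY_VERSION cannot tell rc1 from final), the comment should say so rather than naming the release candidate.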
@@ -12,7 +12,7 @@ describe YAML do
12
12
  end
13
13
 
14
14
  before :each do
15
- SafeYAML::OPTIONS[:deserialize_symbols] = false
15
+ SafeYAML.restore_defaults!
16
16
  end
17
17
 
18
18
  describe "unsafe_load" do
@@ -42,10 +42,6 @@ describe YAML do
42
42
  end
43
43
  end
44
44
 
45
- after :each do
46
- SafeYAML.restore_defaults!
47
- end
48
-
49
45
  it "effectively ignores the whitelist (since everything is whitelisted)" do
50
46
  result = YAML.unsafe_load <<-YAML.unindent
51
47
  --- !ruby/object:OpenStruct
@@ -260,10 +256,6 @@ describe YAML do
260
256
  end
261
257
  end
262
258
 
263
- after :each do
264
- SafeYAML.restore_defaults!
265
- end
266
-
267
259
  it "will use a custom initializer to instantiate an array-like class upon deserialization" do
268
260
  result = YAML.safe_load <<-YAML.unindent
269
261
  --- !set
@@ -299,10 +291,6 @@ describe YAML do
299
291
  SafeYAML::OPTIONS[:deserialize_symbols] = true
300
292
  end
301
293
 
302
- after :each do
303
- SafeYAML.restore_defaults!
304
- end
305
-
306
294
  it "will allow objects to be deserialized for whitelisted tags" do
307
295
  result = YAML.safe_load("--- !ruby/object:OpenStruct\ntable:\n foo: bar\n")
308
296
  result.should be_a(OpenStruct)
@@ -429,10 +417,6 @@ describe YAML do
429
417
  }
430
418
 
431
419
  context "as long as a :default_mode has been specified" do
432
- after :each do
433
- SafeYAML.restore_defaults!
434
- end
435
-
436
420
  it "doesn't issue a warning for safe mode, since an explicit mode has been set" do
437
421
  SafeYAML::OPTIONS[:default_mode] = :safe
438
422
  Kernel.should_not_receive(:warn)
@@ -453,6 +437,13 @@ describe YAML do
453
437
  end
454
438
  end
455
439
 
440
+ it "only issues a warning once (to avoid spamming an app's output)" do
441
+ silence_warnings do
442
+ Kernel.should_receive(:warn).once
443
+ 2.times { YAML.load(*arguments) }
444
+ end
445
+ end
446
+
456
447
  it "doesn't issue a warning as long as the :safe option is specified" do
457
448
  Kernel.should_not_receive(:warn)
458
449
  YAML.load(*(arguments + [{:safe => true}]))
@@ -480,10 +471,6 @@ describe YAML do
480
471
  SafeYAML::OPTIONS[:default_mode] = :unsafe
481
472
  end
482
473
 
483
- after :each do
484
- SafeYAML.restore_defaults!
485
- end
486
-
487
474
  it "defaults to unsafe mode if the :safe option is omitted" do
488
475
  silence_warnings do
489
476
  YAML.should_receive(:unsafe_load).with(*arguments)
@@ -535,10 +522,6 @@ describe YAML do
535
522
  SafeYAML::OPTIONS[:default_mode] = :unsafe
536
523
  end
537
524
 
538
- after :each do
539
- SafeYAML.restore_defaults!
540
- end
541
-
542
525
  it "defaults to unsafe mode if the :safe option is omitted" do
543
526
  silence_warnings do
544
527
  YAML.should_receive(:unsafe_load_file).with(filename)
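Review bot: The new "only issues a warning once" example, and every `Kernel.should_not_receive(:warn)` example in this file, is only meaningful if `:suppress_warnings` is false when the example starts, because the library now latches that option to true after the first unqualified load and a leaked latch makes the negative expectations pass vacuously. That reset is delegated to `SafeYAML.restore_defaults!` in the `before :each`, which is outside this diff, so please confirm it copies the new key. Asserting the precondition makes the dependency explicit: `SafeYAML::OPTIONS[:suppress_warnings].should be_false` before the two loads, and `SafeYAML::OPTIONS[:suppress_warnings].should be_true` after them documents the mechanism the test relies on. The `silence_warnings` wrapper around a `should_receive(:warn)` expectation appears redundant, since the expectation already replaces `warn`.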
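--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: safe_yaml
 version: !ruby/object:Gem::Version
- version: 0.8.4
+ version: 0.8.5
 prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
- date: 2013-02-26 00:00:00.000000000 Z
+ date: 2013-03-11 00:00:00.000000000 Z
 dependencies: []
 description: Parse YAML safely, without that pesky arbitrary object deserialization
 vulnerability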