safe_yaml 0.9.0 → 0.9.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 330f4d149692c82b643b6c1715ee580b7613d569
+  data.tar.gz: 71a3662c45376b5d247ea41f55dd8e60ee763307
+SHA512:
+  metadata.gz: d2827503520960753cf30adb7d7d10356a3cc35d1862304e1250a53471e33b7cbc4bb8aa483e39b612468a9c4aa2256b4b3d288bb7fdde0b2089732178ee2bcb
+  data.tar.gz: adfa5835e47678452d891289c74ef541845f3d5d77a68743ba7ab337fd4018cc052700ada3fedd3d4637241c7050198f60924df9b7a3ceb123f2896ff90b6660

data/.travis.yml

@@ -29,9 +29,6 @@ matrix:
     - rvm: ruby-head
     - rvm: rbx-19mode
     - rvm: rbx-18mode
-    - rvm: jruby-head
-    - rvm: jruby-19mode
-    - rvm: jruby-18mode
     - rvm: ree
 
   exclude:

data/lib/safe_yaml.rb

@@ -1,7 +1,15 @@
 require "yaml"
+
+# This needs to be defined up front in case any internal classes need to base
+# their behavior off of this.
+module SafeYAML
+  YAML_ENGINE = defined?(YAML::ENGINE) ? YAML::ENGINE.yamler : "syck"
+end
+
 require "safe_yaml/parse/hexadecimal"
 require "safe_yaml/parse/sexagesimal"
 require "safe_yaml/parse/date"
+require "safe_yaml/transform/transformation_map"
 require "safe_yaml/transform/to_boolean"
 require "safe_yaml/transform/to_date"
 require "safe_yaml/transform/to_float"
@@ -11,10 +19,10 @@ require "safe_yaml/transform/to_symbol"
 require "safe_yaml/transform"
 require "safe_yaml/resolver"
 require "safe_yaml/deep"
+require "safe_yaml/syck_hack" if defined?(JRUBY_VERSION)
 
 module SafeYAML
   MULTI_ARGUMENT_YAML_LOAD = YAML.method(:load).arity != 1
-  YAML_ENGINE = defined?(YAML::ENGINE) ? YAML::ENGINE.yamler : "syck"
 
   DEFAULT_OPTIONS = Deep.freeze({
     :default_mode         => nil,
@@ -33,7 +41,7 @@ module SafeYAML
   end
 
   def tag_safety_check!(tag, options)
-    return if tag.nil?
+    return if tag.nil? || tag == "!"
     if options[:raise_on_unknown_tag] && !options[:whitelisted_tags].include?(tag) && !tag_is_explicitly_trusted?(tag)
       raise "Unknown YAML tag '#{tag}'"
     end

data/lib/safe_yaml/syck_hack.rb

@@ -0,0 +1,36 @@
+# Hack to JRuby 1.8's YAML Parser Yecht
+#
+# This file is always loaded AFTER either syck or psych are already
+# loaded. It then looks at what constants are available and creates
+# a consistent view on all rubys.
+#
+# Taken from rubygems and modified.
+# See https://github.com/rubygems/rubygems/blob/master/lib/rubygems/syck_hack.rb
+
+module YAML
+  # In newer 1.9.2, there is a Syck toplevel constant instead of it
+  # being underneith YAML. If so, reference it back under YAML as
+  # well.
+  if defined? ::Syck
+    # for tests that change YAML::ENGINE
+    # 1.8 does not support the second argument to const_defined?
+    remove_const :Syck rescue nil
+
+    Syck = ::Syck
+
+  # JRuby's "Syck" is called "Yecht"
+  elsif defined? YAML::Yecht
+    Syck = YAML::Yecht
+  end
+end
+
+# Sometime in the 1.9 dev cycle, the Syck constant was moved from under YAML
+# to be a toplevel constant. So gemspecs created under these versions of Syck
+# will have references to Syck::DefaultKey.
+#
+# So we need to be sure that we reference Syck at the toplevel too so that
+# we can always load these kind of gemspecs.
+#
+if !defined?(Syck)
+  Syck = YAML::Syck
+end

data/lib/safe_yaml/transform/to_boolean.rb

@@ -1,18 +1,20 @@
 module SafeYAML
   class Transform
     class ToBoolean
-      PREDEFINED_VALUES = {
+      include TransformationMap
+
+      set_predefined_values({
         "yes"   => true,
         "on"    => true,
         "true"  => true,
         "no"    => false,
         "off"   => false,
         "false" => false
-      }.freeze
+      })
 
       def transform?(value)
-        key = value.downcase
-        return PREDEFINED_VALUES.include?(key), PREDEFINED_VALUES[key]
+        return false if value.length > 5
+        return PREDEFINED_VALUES.include?(value), PREDEFINED_VALUES[value]
       end
     end
   end

data/lib/safe_yaml/transform/to_nil.rb

@@ -1,15 +1,17 @@
 module SafeYAML
   class Transform
     class ToNil
-      PREDEFINED_VALUES = {
+      include TransformationMap
+
+      set_predefined_values({
         ""      => nil,
         "~"     => nil,
         "null"  => nil,
-      }.freeze
+      })
 
       def transform?(value)
-        key = value.downcase
-        return PREDEFINED_VALUES.include?(key), PREDEFINED_VALUES[key]
+        return false if value.length > 4
+        return PREDEFINED_VALUES.include?(value), PREDEFINED_VALUES[value]
       end
     end
   end

data/lib/safe_yaml/transform/transformation_map.rb

@@ -0,0 +1,47 @@
+module SafeYAML
+  class Transform
+    module TransformationMap
+      def self.included(base)
+        base.extend(ClassMethods)
+      end
+
+      class CaseAgnosticMap < Hash
+        def initialize(*args)
+          super
+        end
+
+        def include?(key)
+          super(key.downcase)
+        end
+
+        def [](key)
+          super(key.downcase)
+        end
+
+        # OK, I actually don't think it's all that important that this map be
+        # frozen.
+        def freeze
+          self
+        end
+      end
+
+      module ClassMethods
+        def set_predefined_values(predefined_values)
+          if SafeYAML::YAML_ENGINE == "syck"
+            expanded_map = predefined_values.inject({}) do |hash, (key, value)|
+              hash[key] = value
+              hash[key.capitalize] = value
+              hash[key.upcase] = value
+              hash
+            end
+          else
+            expanded_map = CaseAgnosticMap.new
+            expanded_map.merge!(predefined_values)
+          end
+
+          self.const_set(:PREDEFINED_VALUES, expanded_map.freeze)
+        end
+      end
+    end
+  end
+end

data/lib/safe_yaml/version.rb

@@ -1,3 +1,3 @@
 module SafeYAML
-  VERSION = "0.9.0"
+  VERSION = "0.9.1"
 end

data/spec/resolver_specs.rb

@@ -9,6 +9,12 @@ module ResolverSpecs
         @result = resolver.resolve_node(tree)
       end
 
+      # Isn't this how I should've been doing it all along?
+      def parse_and_test(yaml)
+        parse(yaml)
+        @result.should == YAML.unsafe_load(yaml)
+      end
+
       context "by default" do
         it "translates maps to hashes" do
           parse <<-YAML
@@ -78,6 +84,35 @@ module ResolverSpecs
           result.should == [nil] * 3
         end
 
+        it "matches the behavior of the underlying YAML engine w/ respect to capitalization of boolean values" do
+          parse_and_test <<-YAML
+            - true
+            - True
+            - TRUE
+            - tRue
+            - TRue
+            - False
+            - FALSE
+            - fAlse
+            - FALse
+          YAML
+
+          # using Syck: [true, true, true, "tRue", "TRue", false, false, "fAlse", "FALse"]
+          # using Psych: all booleans
+        end
+
+        it "matches the behavior of the underlying YAML engine w/ respect to capitalization of nil values" do
+          parse_and_test <<-YAML
+            - Null
+            - NULL
+            - nUll
+            - NUll
+          YAML
+
+          # using Syck: [nil, nil, "nUll", "NUll"]
+          # using Psych: all nils
+        end
+
         it "translates quoted empty strings to strings (not nil)" do
           parse "foo: ''"
           result.should == { "foo" => "" }

data/spec/safe_yaml_spec.rb

@@ -384,6 +384,12 @@ describe YAML do
             "hash"    => {}
           }
         end
+
+        it "does not raise an exception on the non-specific '!' tag" do
+          result = nil
+          expect { result = YAML.safe_load "--- ! 'foo'" }.to_not raise_error
+          result.should == "foo"
+        end
       end
     end
 

metadata

@@ -1,15 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: safe_yaml
 version: !ruby/object:Gem::Version
-  version: 0.9.0
-  prerelease: 
+  version: 0.9.1
 platform: ruby
 authors:
 - Dan Tao
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-03-23 00:00:00.000000000 Z
+date: 2013-04-19 00:00:00.000000000 Z
 dependencies: []
 description: Parse YAML safely, without that pesky arbitrary object deserialization
   vulnerability
@@ -33,6 +32,7 @@ files:
 - lib/safe_yaml/psych_resolver.rb
 - lib/safe_yaml/resolver.rb
 - lib/safe_yaml/safe_to_ruby_visitor.rb
+- lib/safe_yaml/syck_hack.rb
 - lib/safe_yaml/syck_node_monkeypatch.rb
 - lib/safe_yaml/syck_resolver.rb
 - lib/safe_yaml/transform.rb
@@ -42,6 +42,7 @@ files:
 - lib/safe_yaml/transform/to_integer.rb
 - lib/safe_yaml/transform/to_nil.rb
 - lib/safe_yaml/transform/to_symbol.rb
+- lib/safe_yaml/transform/transformation_map.rb
 - lib/safe_yaml/version.rb
 - run_specs_all_ruby_versions.sh
 - safe_yaml.gemspec
@@ -61,27 +62,26 @@ files:
 homepage: http://dtao.github.com/safe_yaml/
 licenses:
 - MIT
+metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: 1.8.7
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.25
+rubygems_version: 2.0.3
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: SameYAML provides an alternative implementation of YAML.load suitable for
   accepting user input in Ruby applications.
 test_files: