safe_yaml 0.9.0 → 0.9.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/.travis.yml +0 -3
- data/lib/safe_yaml.rb +10 -2
- data/lib/safe_yaml/syck_hack.rb +36 -0
- data/lib/safe_yaml/transform/to_boolean.rb +6 -4
- data/lib/safe_yaml/transform/to_nil.rb +6 -4
- data/lib/safe_yaml/transform/transformation_map.rb +47 -0
- data/lib/safe_yaml/version.rb +1 -1
- data/spec/resolver_specs.rb +35 -0
- data/spec/safe_yaml_spec.rb +6 -0
- metadata +9 -9
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: 330f4d149692c82b643b6c1715ee580b7613d569
|
4
|
+
data.tar.gz: 71a3662c45376b5d247ea41f55dd8e60ee763307
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: d2827503520960753cf30adb7d7d10356a3cc35d1862304e1250a53471e33b7cbc4bb8aa483e39b612468a9c4aa2256b4b3d288bb7fdde0b2089732178ee2bcb
|
7
|
+
data.tar.gz: adfa5835e47678452d891289c74ef541845f3d5d77a68743ba7ab337fd4018cc052700ada3fedd3d4637241c7050198f60924df9b7a3ceb123f2896ff90b6660
|
data/.travis.yml
CHANGED
data/lib/safe_yaml.rb
CHANGED
@@ -1,7 +1,15 @@
|
|
1
1
|
require "yaml"
|
2
|
+
|
3
|
+
# This needs to be defined up front in case any internal classes need to base
|
4
|
+
# their behavior off of this.
|
5
|
+
module SafeYAML
|
6
|
+
YAML_ENGINE = defined?(YAML::ENGINE) ? YAML::ENGINE.yamler : "syck"
|
7
|
+
end
|
8
|
+
|
2
9
|
require "safe_yaml/parse/hexadecimal"
|
3
10
|
require "safe_yaml/parse/sexagesimal"
|
4
11
|
require "safe_yaml/parse/date"
|
12
|
+
require "safe_yaml/transform/transformation_map"
|
5
13
|
require "safe_yaml/transform/to_boolean"
|
6
14
|
require "safe_yaml/transform/to_date"
|
7
15
|
require "safe_yaml/transform/to_float"
|
@@ -11,10 +19,10 @@ require "safe_yaml/transform/to_symbol"
|
|
11
19
|
require "safe_yaml/transform"
|
12
20
|
require "safe_yaml/resolver"
|
13
21
|
require "safe_yaml/deep"
|
22
|
+
require "safe_yaml/syck_hack" if defined?(JRUBY_VERSION)
|
14
23
|
|
15
24
|
module SafeYAML
|
16
25
|
MULTI_ARGUMENT_YAML_LOAD = YAML.method(:load).arity != 1
|
17
|
-
YAML_ENGINE = defined?(YAML::ENGINE) ? YAML::ENGINE.yamler : "syck"
|
18
26
|
|
19
27
|
DEFAULT_OPTIONS = Deep.freeze({
|
20
28
|
:default_mode => nil,
|
@@ -33,7 +41,7 @@ module SafeYAML
|
|
33
41
|
end
|
34
42
|
|
35
43
|
def tag_safety_check!(tag, options)
|
36
|
-
return if tag.nil?
|
44
|
+
return if tag.nil? || tag == "!"
|
37
45
|
if options[:raise_on_unknown_tag] && !options[:whitelisted_tags].include?(tag) && !tag_is_explicitly_trusted?(tag)
|
38
46
|
raise "Unknown YAML tag '#{tag}'"
|
39
47
|
end
|
@@ -0,0 +1,36 @@
|
|
1
|
+
# Hack to JRuby 1.8's YAML Parser Yecht
|
2
|
+
#
|
3
|
+
# This file is always loaded AFTER either syck or psych are already
|
4
|
+
# loaded. It then looks at what constants are available and creates
|
5
|
+
# a consistent view on all rubys.
|
6
|
+
#
|
7
|
+
# Taken from rubygems and modified.
|
8
|
+
# See https://github.com/rubygems/rubygems/blob/master/lib/rubygems/syck_hack.rb
|
9
|
+
|
10
|
+
module YAML
|
11
|
+
# In newer 1.9.2, there is a Syck toplevel constant instead of it
|
12
|
+
# being underneith YAML. If so, reference it back under YAML as
|
13
|
+
# well.
|
14
|
+
if defined? ::Syck
|
15
|
+
# for tests that change YAML::ENGINE
|
16
|
+
# 1.8 does not support the second argument to const_defined?
|
17
|
+
remove_const :Syck rescue nil
|
18
|
+
|
19
|
+
Syck = ::Syck
|
20
|
+
|
21
|
+
# JRuby's "Syck" is called "Yecht"
|
22
|
+
elsif defined? YAML::Yecht
|
23
|
+
Syck = YAML::Yecht
|
24
|
+
end
|
25
|
+
end
|
26
|
+
|
27
|
+
# Sometime in the 1.9 dev cycle, the Syck constant was moved from under YAML
|
28
|
+
# to be a toplevel constant. So gemspecs created under these versions of Syck
|
29
|
+
# will have references to Syck::DefaultKey.
|
30
|
+
#
|
31
|
+
# So we need to be sure that we reference Syck at the toplevel too so that
|
32
|
+
# we can always load these kind of gemspecs.
|
33
|
+
#
|
34
|
+
if !defined?(Syck)
|
35
|
+
Syck = YAML::Syck
|
36
|
+
end
|
@@ -1,18 +1,20 @@
|
|
1
1
|
module SafeYAML
|
2
2
|
class Transform
|
3
3
|
class ToBoolean
|
4
|
-
|
4
|
+
include TransformationMap
|
5
|
+
|
6
|
+
set_predefined_values({
|
5
7
|
"yes" => true,
|
6
8
|
"on" => true,
|
7
9
|
"true" => true,
|
8
10
|
"no" => false,
|
9
11
|
"off" => false,
|
10
12
|
"false" => false
|
11
|
-
}
|
13
|
+
})
|
12
14
|
|
13
15
|
def transform?(value)
|
14
|
-
|
15
|
-
return PREDEFINED_VALUES.include?(
|
16
|
+
return false if value.length > 5
|
17
|
+
return PREDEFINED_VALUES.include?(value), PREDEFINED_VALUES[value]
|
16
18
|
end
|
17
19
|
end
|
18
20
|
end
|
@@ -1,15 +1,17 @@
|
|
1
1
|
module SafeYAML
|
2
2
|
class Transform
|
3
3
|
class ToNil
|
4
|
-
|
4
|
+
include TransformationMap
|
5
|
+
|
6
|
+
set_predefined_values({
|
5
7
|
"" => nil,
|
6
8
|
"~" => nil,
|
7
9
|
"null" => nil,
|
8
|
-
}
|
10
|
+
})
|
9
11
|
|
10
12
|
def transform?(value)
|
11
|
-
|
12
|
-
return PREDEFINED_VALUES.include?(
|
13
|
+
return false if value.length > 4
|
14
|
+
return PREDEFINED_VALUES.include?(value), PREDEFINED_VALUES[value]
|
13
15
|
end
|
14
16
|
end
|
15
17
|
end
|
@@ -0,0 +1,47 @@
|
|
1
|
+
module SafeYAML
|
2
|
+
class Transform
|
3
|
+
module TransformationMap
|
4
|
+
def self.included(base)
|
5
|
+
base.extend(ClassMethods)
|
6
|
+
end
|
7
|
+
|
8
|
+
class CaseAgnosticMap < Hash
|
9
|
+
def initialize(*args)
|
10
|
+
super
|
11
|
+
end
|
12
|
+
|
13
|
+
def include?(key)
|
14
|
+
super(key.downcase)
|
15
|
+
end
|
16
|
+
|
17
|
+
def [](key)
|
18
|
+
super(key.downcase)
|
19
|
+
end
|
20
|
+
|
21
|
+
# OK, I actually don't think it's all that important that this map be
|
22
|
+
# frozen.
|
23
|
+
def freeze
|
24
|
+
self
|
25
|
+
end
|
26
|
+
end
|
27
|
+
|
28
|
+
module ClassMethods
|
29
|
+
def set_predefined_values(predefined_values)
|
30
|
+
if SafeYAML::YAML_ENGINE == "syck"
|
31
|
+
expanded_map = predefined_values.inject({}) do |hash, (key, value)|
|
32
|
+
hash[key] = value
|
33
|
+
hash[key.capitalize] = value
|
34
|
+
hash[key.upcase] = value
|
35
|
+
hash
|
36
|
+
end
|
37
|
+
else
|
38
|
+
expanded_map = CaseAgnosticMap.new
|
39
|
+
expanded_map.merge!(predefined_values)
|
40
|
+
end
|
41
|
+
|
42
|
+
self.const_set(:PREDEFINED_VALUES, expanded_map.freeze)
|
43
|
+
end
|
44
|
+
end
|
45
|
+
end
|
46
|
+
end
|
47
|
+
end
|
data/lib/safe_yaml/version.rb
CHANGED
data/spec/resolver_specs.rb
CHANGED
@@ -9,6 +9,12 @@ module ResolverSpecs
|
|
9
9
|
@result = resolver.resolve_node(tree)
|
10
10
|
end
|
11
11
|
|
12
|
+
# Isn't this how I should've been doing it all along?
|
13
|
+
def parse_and_test(yaml)
|
14
|
+
parse(yaml)
|
15
|
+
@result.should == YAML.unsafe_load(yaml)
|
16
|
+
end
|
17
|
+
|
12
18
|
context "by default" do
|
13
19
|
it "translates maps to hashes" do
|
14
20
|
parse <<-YAML
|
@@ -78,6 +84,35 @@ module ResolverSpecs
|
|
78
84
|
result.should == [nil] * 3
|
79
85
|
end
|
80
86
|
|
87
|
+
it "matches the behavior of the underlying YAML engine w/ respect to capitalization of boolean values" do
|
88
|
+
parse_and_test <<-YAML
|
89
|
+
- true
|
90
|
+
- True
|
91
|
+
- TRUE
|
92
|
+
- tRue
|
93
|
+
- TRue
|
94
|
+
- False
|
95
|
+
- FALSE
|
96
|
+
- fAlse
|
97
|
+
- FALse
|
98
|
+
YAML
|
99
|
+
|
100
|
+
# using Syck: [true, true, true, "tRue", "TRue", false, false, "fAlse", "FALse"]
|
101
|
+
# using Psych: all booleans
|
102
|
+
end
|
103
|
+
|
104
|
+
it "matches the behavior of the underlying YAML engine w/ respect to capitalization of nil values" do
|
105
|
+
parse_and_test <<-YAML
|
106
|
+
- Null
|
107
|
+
- NULL
|
108
|
+
- nUll
|
109
|
+
- NUll
|
110
|
+
YAML
|
111
|
+
|
112
|
+
# using Syck: [nil, nil, "nUll", "NUll"]
|
113
|
+
# using Psych: all nils
|
114
|
+
end
|
115
|
+
|
81
116
|
it "translates quoted empty strings to strings (not nil)" do
|
82
117
|
parse "foo: ''"
|
83
118
|
result.should == { "foo" => "" }
|
data/spec/safe_yaml_spec.rb
CHANGED
@@ -384,6 +384,12 @@ describe YAML do
|
|
384
384
|
"hash" => {}
|
385
385
|
}
|
386
386
|
end
|
387
|
+
|
388
|
+
it "does not raise an exception on the non-specific '!' tag" do
|
389
|
+
result = nil
|
390
|
+
expect { result = YAML.safe_load "--- ! 'foo'" }.to_not raise_error
|
391
|
+
result.should == "foo"
|
392
|
+
end
|
387
393
|
end
|
388
394
|
end
|
389
395
|
|
metadata
CHANGED
@@ -1,15 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: safe_yaml
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.9.
|
5
|
-
prerelease:
|
4
|
+
version: 0.9.1
|
6
5
|
platform: ruby
|
7
6
|
authors:
|
8
7
|
- Dan Tao
|
9
8
|
autorequire:
|
10
9
|
bindir: bin
|
11
10
|
cert_chain: []
|
12
|
-
date: 2013-
|
11
|
+
date: 2013-04-19 00:00:00.000000000 Z
|
13
12
|
dependencies: []
|
14
13
|
description: Parse YAML safely, without that pesky arbitrary object deserialization
|
15
14
|
vulnerability
|
@@ -33,6 +32,7 @@ files:
|
|
33
32
|
- lib/safe_yaml/psych_resolver.rb
|
34
33
|
- lib/safe_yaml/resolver.rb
|
35
34
|
- lib/safe_yaml/safe_to_ruby_visitor.rb
|
35
|
+
- lib/safe_yaml/syck_hack.rb
|
36
36
|
- lib/safe_yaml/syck_node_monkeypatch.rb
|
37
37
|
- lib/safe_yaml/syck_resolver.rb
|
38
38
|
- lib/safe_yaml/transform.rb
|
@@ -42,6 +42,7 @@ files:
|
|
42
42
|
- lib/safe_yaml/transform/to_integer.rb
|
43
43
|
- lib/safe_yaml/transform/to_nil.rb
|
44
44
|
- lib/safe_yaml/transform/to_symbol.rb
|
45
|
+
- lib/safe_yaml/transform/transformation_map.rb
|
45
46
|
- lib/safe_yaml/version.rb
|
46
47
|
- run_specs_all_ruby_versions.sh
|
47
48
|
- safe_yaml.gemspec
|
@@ -61,27 +62,26 @@ files:
|
|
61
62
|
homepage: http://dtao.github.com/safe_yaml/
|
62
63
|
licenses:
|
63
64
|
- MIT
|
65
|
+
metadata: {}
|
64
66
|
post_install_message:
|
65
67
|
rdoc_options: []
|
66
68
|
require_paths:
|
67
69
|
- lib
|
68
70
|
required_ruby_version: !ruby/object:Gem::Requirement
|
69
|
-
none: false
|
70
71
|
requirements:
|
71
|
-
- -
|
72
|
+
- - '>='
|
72
73
|
- !ruby/object:Gem::Version
|
73
74
|
version: 1.8.7
|
74
75
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
75
|
-
none: false
|
76
76
|
requirements:
|
77
|
-
- -
|
77
|
+
- - '>='
|
78
78
|
- !ruby/object:Gem::Version
|
79
79
|
version: '0'
|
80
80
|
requirements: []
|
81
81
|
rubyforge_project:
|
82
|
-
rubygems_version:
|
82
|
+
rubygems_version: 2.0.3
|
83
83
|
signing_key:
|
84
|
-
specification_version:
|
84
|
+
specification_version: 4
|
85
85
|
summary: SameYAML provides an alternative implementation of YAML.load suitable for
|
86
86
|
accepting user input in Ruby applications.
|
87
87
|
test_files:
|