safe_yaml 0.9.6 → 0.9.7
- checksums.yaml +4 -4
 - data/CHANGES.md +6 -0
 - data/lib/safe_yaml.rb +11 -3
 - data/lib/safe_yaml/psych_handler.rb +7 -12
 - data/lib/safe_yaml/version.rb +1 -1
 - data/spec/issue48.txt +20 -0
 - data/spec/safe_yaml_spec.rb +2 -2
 - metadata +5 -5
 - data/spec/issue48.yml +0 -6
 
    
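--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: d56ceb5aefcdb8415178936b17589f26139ec062
+  data.tar.gz: cd7b6f5d702b6680eb17116a832f0e651737d599
 SHA512:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: 4c4686cc5c8a087bbebdc706862223a3d9df7e28b559d32ff6c9ea1bf8db02d273b5b8cc425f903b8ed20e31915381149e3f330b8815ef20bc6de9f428963dff
+  data.tar.gz: ded13cfdc5044e90220bc24d058a79c89c7a319cbe3b120a09ca1e73d78d6dc2d2a32b90f358c06dd2d3f9585e3836246a6df855dcd5cdcc6a4cd38bc9df6b29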
    
        data/CHANGES.md
    CHANGED
    
    
    
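--- a/data/lib/safe_yaml.rb
+++ b/data/lib/safe_yaml.rb
@@ -165,11 +165,12 @@ module YAML
       # If the user hasn't whitelisted any tags, we can go with this implementation which is
       # significantly faster.
       if (options && options[:whitelisted_tags] || SafeYAML::OPTIONS[:whitelisted_tags]).empty?
-        safe_handler = SafeYAML::PsychHandler.new(options)
+        safe_handler = SafeYAML::PsychHandler.new(options) do |result|
+          return result
+        end
         arguments_for_parse = [yaml]
         arguments_for_parse << filename if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
         Psych::Parser.new(safe_handler).parse(*arguments_for_parse)
-        return safe_handler.result
 
       else
         safe_resolver = SafeYAML::PsychResolver.new(options)
@@ -236,10 +237,17 @@ module YAML
   def safe_mode_from_options(method, options={})
     if options[:safe].nil?
       safe_mode = SafeYAML::OPTIONS[:default_mode] || :safe
+
       if SafeYAML::OPTIONS[:default_mode].nil? && !SafeYAML::OPTIONS[:suppress_warnings]
-
+
+        Kernel.warn <<-EOWARNING.gsub(/^\s+/, '')
+          Called '#{method}' without the :safe option -- defaulting to #{safe_mode} mode.
+          You can avoid this warning in the future by setting the SafeYAML::OPTIONS[:default_mode] option (to :safe or :unsafe).
+        EOWARNING
+
         SafeYAML::OPTIONS[:suppress_warnings] = true
       end
+
       return safe_mode
     end
 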
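Review bot: Removing `return safe_handler.result` after the `Psych::Parser.new(safe_handler).parse(*arguments_for_parse)` line leaves the fast path with no explicit return for input that never produces an `end_document` event (an empty string or a stream with no document), because the block's `return result` only runs from `end_document`; the branch then evaluates to whatever `parse` returns, which is unlikely to be the parsed data the caller expects. Keeping `return safe_handler.result` after the parse call restores the old fallback and costs nothing when the block has already returned. The non-local `return` inside the block is the whole reason the handler now takes one — it exits the loading method at the end of the first document so the trailing text in the issue 48 fixture is never interpreted — and nothing in the hunk says so; a comment such as `# Returning from this block exits the method as soon as the first document ends; anything after it is never parsed.` would keep the next reader from "simplifying" it. Whether the enclosing method ends inside this hunk is not visible here.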
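--- a/data/lib/safe_yaml/psych_handler.rb
+++ b/data/lib/safe_yaml/psych_handler.rb
@@ -3,8 +3,9 @@ require "base64"
 
 module SafeYAML
   class PsychHandler < Psych::Handler
-    def initialize(options)
+    def initialize(options, &block)
       @options      = SafeYAML::OPTIONS.merge(options || {})
+      @block        = block
       @initializers = @options[:custom_initializers] || {}
       @anchors      = {}
       @stack        = []
@@ -44,16 +45,6 @@ module SafeYAML
           @current_key = nil
         end
 
-      elsif @current_structure.nil?
-        # It appears that a YAML document may containing trailing text that should not be considered
-        # part of the serialized data. See issue 48:
-        #
-        # https://github.com/dtao/safe_yaml/issues/48
-        #
-        # I need to investigate this a bit further; but for now just explicitly ignoring nil should
-        # fix the issue (since in theory the only scenario where this would happen is after the
-        # serialized structure has "closed").
-
       else
         raise "Don't know how to add to a #{@current_structure.class}!"
       end
@@ -65,7 +56,7 @@ module SafeYAML
     end
 
     def streaming?
-
+      true
     end
 
     # event handlers
@@ -77,6 +68,10 @@ module SafeYAML
       add_to_current_structure(value, anchor, quoted, tag)
     end
 
+    def end_document(implicit)
+      @block.call(@result)
+    end
+
     def start_mapping(anchor, tag, implicit, style)
       map = @initializers.include?(tag) ? @initializers[tag].call : {}
       self.add_to_current_structure(map, anchor)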
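Review bot: `end_document` calls `@block.call(@result)` unconditionally, but the new `initialize(options, &block)` still accepts being called without a block, so a handler built the old way (`PsychHandler.new(options)`) now raises `NoMethodError` on `nil` at the end of the first document instead of parsing as it did in 0.9.6. Either guard the call, `@block.call(@result) if @block`, or fail at construction with `raise ArgumentError, "a block is required" unless block`, so the contract is explicit up front rather than mid-parse. The block's role — the caller in safe_yaml.rb returns out of it to stop the parse, and `@result` is what the handler holds when that document ends — belongs in a comment on `initialize`, e.g. `# @param block [Proc] called with the result when the first document ends; the caller uses it to stop parsing`. `@result` is assigned outside this hunk, and the unused `implicit` parameter of `end_document` could be named `_implicit`.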
    
        data/lib/safe_yaml/version.rb
    CHANGED
    
    
    
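--- a/data/spec/issue48.txt
+++ b/data/spec/issue48.txt
@@ -0,0 +1,20 @@
+---
+title: Blah
+key: value
+---
+
+I'm going to inject a bunch of YAML-looking stuff below and it should all just get ignored.
+
+foo: bar
+
+- foo
+- bar
+
+:foo
+42
+~
+
+---
+text: |
+  Look, I'm another YAML document!
+---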
    
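--- a/data/spec/safe_yaml_spec.rb
+++ b/data/spec/safe_yaml_spec.rb
@@ -649,14 +649,14 @@ describe YAML do
   end
 
   it "handles files starting with --- (see issue #48)" do
-    YAML.load_file("spec/issue48.
+    YAML.load_file("spec/issue48.txt", :safe => true).should == {
       "title" => "Blah",
       "key"   => "value"
     }
   end
 
   it "handles content starting with --- (see issue #48)" do
-    yaml = File.read("spec/issue48.
+    yaml = File.read("spec/issue48.txt")
     YAML.load(yaml, :safe => true).should == {
       "title" => "Blah",
       "key"   => "value"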
    
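--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: safe_yaml
 version: !ruby/object:Gem::Version
-  version: 0.9.
+  version: 0.9.7
 platform: ruby
 authors:
 - Dan Tao
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-09-
+date: 2013-09-17 00:00:00.000000000 Z
 dependencies: []
 description: Parse YAML safely, without that pesky arbitrary object deserialization
   vulnerability
@@ -49,7 +49,7 @@ files:
 - safe_yaml.gemspec
 - spec/exploit.1.9.2.yaml
 - spec/exploit.1.9.3.yaml
-- spec/issue48.
+- spec/issue48.txt
 - spec/psych_resolver_spec.rb
 - spec/resolver_specs.rb
 - spec/safe_yaml_spec.rb
@@ -81,7 +81,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.
+rubygems_version: 2.0.6
 signing_key: 
 specification_version: 4
 summary: SameYAML provides an alternative implementation of YAML.load suitable for
@@ -89,7 +89,7 @@ summary: SameYAML provides an alternative implementation of YAML.load suitable f
 test_files:
 - spec/exploit.1.9.2.yaml
 - spec/exploit.1.9.3.yaml
-- spec/issue48.
+- spec/issue48.txt
 - spec/psych_resolver_spec.rb
 - spec/resolver_specs.rb
 - spec/safe_yaml_spec.rb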