safe_yaml 0.9.6 → 0.9.7
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGES.md +6 -0
- data/lib/safe_yaml.rb +11 -3
- data/lib/safe_yaml/psych_handler.rb +7 -12
- data/lib/safe_yaml/version.rb +1 -1
- data/spec/issue48.txt +20 -0
- data/spec/safe_yaml_spec.rb +2 -2
- metadata +5 -5
- data/spec/issue48.yml +0 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d56ceb5aefcdb8415178936b17589f26139ec062
|
|
4
|
+
data.tar.gz: cd7b6f5d702b6680eb17116a832f0e651737d599
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4c4686cc5c8a087bbebdc706862223a3d9df7e28b559d32ff6c9ea1bf8db02d273b5b8cc425f903b8ed20e31915381149e3f330b8815ef20bc6de9f428963dff
|
|
7
|
+
data.tar.gz: ded13cfdc5044e90220bc24d058a79c89c7a319cbe3b120a09ca1e73d78d6dc2d2a32b90f358c06dd2d3f9585e3836246a6df855dcd5cdcc6a4cd38bc9df6b29
|
data/CHANGES.md
CHANGED
data/lib/safe_yaml.rb
CHANGED
|
@@ -165,11 +165,12 @@ module YAML
|
|
|
165
165
|
# If the user hasn't whitelisted any tags, we can go with this implementation which is
|
|
166
166
|
# significantly faster.
|
|
167
167
|
if (options && options[:whitelisted_tags] || SafeYAML::OPTIONS[:whitelisted_tags]).empty?
|
|
168
|
-
safe_handler = SafeYAML::PsychHandler.new(options)
|
|
168
|
+
safe_handler = SafeYAML::PsychHandler.new(options) do |result|
|
|
169
|
+
return result
|
|
170
|
+
end
|
|
169
171
|
arguments_for_parse = [yaml]
|
|
170
172
|
arguments_for_parse << filename if SafeYAML::MULTI_ARGUMENT_YAML_LOAD
|
|
171
173
|
Psych::Parser.new(safe_handler).parse(*arguments_for_parse)
|
|
172
|
-
return safe_handler.result
|
|
173
174
|
|
|
174
175
|
else
|
|
175
176
|
safe_resolver = SafeYAML::PsychResolver.new(options)
|
|
@@ -236,10 +237,17 @@ module YAML
|
|
|
236
237
|
def safe_mode_from_options(method, options={})
|
|
237
238
|
if options[:safe].nil?
|
|
238
239
|
safe_mode = SafeYAML::OPTIONS[:default_mode] || :safe
|
|
240
|
+
|
|
239
241
|
if SafeYAML::OPTIONS[:default_mode].nil? && !SafeYAML::OPTIONS[:suppress_warnings]
|
|
240
|
-
|
|
242
|
+
|
|
243
|
+
Kernel.warn <<-EOWARNING.gsub(/^\s+/, '')
|
|
244
|
+
Called '#{method}' without the :safe option -- defaulting to #{safe_mode} mode.
|
|
245
|
+
You can avoid this warning in the future by setting the SafeYAML::OPTIONS[:default_mode] option (to :safe or :unsafe).
|
|
246
|
+
EOWARNING
|
|
247
|
+
|
|
241
248
|
SafeYAML::OPTIONS[:suppress_warnings] = true
|
|
242
249
|
end
|
|
250
|
+
|
|
243
251
|
return safe_mode
|
|
244
252
|
end
|
|
245
253
|
|
|
@@ -3,8 +3,9 @@ require "base64"
|
|
|
3
3
|
|
|
4
4
|
module SafeYAML
|
|
5
5
|
class PsychHandler < Psych::Handler
|
|
6
|
-
def initialize(options)
|
|
6
|
+
def initialize(options, &block)
|
|
7
7
|
@options = SafeYAML::OPTIONS.merge(options || {})
|
|
8
|
+
@block = block
|
|
8
9
|
@initializers = @options[:custom_initializers] || {}
|
|
9
10
|
@anchors = {}
|
|
10
11
|
@stack = []
|
|
@@ -44,16 +45,6 @@ module SafeYAML
|
|
|
44
45
|
@current_key = nil
|
|
45
46
|
end
|
|
46
47
|
|
|
47
|
-
elsif @current_structure.nil?
|
|
48
|
-
# It appears that a YAML document may containing trailing text that should not be considered
|
|
49
|
-
# part of the serialized data. See issue 48:
|
|
50
|
-
#
|
|
51
|
-
# https://github.com/dtao/safe_yaml/issues/48
|
|
52
|
-
#
|
|
53
|
-
# I need to investigate this a bit further; but for now just explicitly ignoring nil should
|
|
54
|
-
# fix the issue (since in theory the only scenario where this would happen is after the
|
|
55
|
-
# serialized structure has "closed").
|
|
56
|
-
|
|
57
48
|
else
|
|
58
49
|
raise "Don't know how to add to a #{@current_structure.class}!"
|
|
59
50
|
end
|
|
@@ -65,7 +56,7 @@ module SafeYAML
|
|
|
65
56
|
end
|
|
66
57
|
|
|
67
58
|
def streaming?
|
|
68
|
-
|
|
59
|
+
true
|
|
69
60
|
end
|
|
70
61
|
|
|
71
62
|
# event handlers
|
|
@@ -77,6 +68,10 @@ module SafeYAML
|
|
|
77
68
|
add_to_current_structure(value, anchor, quoted, tag)
|
|
78
69
|
end
|
|
79
70
|
|
|
71
|
+
def end_document(implicit)
|
|
72
|
+
@block.call(@result)
|
|
73
|
+
end
|
|
74
|
+
|
|
80
75
|
def start_mapping(anchor, tag, implicit, style)
|
|
81
76
|
map = @initializers.include?(tag) ? @initializers[tag].call : {}
|
|
82
77
|
self.add_to_current_structure(map, anchor)
|
data/lib/safe_yaml/version.rb
CHANGED
data/spec/issue48.txt
ADDED
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Blah
|
|
3
|
+
key: value
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
I'm going to inject a bunch of YAML-looking stuff below and it should all just get ignored.
|
|
7
|
+
|
|
8
|
+
foo: bar
|
|
9
|
+
|
|
10
|
+
- foo
|
|
11
|
+
- bar
|
|
12
|
+
|
|
13
|
+
:foo
|
|
14
|
+
42
|
|
15
|
+
~
|
|
16
|
+
|
|
17
|
+
---
|
|
18
|
+
text: |
|
|
19
|
+
Look, I'm another YAML document!
|
|
20
|
+
---
|
data/spec/safe_yaml_spec.rb
CHANGED
|
@@ -649,14 +649,14 @@ describe YAML do
|
|
|
649
649
|
end
|
|
650
650
|
|
|
651
651
|
it "handles files starting with --- (see issue #48)" do
|
|
652
|
-
YAML.load_file("spec/issue48.
|
|
652
|
+
YAML.load_file("spec/issue48.txt", :safe => true).should == {
|
|
653
653
|
"title" => "Blah",
|
|
654
654
|
"key" => "value"
|
|
655
655
|
}
|
|
656
656
|
end
|
|
657
657
|
|
|
658
658
|
it "handles content starting with --- (see issue #48)" do
|
|
659
|
-
yaml = File.read("spec/issue48.
|
|
659
|
+
yaml = File.read("spec/issue48.txt")
|
|
660
660
|
YAML.load(yaml, :safe => true).should == {
|
|
661
661
|
"title" => "Blah",
|
|
662
662
|
"key" => "value"
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: safe_yaml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.9.
|
|
4
|
+
version: 0.9.7
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dan Tao
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2013-09-
|
|
11
|
+
date: 2013-09-17 00:00:00.000000000 Z
|
|
12
12
|
dependencies: []
|
|
13
13
|
description: Parse YAML safely, without that pesky arbitrary object deserialization
|
|
14
14
|
vulnerability
|
|
@@ -49,7 +49,7 @@ files:
|
|
|
49
49
|
- safe_yaml.gemspec
|
|
50
50
|
- spec/exploit.1.9.2.yaml
|
|
51
51
|
- spec/exploit.1.9.3.yaml
|
|
52
|
-
- spec/issue48.
|
|
52
|
+
- spec/issue48.txt
|
|
53
53
|
- spec/psych_resolver_spec.rb
|
|
54
54
|
- spec/resolver_specs.rb
|
|
55
55
|
- spec/safe_yaml_spec.rb
|
|
@@ -81,7 +81,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
81
81
|
version: '0'
|
|
82
82
|
requirements: []
|
|
83
83
|
rubyforge_project:
|
|
84
|
-
rubygems_version: 2.0.
|
|
84
|
+
rubygems_version: 2.0.6
|
|
85
85
|
signing_key:
|
|
86
86
|
specification_version: 4
|
|
87
87
|
summary: SameYAML provides an alternative implementation of YAML.load suitable for
|
|
@@ -89,7 +89,7 @@ summary: SameYAML provides an alternative implementation of YAML.load suitable f
|
|
|
89
89
|
test_files:
|
|
90
90
|
- spec/exploit.1.9.2.yaml
|
|
91
91
|
- spec/exploit.1.9.3.yaml
|
|
92
|
-
- spec/issue48.
|
|
92
|
+
- spec/issue48.txt
|
|
93
93
|
- spec/psych_resolver_spec.rb
|
|
94
94
|
- spec/resolver_specs.rb
|
|
95
95
|
- spec/safe_yaml_spec.rb
|