safe_yaml 1.0.0rc2 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
----
-SHA1:
-  metadata.gz: ae63281c614c4ed5cf5cef2b203db0966c3b78e5
-  data.tar.gz: d30fc3da59a6f6d2501307b6fb1fe41e6be90670
-SHA512:
-  metadata.gz: bac4ad63fb7c3fdfe4bffb8aa55bdf8863e06b886f80b82bc8b1c57cfb4dfcd4e5f3ace889dd45eae84dff550111979f2c8f5243ffc7f71db2b6d85551a1c6ec
-  data.tar.gz: 835ee14f1ef5819b856cfefaf970ee552d7943602057233fad955f76256d16ef6ffe1bc4bd83dd3206ef7938af9b61de02de58d9091e8412f5c3ce88edc7a9c1
+--- 
+SHA1: 
+  metadata.gz: bf7e5c41614da36f8ccd36e18b855f8e29c4060e
+  data.tar.gz: a0c48508dea39d200aea9f5fb689a6957c9ba235
+SHA512: 
+  metadata.gz: b67c8e20aea0cc1898e5af8ff8b5e8e98e4ae522b6d18a692b2649faea810b674967af561c027f160316977964fc235c99bd5fc2ee41930f610ad4d96c7bc7f5
+  data.tar.gz: 6c524eb43f7878a8e01c0db24680d939531313328d62a424d49cf75776bcef66854e5c5589dd9fef5dd47633c013635c24ece5e04ab5c2d8a19f2c3ea926e6ba

data/README.md

@@ -12,28 +12,29 @@ Installation
 
 Add this line to your application's Gemfile:
 
-    gem "safe_yaml"
-
-And then execute:
-
-    $ bundle
-
-Or install it yourself as:
-
-    $ gem install safe_yaml
+```ruby
+gem "safe_yaml"
+```
 
 Configuration
 -------------
 
-Configuring SafeYAML should be quick. In most cases, you will probably only have to think about two things:
+If *all you do* is add SafeYAML to your project, then `YAML.load` will operate in "safe" mode, which means it won't deserialize arbitrary objects. However, it will issue a warning the first time you call it because you haven't explicitly specified whether you want safe or unsafe behavior by default. To specify this behavior (e.g., in a Rails initializer):
 
-1. What do you want the `YAML` module's *default* behavior to be? Set the `SafeYAML::OPTIONS[:default_mode]` option to either `:safe` or `:unsafe` to control this. If you do neither, SafeYAML will default to `:safe` mode but will issue a warning the first time you call `YAML.load`.
-2. Do you want to allow symbols by default? Set the `SafeYAML::OPTIONS[:deserialize_symbols]` option to `true` or `false` to control this. The default is `false`, which means that SafeYAML will deserialize symbols in YAML documents as strings.
+```ruby
+SafeYAML::OPTIONS[:default_mode] = :safe # or :unsafe
+```
+
+Another important option you might want to specify on startup is whether or not to allow *symbols* to be deserialized. The default setting is `false`, since symbols are not garbage collected in Ruby and so deserializing them from YAML may render your application vulnerable to a DOS (denial of service) attack. To allow symbol deserialization by default:
+
+```ruby
+SafeYAML::OPTIONS[:deserialize_symbols] = true
+```
 
 For more information on these and other options, see the "Usage" section down below.
 
-Explanation
------------
+What is this gem for, exactly?
+------------------------------
 
 Suppose your application were to use a popular open source library which contained code like this:
 
@@ -87,13 +88,13 @@ When you require the safe_yaml gem in your project, `YAML.load` is patched to ac
 
 The most important option is the `:safe` option (default: `true`), which controls whether or not to deserialize arbitrary objects when parsing a YAML document. The other options, along with explanations, are as follows.
 
-- `:deserialize_symbols` (default: `false`): Controls whether or not YAML will deserialize symbols. It is probably best to only enable this option where necessary, e.g. to make trusted libraries work. Symbols receive special treatment in Ruby and are not garbage collected, which means deserializing them indiscriminately may render your site vulnerable to a DOS attack (hence `false` as a default value).
+- `:deserialize_symbols` (default: `false`): Controls whether or not YAML will deserialize symbols. It is probably best to only enable this option where necessary, e.g. to make trusted libraries work. Symbols receive special treatment in Ruby and are not garbage collected, which means deserializing them indiscriminately may render your site vulnerable to a DOS attack.
 
 - `:whitelisted_tags`: Accepts an array of YAML tags that designate trusted types, e.g., ones that can be deserialized without worrying about any resulting security vulnerabilities. When any of the given tags are encountered in a YAML document, the associated data will be parsed by the underlying YAML engine (Syck or Psych) for the version of Ruby you are using. See the "Whitelisting Trusted Types" section below for more information.
 
 - `:custom_initializers`: Similar to the `:whitelisted_tags` option, but allows you to provide your own initializers for specified tags rather than using Syck or Psyck. Accepts a hash with string tags for keys and lambdas for values.
 
-- `:raise_on_unknown_tag` (default: `false`): Represents the highest possible level of paranoia (not necessarily a bad thing); if the YAML engine encounters any tag other than ones that are automatically trusted by SafeYAML or that you've explicitly whitelisted, it will raise an exception. This may be a good choice if you expect to always be dealing with perfectly safe YAML and want your application to fail loudly upon encountering questionable data.
+- `:raise_on_unknown_tag` (default: `false`): Represents the highest possible level of paranoia. If the YAML engine encounters any tag other than ones that are automatically trusted by SafeYAML or that you've explicitly whitelisted, it will raise an exception. This may be a good choice if you expect to always be dealing with perfectly safe YAML and want your application to fail loudly upon encountering questionable data.
 
 All of the above options can be set at the global level via `SafeYAML::OPTIONS`. You can also set each one individually per call to `YAML.load`; an option explicitly passed to `load` will take precedence over an option specified globally.
 
@@ -102,7 +103,9 @@ What if I don't *want* to patch `YAML`?
 
 [Excellent question](https://github.com/dtao/safe_yaml/issues/47)! You can also get the methods `SafeYAML.load` and `SafeYAML.load_file` without touching the `YAML` module at all like this:
 
-    require "safe_yaml/load"
+```ruby
+require "safe_yaml/load" # instead of require "safe_yaml"
+```
 
 This way, you can use `SafeYAML.load` to parse YAML that *you* don't trust, without affecting the rest of an application (if you're developing a library, for example).
 
@@ -130,7 +133,7 @@ SafeYAML supports whitelisting certain YAML tags for trusted types. This is hand
 The easiest way to whitelist types is by calling `SafeYAML.whitelist!`, which can accept a variable number of safe types, e.g.:
 
 ```ruby
-SafeYAML.whitelist!(FrobDispenser, GobbleFactory)
+SafeYAML.whitelist!(Foo, Bar)
 ```
 
 You can also whitelist YAML *tags* via the `:whitelisted_tags` option:
@@ -160,7 +163,7 @@ EOYAML
 Known Issues
 ------------
 
-If you add SafeYAML to your project and start seeing any errors about missing keys, or you notice mysterious strings that look like `":foo"` (i.e., start with a colon), it's likely you're seeing errors from symbols being saved in YAML format. If you are able to modify the offending code, you might want to consider changing your YAML content to use plain vanilla strings instead of symbols. If not, you may need to set the `:deserialize_symbols` option to `true`, either in calls to `YAML.load` or--as a last resort--globally, with `SafeYAML::OPTIONS[:deserialize_symbols]`.
+If you add SafeYAML to your project and start seeing any errors about missing keys, or you notice mysterious strings that look like `":foo"` (i.e., start with a colon), it's likely you're seeing errors from symbols being saved in YAML format. If you are able to modify the offending code, you might want to consider changing your YAML content to use plain vanilla strings instead of symbols. If not, you may need to set the `:deserialize_symbols` option to `true`, either in calls to `YAML.load` or---as a last resort---globally, with `SafeYAML::OPTIONS[:deserialize_symbols]`.
 
 Also be aware that some Ruby libraries, particularly those requiring inter-process communication, leverage YAML's object deserialization functionality and therefore may break or otherwise be impacted by SafeYAML. The following list includes known instances of SafeYAML's interaction with other Ruby gems:
 
@@ -173,12 +176,10 @@ Also be aware that some Ruby libraries, particularly those requiring inter-proce
 
 The above list will grow over time, as more issues are discovered.
 
-Caveat
-------
-
-My intention is to eventually adopt [semantic versioning](http://semver.org/) with this gem, if it ever gets to version 1.0 (i.e., doesn't become obsolete by then). Since it isn't there yet, that means that API may well change from one version to the next. Please keep that in mind if you are using it in your application.
+Versioning
+----------
 
-To be clear: my *goal* is for SafeYAML to make it as easy as possible to protect existing applications from object deserialization exploits. Any and all feedback is more than welcome!
+SafeYAML will follow [semantic versioning](http://semver.org/) so any updates to the first major version will maintain backwards compatability. So expect primarily bug fixes and feature enhancements (if anything!) from here on out... unless it makes sense to break the interface at some point and introduce a version 2.0, which I honestly think is unlikely.
 
 Requirements
 ------------

data/lib/safe_yaml/transform/to_integer.rb

@@ -9,8 +9,9 @@ module SafeYAML
       ])
 
       def transform?(value)
-        MATCHERS.each do |matcher|
-          return true, Integer(value.gsub(",", "")) if matcher.match(value)
+        MATCHERS.each_with_index do |matcher, idx|
+          value = value.gsub(/[_,]/, "") if idx == 0
+          return true, Integer(value) if matcher.match(value)
         end
         try_edge_cases?(value)
       end

data/lib/safe_yaml/version.rb

@@ -1,3 +1,3 @@
 module SafeYAML
-  VERSION = "1.0.0rc2"
+  VERSION = "1.0.0"
 end

data/safe_yaml.gemspec

@@ -6,9 +6,9 @@ Gem::Specification.new do |gem|
   gem.version       = SafeYAML::VERSION
   gem.authors       = "Dan Tao"
   gem.email         = "daniel.tao@gmail.com"
-  gem.description   = %q{Parse YAML safely, without that pesky arbitrary object deserialization vulnerability}
+  gem.description   = %q{Parse YAML safely}
   gem.summary       = %q{SameYAML provides an alternative implementation of YAML.load suitable for accepting user input in Ruby applications.}
-  gem.homepage      = "http://dtao.github.com/safe_yaml/"
+  gem.homepage      = "https://github.com/dtao/safe_yaml"
   gem.license       = "MIT"
   gem.files         = `git ls-files`.split($\)
   gem.test_files    = gem.files.grep(%r{^spec/})

data/spec/transform/to_integer_spec.rb

@@ -56,4 +56,9 @@ describe SafeYAML::Transform::ToInteger do
     # sexagesimal
     subject.transform?("190:20:30").should == [true, 685230]
   end
+
+  # see https://github.com/dtao/safe_yaml/pull/51
+  it "strips out underscores before parsing decimal values" do
+    subject.transform?("_850_").should == [true, 850]
+  end
 end

metadata

@@ -1,22 +1,26 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification 
 name: safe_yaml
-version: !ruby/object:Gem::Version
-  version: 1.0.0rc2
+version: !ruby/object:Gem::Version 
+  version: 1.0.0
 platform: ruby
-authors:
+authors: 
 - Dan Tao
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-12-12 00:00:00.000000000 Z
+
+date: 2013-12-27 00:00:00 Z
 dependencies: []
-description: Parse YAML safely, without that pesky arbitrary object deserialization
-  vulnerability
+
+description: Parse YAML safely
 email: daniel.tao@gmail.com
 executables: []
+
 extensions: []
+
 extra_rdoc_files: []
-files:
+
+files: 
 - .gitignore
 - .travis.yml
 - CHANGES.md
@@ -65,32 +69,34 @@ files:
 - spec/transform/to_integer_spec.rb
 - spec/transform/to_symbol_spec.rb
 - spec/yaml_spec.rb
-homepage: http://dtao.github.com/safe_yaml/
-licenses:
+homepage: https://github.com/dtao/safe_yaml
+licenses: 
 - MIT
 metadata: {}
+
 post_install_message: 
 rdoc_options: []
-require_paths:
+
+require_paths: 
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
-  requirements:
-  - - '>='
-    - !ruby/object:Gem::Version
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
       version: 1.8.7
-required_rubygems_version: !ruby/object:Gem::Requirement
-  requirements:
-  - - '>'
-    - !ruby/object:Gem::Version
-      version: 1.3.1
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
 requirements: []
+
 rubyforge_project: 
-rubygems_version: 2.1.11
+rubygems_version: 2.0.14
 signing_key: 
 specification_version: 4
-summary: SameYAML provides an alternative implementation of YAML.load suitable for
-  accepting user input in Ruby applications.
-test_files:
+summary: SameYAML provides an alternative implementation of YAML.load suitable for accepting user input in Ruby applications.
+test_files: 
 - spec/exploit.1.9.2.yaml
 - spec/exploit.1.9.3.yaml
 - spec/issue48.txt