safe_yaml 1.0.0 → 1.0.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -7
- data/README.md +1 -0
- data/lib/safe_yaml/transform/to_date.rb +2 -0
- data/lib/safe_yaml/version.rb +1 -1
- data/spec/transform/to_date_spec.rb +19 -0
- metadata +20 -27
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
|
-
---
|
|
2
|
-
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
5
|
-
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
1
|
+
---
|
|
2
|
+
SHA1:
|
|
3
|
+
metadata.gz: 5a072651152f97592749563e45a793b71928ed80
|
|
4
|
+
data.tar.gz: 0de35cc4fefc6f0f98d81c5ef1284382e47c8e3c
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: 4b3b766d2e7b1d211d8645a57ab3dfefd253cebd29fb7981f792e7194fd66b61d8fc21213088b67420481d1baeb12aad35b024f0d19cf3164c2c756151b45b75
|
|
7
|
+
data.tar.gz: 457535a8deac214dd3e898d2f38ed654c2c854d76572644d2255ef4fa2040fdd4c1d509c9c197983e84e687dd77f6ac0bcd5686032a4067cf72161fdcd998cbf
|
data/README.md
CHANGED
|
@@ -2,6 +2,7 @@ SafeYAML
|
|
|
2
2
|
========
|
|
3
3
|
|
|
4
4
|
[](http://travis-ci.org/dtao/safe_yaml)
|
|
5
|
+
[](http://badge.fury.io/rb/safe_yaml)
|
|
5
6
|
|
|
6
7
|
The **SafeYAML** gem provides an alternative implementation of `YAML.load` suitable for accepting user input in Ruby applications. Unlike Ruby's built-in implementation of `YAML.load`, SafeYAML's version will not expose apps to arbitrary code execution exploits (such as [the ones discovered](http://www.reddit.com/r/netsec/comments/167c11/serious_vulnerability_in_ruby_on_rails_allowing/) [in Rails in early 2013](http://www.h-online.com/open/news/item/Rails-developers-close-another-extremely-critical-flaw-1793511.html)).
|
|
7
8
|
|
data/lib/safe_yaml/version.rb
CHANGED
|
@@ -38,4 +38,23 @@ describe SafeYAML::Transform::ToDate do
|
|
|
38
38
|
result.should == Time.utc(2012, 11, 30, 23, 33, 45)
|
|
39
39
|
result.gmt_offset.should == Time.now.gmt_offset
|
|
40
40
|
end
|
|
41
|
+
|
|
42
|
+
it "returns strings for invalid dates" do
|
|
43
|
+
subject.transform?("0000-00-00").should == [true, "0000-00-00"]
|
|
44
|
+
subject.transform?("2013-13-01").should == [true, "2013-13-01"]
|
|
45
|
+
subject.transform?("2014-01-32").should == [true, "2014-01-32"]
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
it "returns strings for invalid date/times" do
|
|
49
|
+
subject.transform?("0000-00-00 00:00:00 -0000").should == [true, "0000-00-00 00:00:00 -0000"]
|
|
50
|
+
subject.transform?("2013-13-01 21:59:43 -05:00").should == [true, "2013-13-01 21:59:43 -05:00"]
|
|
51
|
+
subject.transform?("2013-01-32 21:59:43 -05:00").should == [true, "2013-01-32 21:59:43 -05:00"]
|
|
52
|
+
subject.transform?("2013-01-30 25:59:43 -05:00").should == [true, "2013-01-30 25:59:43 -05:00"]
|
|
53
|
+
subject.transform?("2013-01-30 21:69:43 -05:00").should == [true, "2013-01-30 21:69:43 -05:00"]
|
|
54
|
+
|
|
55
|
+
# Interesting. It seems that in some older Ruby versions, the below actually parses successfully
|
|
56
|
+
# w/ DateTime.parse; but it fails w/ YAML.load. Whom to follow???
|
|
57
|
+
|
|
58
|
+
# subject.transform?("2013-01-30 21:59:63 -05:00").should == [true, "2013-01-30 21:59:63 -05:00"]
|
|
59
|
+
end
|
|
41
60
|
end
|
metadata
CHANGED
|
@@ -1,26 +1,21 @@
|
|
|
1
|
-
--- !ruby/object:Gem::Specification
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: safe_yaml
|
|
3
|
-
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 1.0.1
|
|
5
5
|
platform: ruby
|
|
6
|
-
authors:
|
|
6
|
+
authors:
|
|
7
7
|
- Dan Tao
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
|
|
12
|
-
date: 2013-12-27 00:00:00 Z
|
|
11
|
+
date: 2014-01-10 00:00:00.000000000 Z
|
|
13
12
|
dependencies: []
|
|
14
|
-
|
|
15
13
|
description: Parse YAML safely
|
|
16
14
|
email: daniel.tao@gmail.com
|
|
17
15
|
executables: []
|
|
18
|
-
|
|
19
16
|
extensions: []
|
|
20
|
-
|
|
21
17
|
extra_rdoc_files: []
|
|
22
|
-
|
|
23
|
-
files:
|
|
18
|
+
files:
|
|
24
19
|
- .gitignore
|
|
25
20
|
- .travis.yml
|
|
26
21
|
- CHANGES.md
|
|
@@ -70,33 +65,31 @@ files:
|
|
|
70
65
|
- spec/transform/to_symbol_spec.rb
|
|
71
66
|
- spec/yaml_spec.rb
|
|
72
67
|
homepage: https://github.com/dtao/safe_yaml
|
|
73
|
-
licenses:
|
|
68
|
+
licenses:
|
|
74
69
|
- MIT
|
|
75
70
|
metadata: {}
|
|
76
|
-
|
|
77
71
|
post_install_message:
|
|
78
72
|
rdoc_options: []
|
|
79
|
-
|
|
80
|
-
require_paths:
|
|
73
|
+
require_paths:
|
|
81
74
|
- lib
|
|
82
|
-
required_ruby_version: !ruby/object:Gem::Requirement
|
|
83
|
-
requirements:
|
|
84
|
-
- -
|
|
85
|
-
- !ruby/object:Gem::Version
|
|
75
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
76
|
+
requirements:
|
|
77
|
+
- - '>='
|
|
78
|
+
- !ruby/object:Gem::Version
|
|
86
79
|
version: 1.8.7
|
|
87
|
-
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
88
|
-
requirements:
|
|
89
|
-
- -
|
|
90
|
-
- !ruby/object:Gem::Version
|
|
91
|
-
version:
|
|
80
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
81
|
+
requirements:
|
|
82
|
+
- - '>='
|
|
83
|
+
- !ruby/object:Gem::Version
|
|
84
|
+
version: '0'
|
|
92
85
|
requirements: []
|
|
93
|
-
|
|
94
86
|
rubyforge_project:
|
|
95
87
|
rubygems_version: 2.0.14
|
|
96
88
|
signing_key:
|
|
97
89
|
specification_version: 4
|
|
98
|
-
summary: SameYAML provides an alternative implementation of YAML.load suitable for
|
|
99
|
-
|
|
90
|
+
summary: SameYAML provides an alternative implementation of YAML.load suitable for
|
|
91
|
+
accepting user input in Ruby applications.
|
|
92
|
+
test_files:
|
|
100
93
|
- spec/exploit.1.9.2.yaml
|
|
101
94
|
- spec/exploit.1.9.3.yaml
|
|
102
95
|
- spec/issue48.txt
|