RubyGems - safemode - Versions diffs - 1.3.1 → 1.3.2 - Mend

safemode 1.3.1 → 1.3.2

Potentially problematic release.

This version of safemode might be problematic. Click here for more details.

Files changed (10) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7a2ae334b96360e57f06053963af98bb3565e1d1
-  data.tar.gz: 4ad12d5c492b17595d6dda6aa8caec4ca154f03f
+  metadata.gz: b4ce678e79def9e59fdb857730f9c35707658933
+  data.tar.gz: 4a9a39f6426692470932c93c28430d75feef9279
 SHA512:
-  metadata.gz: '0942dbc88ee4246dc414c598555822b58b5ba18f6b7471edcb3e583ed1e42c442b3b0724a927d4150ea705b9eb95f7f33cd947074f83f2326dfecaabc65d880a'
-  data.tar.gz: 9338694a4120ca2190e4dcf6151d2cf8822b155fc887396ae63e0671734075ba325cad4c5a38a44cc7b98540fa0b37ea28b611aed76be50e6d216c5a4a4f7cec
+  metadata.gz: '09455744a65edc92517cb77bc6b203011cddb2fb1f22bf6b504ab617634e681fe1df897474142871081ecf296e2c2d1289f0a535ed52fde8ff17498176b06ad3'
+  data.tar.gz: 0fdca751f3f5937314ca1903dbf53c8ef1c90644be8868e47a64a33b6e4473dc326a9480aa573196a8470f35b77ce5d5976fe1afa108eb42e1fc1863224326d7

data/.travis.yml ADDED

@@ -0,0 +1,12 @@
+---
+rvm:
+  - 1.8.7
+  - 1.9.3
+  - 2.0.0
+  - 2.1.10
+  - 2.2.6
+  - 2.3.3
+  - 2.4.0
+  - jruby-9
+before_install: gem install bundler
+sudo: false

data/Gemfile CHANGED

@@ -7,12 +7,11 @@ gem "ruby_parser", ">= 3.2.0"
 # Add dependencies to develop your gem here.
 # Include everything needed to run rake, tests, features, etc.
 group :development do
-  gem "shoulda", ">= 0"
   gem "rdoc", "~> 3.12"
   gem "bundler", "~> 1.0"
-  gem "jeweler", ">= 0"
+  gem "jeweler", RUBY_VERSION.start_with?("1.8") ? "~> 1.0" : ">= 0"
   gem "rcov", :platforms => :ruby_18
-  gem "simplecov", :platforms => [:ruby_19, :ruby_20, :ruby_21, :ruby_22, :ruby_23, :ruby_24]
-  gem "test-unit", :platforms => [:ruby_19, :ruby_20, :ruby_21, :ruby_22, :ruby_23, :ruby_24]
-  gem "rake"
+  gem "simplecov", :platforms => [:ruby_19, :ruby_20, :ruby_21, :ruby_22, :ruby_23, :ruby_24, :jruby]
+  gem "test-unit", :platforms => [:ruby_19, :ruby_20, :ruby_21, :ruby_22, :ruby_23, :ruby_24, :jruby]
+  gem "rake", RUBY_VERSION.start_with?("1.8") ? "< 11" : ">= 0"
 end

data/VERSION CHANGED

	@@ -1 +1 @@
1	- 1.3.1
1	+ 1.3.2

data/lib/safemode/blankslate.rb CHANGED

@@ -1,7 +1,13 @@
 module Safemode
   class Blankslate
     @@allow_instance_methods = ['class', 'methods', 'respond_to?', 'respond_to_missing?', 'to_s', 'instance_variable_get']
-    @@allow_class_methods    = ['methods', 'new', 'name', '<', 'ancestors', '=='] # < needed in Rails Object#subclasses_of
+    @@allow_class_methods    = ['methods', 'new', 'name', '<', 'ancestors', '==']  # < needed in Rails Object#subclasses_of
+    if defined?(JRUBY_VERSION)
+      # JRuby seems to silently fail to remove method_missing
+      # (also see https://github.com/jruby/jruby/blob/9.1.7.0/core/src/main/java/org/jruby/RubyModule.java#L1109)
+      @@allow_class_methods << 'method_missing'
+      (@@allow_class_methods << ['singleton_method_undefined', 'singleton_method_added']).flatten! # needed for JRuby support
+    end
     silently { undef_methods(*instance_methods.map(&:to_s) - @@allow_instance_methods) }
     class << self

data/lib/safemode/parser.rb CHANGED

@@ -85,7 +85,7 @@ module Safemode
                    # :colon2 is used for module constants
                    :colon2,
                    # unnecessarily advanced?
-                   :argscat, :argspush, :splat, :block_pass,
+                   :argscat, :argspush, :splat,
                    :op_asgn1, :op_asgn2, :op_asgn_and, :op_asgn_or,
                    # needed for haml
                    :block ]
@@ -101,7 +101,11 @@ module Safemode
                    :attrasgn, :cdecl, :cvasgn, :cvdecl, :cvar, :gvar, :gasgn,
                    :xstr, :dxstr,
                    # not sure how secure ruby regexp is, so leave it out for now
-                   :dregx, :dregx_once, :match2, :match3, :nth_ref, :back_ref ]
+                   :dregx, :dregx_once, :match2, :match3, :nth_ref, :back_ref,
+                   # block_pass represents &:method, which would bypass the whitelist e.g. by array.each(&:destroy)
+                   # at this point we don't know the receiver so we rather disable it completely,
+                   # use array.each { |item| item.destroy } instead
+                   :block_pass ]
     # SexpProcessor bails when we overwrite these ... but they are listed as
     # "internal nodes that you can't get to" in sexp_processor.rb

data/safemode.gemspec CHANGED

@@ -2,22 +2,23 @@
 # DO NOT EDIT THIS FILE DIRECTLY
 # Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
-# stub: safemode 1.3.1 ruby lib
+# stub: safemode 1.3.2 ruby lib
 Gem::Specification.new do |s|
   s.name = "safemode".freeze
-  s.version = "1.3.1"
+  s.version = "1.3.2"
   s.required_rubygems_version = Gem::Requirement.new(">= 0".freeze) if s.respond_to? :required_rubygems_version=
   s.require_paths = ["lib".freeze]
   s.authors = ["Sven Fuchs".freeze, "Peter Cooper".freeze, "Matthias Viehweger".freeze, "Kingsley Hendrickse".freeze, "Ohad Levy".freeze, "Dmitri Dolguikh".freeze]
-  s.date = "2017-02-13"
+  s.date = "2017-07-11"
   s.description = "A library for safe evaluation of Ruby code based on RubyParser and Ruby2Ruby. Provides Rails ActionView template handlers for ERB and Haml.".freeze
   s.email = "ohadlevy@gmail.com".freeze
   s.extra_rdoc_files = [
     "README.markdown"
   ]
   s.files = [
+    ".travis.yml",
     "Gemfile",
     "LICENCSE",
     "README.markdown",
@@ -48,7 +49,7 @@ Gem::Specification.new do |s|
   ]
   s.homepage = "http://github.com/svenfuchs/safemode".freeze
   s.licenses = ["MIT".freeze]
-  s.rubygems_version = "2.6.10".freeze
+  s.rubygems_version = "2.6.8".freeze
   s.summary = "A library for safe evaluation of Ruby code based on ParseTree/RubyParser and Ruby2Ruby".freeze
   if s.respond_to? :specification_version then
@@ -58,7 +59,6 @@ Gem::Specification.new do |s|
       s.add_runtime_dependency(%q<sexp_processor>.freeze, [">= 4.3.0"])
       s.add_runtime_dependency(%q<ruby2ruby>.freeze, [">= 2.0.6"])
       s.add_runtime_dependency(%q<ruby_parser>.freeze, [">= 3.2.0"])
-      s.add_development_dependency(%q<shoulda>.freeze, [">= 0"])
       s.add_development_dependency(%q<rdoc>.freeze, ["~> 3.12"])
       s.add_development_dependency(%q<bundler>.freeze, ["~> 1.0"])
       s.add_development_dependency(%q<jeweler>.freeze, [">= 0"])
@@ -70,7 +70,6 @@ Gem::Specification.new do |s|
       s.add_dependency(%q<sexp_processor>.freeze, [">= 4.3.0"])
       s.add_dependency(%q<ruby2ruby>.freeze, [">= 2.0.6"])
       s.add_dependency(%q<ruby_parser>.freeze, [">= 3.2.0"])
-      s.add_dependency(%q<shoulda>.freeze, [">= 0"])
       s.add_dependency(%q<rdoc>.freeze, ["~> 3.12"])
       s.add_dependency(%q<bundler>.freeze, ["~> 1.0"])
       s.add_dependency(%q<jeweler>.freeze, [">= 0"])
@@ -83,7 +82,6 @@ Gem::Specification.new do |s|
     s.add_dependency(%q<sexp_processor>.freeze, [">= 4.3.0"])
     s.add_dependency(%q<ruby2ruby>.freeze, [">= 2.0.6"])
     s.add_dependency(%q<ruby_parser>.freeze, [">= 3.2.0"])
-    s.add_dependency(%q<shoulda>.freeze, [">= 0"])
     s.add_dependency(%q<rdoc>.freeze, ["~> 3.12"])
     s.add_dependency(%q<bundler>.freeze, ["~> 1.0"])
     s.add_dependency(%q<jeweler>.freeze, [">= 0"])

data/test/test_jail.rb CHANGED

@@ -37,8 +37,12 @@ class TestJail < Test::Unit::TestCase
                 "allow_instance_method", "allow_class_method", "allowed_instance_method?",
                 "allowed_class_method?", "allowed_instance_methods", "allowed_class_methods",
                 "<", # < needed in Rails Object#subclasses_of
-                "ancestors", "==" # ancestors and == needed in Rails::Generator::Spec#lookup_class
-               ]
+                "ancestors", "=="] # ancestors and == needed in Rails::Generator::Spec#lookup_class
+    if defined?(JRUBY_VERSION)
+      (expected << ['method_missing', 'singleton_method_undefined', 'singleton_method_added']).flatten!  # needed for running under jruby
+    end
     objects.each do |object|
       assert_equal expected.sort, reject_pretty_methods(object.to_jail.class.methods.map(&:to_s).sort)
     end

data/test/test_safemode_parser.rb CHANGED

@@ -31,6 +31,12 @@ class TestSafemodeParser < Test::Unit::TestCase
     end
   end
+  def test_block_pass_is_disabled
+    assert_raise Safemode::SecurityError do
+      jail('[].each(&:delete)')
+    end
+  end
 private
   def assert_jailed(expected, code)

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: safemode
 version: !ruby/object:Gem::Version
-  version: 1.3.1
+  version: 1.3.2
 platform: ruby
 authors:
 - Sven Fuchs
@@ -13,7 +13,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-02-13 00:00:00.000000000 Z
+date: 2017-07-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sexp_processor
@@ -57,20 +57,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.2.0
-- !ruby/object:Gem::Dependency
-  name: shoulda
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: rdoc
   requirement: !ruby/object:Gem::Requirement
@@ -177,6 +163,7 @@ extensions: []
 extra_rdoc_files:
 - README.markdown
 files:
+- ".travis.yml"
 - Gemfile
 - LICENCSE
 - README.markdown
@@ -224,7 +211,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.6.10
+rubygems_version: 2.6.8
 signing_key:
 specification_version: 4
 summary: A library for safe evaluation of Ruby code based on ParseTree/RubyParser