safemode 1.5.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 795ca593ca92570d9d4a54cbad72c18c32574d1190b37d002acb22f0347814e0
-  data.tar.gz: 585a9de965e98cc5f7d847357db1db8ce2a52e1200cf17169dc109c4cda231b5
+  metadata.gz: 31ed45049398953b35fafe5ff837df2332712caa9534c5278e971d9031a61836
+  data.tar.gz: 49b507273a0ef6d03578be21a26f26388fb4cd54d253670a8932ae7891ae40f7
 SHA512:
-  metadata.gz: d27b2e9fa7e9893cc43039c37c884e21c1e7945974d3614a907818453e99b88d0cd37ab68d43058e01303f3d6bc6966f51edeee009a712994ad40b754660a4d7
-  data.tar.gz: 1b6ddc2ab11f82cc6275d9ea26aa57800ebcfc2a2e7a84612894bb61b17a879e1b83eac20dff722091fab596eeb04912110d4bb70dbcce924771b189c218894f
+  metadata.gz: eefb3d5121ad93910e1468cd635a5d77320dfbd23c341469af7acc1d90c80947ab1f8ec058bf1775b9269566d2503cfec0118bb6143e9d35ee6ba5afbb055caa
+  data.tar.gz: ab5f0385d055999f6a6463381d24494bab377fe12aebec639b3be5fc78faf4355c5485105ba6c73bbc0a0023c2db3dd063bc35abee19d4564748d15a925650d8

data/demo.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'safemode'
 require 'erb'
 

data/lib/safemode/core_jails.rb

@@ -17,15 +17,11 @@ module Safemode
     end
 
     def core_classes
-      klasses = [ Array, Float, Hash, Range, String, Symbol, Time, NilClass, FalseClass, TrueClass ]
+      klasses = [ Array, Float, Hash, Integer, Range, String, Symbol, Time, NilClass, FalseClass, TrueClass ]
       klasses << Date if defined? Date
       klasses << DateTime if defined? DateTime
-      if RUBY_VERSION >= '2.4.0'
-        klasses << Integer
-      else
-        klasses << Bignum
-        klasses << Fixnum
-      end
+      klasses << Data if defined? Data # Ruby 3.2 addition
+      klasses << Set if defined? Set # Ruby 3.2 addition
       klasses
     end
 
@@ -46,31 +42,21 @@ module Safemode
   # whitelisted methods for core classes ... kind of arbitrary selection
   @@methods_whitelist = {
     'Array'      => %w(any? assoc at blank? collect collect! compact compact!
-                    concat delete delete_at delete_if each each_index empty?
-                    fetch fill first flatten flatten! hash include? index
+                    concat delete delete_at delete_if each each_index each_with_index
+                    empty? fetch fill first flatten flatten! hash include? index
                     indexes indices inject insert join last length map map! max min
                     nitems pop push present? rassoc reject reject! reverse
                     reverse! reverse_each rindex select shift size slice
                     slice! sort sort! transpose to_sentence uniq uniq! unshift
                     values_at zip),
 
-    'Bignum'     => %w(abs blank? ceil chr coerce div divmod downto floor hash
-                    integer? modulo next nonzero? present? quo remainder round
-                    singleton_method_added size step succ times to_f to_i
-                    to_int to_s truncate upto zero?),
-
-    'Fixnum'     => %w(abs blank? ceil chr coerce div divmod downto floor id2name
-                    integer? modulo modulo next nonzero? present? quo remainder
-                    round singleton_method_added size step succ times to_f to_i
-                    to_int to_s to_sym truncate upto zero?),
-
     'Float'      => %w(abs blank? ceil coerce div divmod finite? floor hash
                     infinite? integer? modulo nan? nonzero? present? quo
                     remainder round singleton_method_added step to_f to_i
                     to_int to_s truncate zero?),
 
-    'Hash'       => %w(any? blank? clear delete delete_if each each_key
-                    each_pair each_value empty? fetch dig has_key? has_value?
+    'Hash'       => %w(any? blank? clear delete delete_if each each_key each_pair
+                    each_value each_with_index empty? fetch dig has_key? has_value?
                     include? index invert key? keys length member? merge merge!
                     present? rec_merge! rehash reject reject! select shift
                     size sort store update value? values values_at),
@@ -116,6 +102,17 @@ module Safemode
     'DateTime'   => %w(blank? hour min new_offset newof of offset present? sec
                     sec_fraction strftime to_datetime_default_s to_json zone),
 
+    'Data'       => %w(deconstruct deconstruct_keys hash members),
+
+    'Set'        => %w(any? blank? clear clone collect count delete delete?
+                    delete_if difference disjoint? each each_with_index
+                    each_with_object empty? filter find first flatten
+                    flatten! hash include? inject intersect? intersection
+                    join keep_if length map max member? merge min
+                    present? reject reject! replace select select!
+                    size sort sort_by subset? superset? union
+                    uniq zip),
+
     'NilClass'   => %w(blank? duplicable? present? to_f to_i),
 
     'FalseClass' => %w(blank? duplicable? present?),

data/lib/safemode/parser.rb

@@ -1,8 +1,5 @@
 module Safemode
   class Parser < Ruby2Ruby
-    # @@parser = defined?(RubyParser) ? 'RubyParser' : 'ParseTree'
-    @@parser = 'RubyParser'
-
     class << self
       def jail(code, allowed_fcalls = [])
         @@allowed_fcalls = allowed_fcalls
@@ -11,18 +8,7 @@ module Safemode
       end
 
       def parse(code)
-        case @@parser
-        # when 'ParseTree'
-        #   ParseTree.translate(code)
-        when 'RubyParser'
-          RubyParser.new.parse(code)
-        else
-          raise "unknown parser #{@@parser}"
-        end
-      end
-
-      def parser=(parser)
-        @@parser = parser
+        Prism::Translation::RubyParser.parse(code)
       end
     end
 
@@ -89,8 +75,13 @@ module Safemode
                    # :colon2 is used for module constants
                    :colon2,
                    # unnecessarily advanced?
-                   :argscat, :argspush, :splat,
-                   :op_asgn1, :op_asgn2, :op_asgn_and, :op_asgn_or,
+                   :argscat, :argspush, :splat, :kwsplat,
+                   # NOTE: op_asgn*/safe_op_asgn* do not insert .to_jail on the
+                   # receiver. Setters are called directly on the real object, bypassing Jail.
+                   :op_asgn, :op_asgn1, :op_asgn2, :op_asgn_and, :op_asgn_or,
+                   :safe_op_asgn, :safe_op_asgn2,
+                   # pattern matching (Ruby 3.0+)
+                   :in, :array_pat, :hash_pat, :find_pat, :kwrest,
                    # needed for haml
                    :block ]
 
@@ -98,18 +89,21 @@ module Safemode
                    # see below for :const handling
                    :defn, :defs, :alias, :valias, :undef, :class, :attrset,
                    :module, :sclass, :colon3,
-                   :fbody, :scope, :block_arg, :postexe,
+                   :fbody, :scope, :block_arg, :postexe, :preexe,
                    :redo, :retry, :begin, :rescue, :resbody, :ensure,
                    :defined, :super, :zsuper, :return,
                    :dmethod, :bmethod, :to_ary, :svalue, :match,
-                   :attrasgn, :cdecl, :cvasgn, :cvdecl, :cvar, :gvar, :gasgn,
+                   :attrasgn, :safe_attrasgn,
+                   :cdecl, :cvasgn, :cvdecl, :cvar, :gvar, :gasgn,
                    :xstr, :dxstr,
                    # not sure how secure ruby regexp is, so leave it out for now
                    :dregx, :dregx_once, :match2, :match3, :nth_ref, :back_ref,
                    # block_pass represents &:method, which would bypass the whitelist e.g. by array.each(&:destroy)
                    # at this point we don't know the receiver so we rather disable it completely,
                    # use array.each { |item| item.destroy } instead
-                   :block_pass ]
+                   :block_pass,
+                   # lambda creates Proc objects
+                   :lambda ]
 
     # SexpProcessor bails when we overwrite these ... but they are listed as
     # "internal nodes that you can't get to" in sexp_processor.rb
@@ -207,6 +201,49 @@ module Safemode
       end
     end
 
+    # Ruby2Ruby bug: __var adds ^ (pin) to all lvars inside :in context,
+    # including the body after "then" where ^ is invalid syntax.
+    # Fix: process body outside the :in context.
+    def process_in(exp)
+      _, pattern, *body = exp
+
+      guard = extract_guard(pattern)
+      cond = process pattern
+      body = body.compact.map { |sexp|
+        in_context :in_body do
+          indent process sexp
+        end
+      }
+
+      body << indent("# do nothing") if body.empty?
+      body = body.join "\n"
+
+      header = "in #{cond}"
+      header << " #{guard}" if guard
+      "#{header} then\n#{body.chomp}"
+    end
+
+    # Prism translates guard clauses (in pattern if cond / in pattern unless cond)
+    # as s(:if, guard, pattern, nil) / s(:if, guard, nil, pattern). We detect this
+    # and rewrite the sexp in-place so process_if renders only the pattern, then
+    # return the guard string for process_in to append.
+    def extract_guard(pattern)
+      return unless pattern.sexp_type == :if
+
+      _, guard_sexp, if_body, else_body = pattern
+      if if_body && !else_body
+        guard_str = in_context(:in_body) { "if #{process guard_sexp.deep_clone}" }
+        pattern.clear
+        if_body.each { |node| pattern << node }
+      elsif else_body && !if_body
+        guard_str = in_context(:in_body) { "unless #{process guard_sexp.deep_clone}" }
+        pattern.clear
+        else_body.each { |node| pattern << node }
+      end
+
+      guard_str
+    end
+
     # Ruby2Ruby process_if rewrites if and unless statements in a way that
     # makes the result unusable for evaluation in, e.g. ERB which appends a
     # call to to_s when using <%= %> tags. We'd need to either enclose the

data/lib/safemode.rb

@@ -1,17 +1,8 @@
 require 'rubygems'
 
 require 'ruby2ruby'
-begin
-  require 'ruby_parser' # try to load RubyParser and use it if present
-rescue LoadError => e
-end
-# this doesn't work somehow. Maybe something changed inside
-# ParseTree or sexp_processor or so.
-# (the require itself works, but ParseTree doesn't play nice)
-# begin
-#   require 'parse_tree'
-# rescue LoadError => e
-# end
+require 'prism'
+require 'prism/translation/ruby_parser'
 
 require 'safemode/core_ext'
 require 'safemode/blankslate'

data/safemode.gemspec

@@ -4,10 +4,10 @@ require 'date'
 
 Gem::Specification.new do |s|
   s.name = "safemode".freeze
-  s.version = "1.5.0"
+  s.version = "2.0.0"
   s.date = Date.today
 
-  s.summary = "A library for safe evaluation of Ruby code based on ParseTree/RubyParser and Ruby2Ruby"
+  s.summary = "A library for safe evaluation of Ruby code based on Prism and Ruby2Ruby"
   s.description = "A library for safe evaluation of Ruby code based on RubyParser and Ruby2Ruby. Provides Rails ActionView template handlers for ERB and Haml."
   s.homepage = "https://github.com/svenfuchs/safemode"
   s.licenses = ["MIT"]
@@ -52,14 +52,14 @@ Gem::Specification.new do |s|
     "test/test_safemode_parser.rb"
   ]
 
-  s.required_ruby_version = ">= 2.7", "< 3.2"
+  s.required_ruby_version = ">= 3.0", "< 3.4"
 
-  s.add_runtime_dependency "ruby2ruby", ">= 2.4.0"
-  s.add_runtime_dependency "ruby_parser", ">= 3.10.1"
-  s.add_runtime_dependency "sexp_processor", ">= 4.10.0"
+  s.add_runtime_dependency "ruby2ruby", "~> 2.4"
+  s.add_runtime_dependency "prism", "~> 1.0"
+  s.add_runtime_dependency "sexp_processor", "~> 4.10"
 
-  s.add_development_dependency "rake"
-  s.add_development_dependency "rdoc"
-  s.add_development_dependency "simplecov"
-  s.add_development_dependency "test-unit"
+  s.add_development_dependency "rake", "~> 13.4"
+  s.add_development_dependency "rdoc", "~> 7.2"
+  s.add_development_dependency "simplecov", "~> 0.22"
+  s.add_development_dependency "test-unit", "~> 3.7"
 end

data/test/test_erb_eval.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require File.join(File.dirname(__FILE__), 'test_helper')
 
 class TestERBEval < Test::Unit::TestCase
@@ -58,19 +60,17 @@ class TestERBEval < Test::Unit::TestCase
   end
 
   TestHelper.no_method_error_raising_calls.each do |call|
-    call.gsub!('"', '\\\\"')
     class_eval %Q(
       def test_calling_#{call.gsub(/[\W]/, '_')}_should_raise_no_method
-        assert_raise_no_method "#{call}", @assigns, @locals
+        assert_raise_no_method "#{call.gsub('"', '\\\\"')}", @assigns, @locals
       end
     )
   end
 
   TestHelper.security_error_raising_calls.each do |call|
-    call.gsub!('"', '\\\\"')
     class_eval %Q(
       def test_calling_#{call.gsub(/[\W]/, '_')}_should_raise_security
-        assert_raise_security "#{call}", @assigns, @locals
+        assert_raise_security "#{call.gsub('"', '\\\\"')}", @assigns, @locals
       end
     )
   end

data/test/test_helper.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 if ENV['COVERAGE']
   require 'simplecov'
   SimpleCov.start {add_filter 'test_'}
@@ -110,6 +112,8 @@ class Article
     Comment
   end
 
+  attr_accessor :status
+
   def method_with_kwargs(a_keyword: false)
     a_keyword
   end
@@ -148,7 +152,7 @@ class Comment
 end
 
 class Article::Jail < Safemode::Jail
-  allow :title, :comments, :is_article?, :comment_class, :method_with_kwargs
+  allow :title, :comments, :is_article?, :comment_class, :method_with_kwargs, :status
 
   def author_name
     "this article's author name"

data/test/test_jail.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require File.join(File.dirname(__FILE__), 'test_helper')
 
 class TestJail < Test::Unit::TestCase

data/test/test_safemode_eval.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require File.join(File.dirname(__FILE__), 'test_helper')
 
 class TestSafemodeEval < Test::Unit::TestCase
@@ -92,26 +94,151 @@ class TestSafemodeEval < Test::Unit::TestCase
     assert @box.eval("@article.method_with_kwargs(a_keyword: true)", @assigns)
   end
 
+  def test_pattern_matching_with_literal
+    assert_equal "matched", @box.eval('case 1; in 1; "matched"; in 2; "nope"; end')
+  end
+
+  def test_pattern_matching_with_array_destructuring
+    assert_equal 1, @box.eval('case [1, 2, 3]; in [a, b, c]; a; end')
+  end
+
+  def test_pattern_matching_with_hash_destructuring
+    assert_equal 1, @box.eval('case({a: 1, b: 2}); in {a:}; a; end')
+  end
+
+  def test_pattern_matching_with_assign
+    assert_equal "two", @box.eval('case @val; in 1; "one"; in 2; "two"; end', { val: 2 })
+  end
+
+  def test_pattern_matching_with_find_pattern
+    assert_equal "found", @box.eval('case [1, 2, 3]; in [*, 2, *]; "found"; end')
+  end
+
+  def test_pattern_matching_with_pin_operator
+    assert_equal "matched", @box.eval('y = 1; case 1; in ^y; "matched"; end')
+  end
+
+  def test_pattern_matching_with_multiple_clauses
+    assert_equal "second", @box.eval('case [3, 4]; in [1, 2]; "first"; in [3, 4]; "second"; end')
+  end
+
+  def test_pattern_matching_no_match_returns_nil
+    assert_nil @box.eval('case 3; in 1; "one"; in 2; "two"; else; nil; end')
+  end
+
+  def test_pattern_matching_with_if_guard
+    assert_equal "positive", @box.eval('case 1; in x if x > 0; "positive"; end')
+  end
+
+  def test_pattern_matching_with_unless_guard
+    assert_equal "not negative", @box.eval('case 1; in x unless x < 0; "not negative"; end')
+  end
+
+  def test_pattern_matching_guard_no_match
+    assert_nil @box.eval('case 1; in x if x < 0; "negative"; else; nil; end')
+  end
+
+  def test_pattern_matching_guard_with_array_pattern
+    assert_equal "yes", @box.eval('case [1, 2]; in [a, b] if a > 0; "yes"; end')
+  end
+
+  def test_pattern_matching_guard_with_hash_pattern
+    assert_equal "alice", @box.eval('case({name: "alice"}); in {name:} if name.start_with?("a"); name; end')
+  end
+
+  def test_rightward_assignment
+    assert_equal 1, @box.eval('[1, 2] => [a, b]; a')
+  end
+
+  def test_pattern_matching_with_jailed_hash
+    assert_equal "an article title", @box.eval('case @data; in {title:}; title; end', { data: { title: "an article title" } })
+  end
+
+  def test_hash_shorthand
+    # TODO: Remove the check once Ruby 3.1 is the minimum
+    if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('3.1')
+      assert_equal({ a: 1, b: 2 }, @box.eval('a = 1; b = 2; { a:, b: }'))
+    end
+  end
+
+  def test_endless_range
+    assert_equal [3, 4, 5], @box.eval('[1,2,3,4,5][2..]')
+  end
+
+  def test_beginless_range
+    assert_equal [1, 2, 3], @box.eval('[1,2,3,4,5][..2]')
+  end
+
+  # attrasgn (@article.status = val) is blocked at parse time
+  def test_attrasgn_is_blocked
+    assert_raise(Safemode::SecurityError) { @box.eval('@article.status = "new_value"', @assigns) }
+  end
+
+  def test_safe_attrasgn_is_blocked
+    assert_raise(Safemode::SecurityError) { @box.eval('@article&.status = "new_value"', @assigns) }
+  end
+
+  # op_asgn2 (@article.status ||= val) is NOT blocked at parse time.
+  # NOTE: .to_jail is not inserted on the receiver, so the setter is called
+  # directly on the real object, bypassing the Jail whitelist.
+  def test_op_asgn2_bypasses_jail
+    article = Article.new
+    assert_nil article.status
+    @box.eval('@article.status ||= "new_value"', { article: article })
+    assert_equal "new_value", article.status
+  end
+
+  def test_safe_op_asgn2_bypasses_jail
+    article = Article.new
+    assert_nil article.status
+    @box.eval('@article&.status ||= "new_value"', { article: article })
+    assert_equal "new_value", article.status
+  end
+
+  def test_lambda_is_blocked
+    assert_raise(Safemode::SecurityError) { @box.eval('-> { 1 }') }
+  end
+
   def test_sending_to_method_missing
     assert_raise_with_message(Safemode::NoMethodError, /#no_such_method/) do
       @box.eval("@article.no_such_method('arg', key: 'value')", @assigns)
     end
   end
 
+  if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('3.2')
+    def test_pattern_matching_with_data_subclass
+      point_class = Data.define(:x, :y)
+      point = point_class.new(x: 10, y: 20)
+      assert_equal 10, @box.eval('case @point; in {x:}; x; end', { point: point })
+    end
+
+    def test_data_subclass_inherits_data_jail
+      point_class = Data.define(:x, :y)
+      point = point_class.new(x: 10, y: 20)
+      assert_equal [:x, :y], @box.eval('@point.members', { point: point })
+      assert_equal [10, 20], @box.eval('@point.deconstruct', { point: point })
+      assert_equal({ x: 10 }, @box.eval('@point.deconstruct_keys([:x])', { point: point }))
+    end
+
+    def test_data_subclass_jail_blocks_non_whitelisted_methods
+      point_class = Data.define(:x, :y)
+      point = point_class.new(x: 10, y: 20)
+      assert_raise(Safemode::NoMethodError) { @box.eval('@point.instance_variables', { point: point }) }
+    end
+  end
+
   TestHelper.no_method_error_raising_calls.each do |call|
-    call.gsub!('"', '\\\\"')
     class_eval %Q(
       def test_calling_#{call.gsub(/[\W]/, '_')}_should_raise_no_method
-        assert_raise_no_method "#{call}", @assigns, @locals
+        assert_raise_no_method "#{call.gsub('"', '\\\\"')}", @assigns, @locals
       end
     )
   end
 
   TestHelper.security_error_raising_calls.each do |call|
-    call.gsub!('"', '\\\\"')
     class_eval %Q(
       def test_calling_#{call.gsub(/[\W]/, '_')}_should_raise_security
-        assert_raise_security "#{call}", @assigns, @locals
+        assert_raise_security "#{call.gsub('"', '\\\\"')}", @assigns, @locals
       end
     )
   end

data/test/test_safemode_parser.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require File.join(File.dirname(__FILE__), 'test_helper')
 
 class TestSafemodeParser < Test::Unit::TestCase
@@ -65,6 +67,107 @@ class TestSafemodeParser < Test::Unit::TestCase
     end
   end
 
+  def test_safe_attrasgn_is_disabled
+    assert_raise Safemode::SecurityError do
+      jail('@article&.title = "new_value"')
+    end
+  end
+
+  def test_safe_op_asgn2_is_allowed
+    assert_nothing_raised do
+      jail('@article&.title ||= "new_value"')
+    end
+  end
+
+  def test_lambda_is_disabled
+    assert_raise Safemode::SecurityError do
+      jail('-> { 1 }')
+    end
+  end
+
+  def test_case_in_with_literal
+    jailed = jail("case x; in 1; \"one\"; in 2; \"two\"; end")
+    assert_match(/in 1 then/, jailed)
+    assert_match(/in 2 then/, jailed)
+    assert_match(/to_jail\.x/, jailed)
+  end
+
+  def test_case_in_with_array_pattern
+    jailed = jail("case x; in [a, b]; a; end")
+    assert_match(/in \[a, b\] then/, jailed)
+    assert_no_match(/\^a/, jailed)
+  end
+
+  def test_case_in_with_hash_pattern
+    jailed = jail("case x; in {name:}; name; end")
+    assert_match(/in \{ name: \} then/, jailed)
+    assert_no_match(/\^name/, jailed)
+  end
+
+  def test_case_in_with_find_pattern
+    jailed = jail("case x; in [*, 2, *]; \"found\"; end")
+    assert_match(/in \[\*, 2, \*\] then/, jailed)
+  end
+
+  def test_case_in_pin_operator
+    jailed = jail("y = 1; case x; in ^y; true; end")
+    assert_match(/in \^y then/, jailed)
+  end
+
+  def test_case_in_body_does_not_pin_variables
+    jailed = jail("case x; in [a, b]; a; end")
+    lines = jailed.lines
+    body_start = lines.index { |l| l.match?(/^in \[/) } + 1
+    lines[body_start..].each { |line| assert_no_match(/\^[a-z]/, line) }
+  end
+
+  def test_case_in_multiple_clauses
+    jailed = jail("case x; in [a, b]; a; in {c:}; c; end")
+    assert_match(/in \[a, b\] then/, jailed)
+    assert_match(/in \{ c: \} then/, jailed)
+  end
+
+  def test_case_in_with_if_guard
+    jailed = jail("case x; in 1 if true; \"matched\"; end")
+    assert_match(/in 1 if true then/, jailed)
+  end
+
+  def test_case_in_with_unless_guard
+    jailed = jail("case x; in 1 unless false; \"matched\"; end")
+    assert_match(/in 1 unless false then/, jailed)
+  end
+
+  def test_case_in_guard_does_not_pin_variables
+    jailed = jail("case x; in [a, b] if a; a; end")
+    guard_line = jailed.lines.find { |l| l.match?(/^in \[/) }
+    assert_match(/if a then/, guard_line)
+    assert_no_match(/\^a/, guard_line)
+  end
+
+  def test_case_in_guard_jails_method_calls
+    jailed = jail('case x; in {name: n} if n.start_with?("a"); n; end')
+    assert_match(/if n\.to_jail\.start_with\?/, jailed)
+  end
+
+  def test_rightward_assignment
+    jailed = jail("x => a")
+    assert_match(/case to_jail\.x/, jailed)
+    assert_match(/in a then/, jailed)
+  end
+
+  def test_hash_shorthand_in_literal
+    jailed = jail("a = 1; b = 2; { a:, b: }")
+    assert_match(/a:,/, jailed)
+  end
+
+  def test_endless_range
+    assert_jailed "(1..)", "(1..)"
+  end
+
+  def test_beginless_range
+    assert_jailed "(..5)", "(..5)"
+  end
+
 private
 
   def assert_jailed(expected, code)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: safemode
 version: !ruby/object:Gem::Version
-  version: 1.5.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Sven Fuchs
@@ -10,112 +10,110 @@ authors:
 - Kingsley Hendrickse
 - Ohad Levy
 - Dmitri Dolguikh
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-03-19 00:00:00.000000000 Z
+date: 2026-05-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ruby2ruby
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.4.0
+        version: '2.4'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.4.0
+        version: '2.4'
 - !ruby/object:Gem::Dependency
-  name: ruby_parser
+  name: prism
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.10.1
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.10.1
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: sexp_processor
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.10.0
+        version: '4.10'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.10.0
+        version: '4.10'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '13.4'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '13.4'
 - !ruby/object:Gem::Dependency
   name: rdoc
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '7.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '7.2'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.22'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.22'
 - !ruby/object:Gem::Dependency
   name: test-unit
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3.7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3.7'
 description: A library for safe evaluation of Ruby code based on RubyParser and Ruby2Ruby.
   Provides Rails ActionView template handlers for ERB and Haml.
-email:
 executables: []
 extensions: []
 extra_rdoc_files:
@@ -150,7 +148,6 @@ homepage: https://github.com/svenfuchs/safemode
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -158,19 +155,17 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.7'
+      version: '3.0'
   - - "<"
     - !ruby/object:Gem::Version
-      version: '3.2'
+      version: '3.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
-signing_key:
+rubygems_version: 4.0.10
 specification_version: 4
-summary: A library for safe evaluation of Ruby code based on ParseTree/RubyParser
-  and Ruby2Ruby
+summary: A library for safe evaluation of Ruby code based on Prism and Ruby2Ruby
 test_files: []