RubyGems - secvault - Versions diffs - 3.2.0 → 3.3.0 - Mend

secvault 3.2.0 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ff511b4da4c277844438956507222da90bd15416fd8e4adec1e973a4e5b73993
-  data.tar.gz: 45219a2e917ac366af2c94c8a848cc5557219b4856daab6fcd870d19898d1685
+  metadata.gz: 710d3e06fdda8db93c2e7ca401e8eaa9aa973b5c350dba8773a15a41458c71df
+  data.tar.gz: 123cf43f089b2880f4c80035253510c97aaff711193c41e40b768605702a06db
 SHA512:
-  metadata.gz: 45e5d96b9eaa32ea9396921451dfb2ed148e485992236ae45bf58acf9a380869cde8df8b3e93e621cdfe1bcd9710f4eccbeaee3880fa5436c73e336d063d866f
-  data.tar.gz: db91a660ae62430a0c27f311bd512d964efc485f4a224e42f958b9215d31c9c553db765b638b622413b18c9b236ab6865d14328594f8d6ab726452484eddc767
+  metadata.gz: 257a70771cad2fe8581071a9aad9a3abc18fabf176d1ed902fd9962657a8a15a1e8a8d966b9a00912e4aa58eb129f4e1d3ba754d6e319aab4c2f0d05ffcd5a31
+  data.tar.gz: 5783d0e4fa433d1beb8984e7d8a7d5946502249b4449e5e6ba97f2eedadf1063ec1982e11327757ee593aa9198a3203461ee1a59f3cb01356b1a800ba0aadbd7

data/lib/secvault/secrets.rb CHANGED Viewed

@@ -6,9 +6,37 @@ require "active_support/ordered_options"
 require "pathname"
 require "erb"
 require "yaml"
+require "bigdecimal"
+require "date"
 module Secvault
   class Secrets
+    # Define permitted classes for YAML.safe_load - commonly used in Rails secrets
+    PERMITTED_YAML_CLASSES = [
+      Symbol,
+      Date,
+      Time,
+      DateTime,
+      BigDecimal,
+      Range,
+      Regexp
+    ].tap do |classes|
+      # Add ActiveSupport classes if available
+      begin
+        require "active_support/time_with_zone"
+        classes << ActiveSupport::TimeWithZone
+      rescue LoadError
+        # ActiveSupport not available, skip
+      end
+      begin
+        require "active_support/duration"
+        classes << ActiveSupport::Duration
+      rescue LoadError
+        # ActiveSupport not available, skip
+      end
+    end.freeze
     class << self
       def setup(app)
         # Auto-setup for all Rails versions with consistent behavior
@@ -68,7 +96,7 @@ module Secvault
           # Process ERB and parse YAML - using same method as Rails
           erb_result = ERB.new(source).result
-          secrets = YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(erb_result) : YAML.load(erb_result)
+          secrets = YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(erb_result) : YAML.safe_load(erb_result, aliases: true, permitted_classes: PERMITTED_YAML_CLASSES)
           secrets ||= {}
@@ -81,7 +109,7 @@ module Secvault
         if secrets_path.exist?
           # Handle plain YAML secrets.yml only - using same method as Rails
           erb_result = ERB.new(secrets_path.read).result
-          all_secrets = YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(erb_result) : YAML.load(erb_result)
+          all_secrets = YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(erb_result) : YAML.safe_load(erb_result, aliases: true, permitted_classes: PERMITTED_YAML_CLASSES)
           env_secrets = all_secrets[env.to_s]
           return env_secrets.deep_symbolize_keys if env_secrets

data/lib/secvault/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Secvault
-  VERSION = "3.2.0"
+  VERSION = "3.3.0"
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: secvault
 version: !ruby/object:Gem::Version
-  version: 3.2.0
+  version: 3.3.0
 platform: ruby
 authors:
 - Unnikrishnan KP