adding safe_yaml to protect against object instantiation from yaml

2013-01-23 11:30:24 -06:00 · 2013-01-23 11:30:24 -06:00 · 1528cfe1cd
parent c85d834036
commit 1528cfe1cd
12 changed files with 18 additions and 10 deletions
--- a/jekyll.gemspec
+++ b/jekyll.gemspec
@ -30,6 +30,7 @@ Gem::Specification.new do |s|
  s.add_runtime_dependency('kramdown', "~> 0.13.4")
  s.add_runtime_dependency('pygments.rb', "~> 0.3.2")
  s.add_runtime_dependency('commander', "~> 4.1.3")
+  s.add_runtime_dependency('safe_yaml', "~> 0.4")

  s.add_development_dependency('rake', "~> 0.9")
  s.add_development_dependency('rdoc', "~> 3.11")
--- a/lib/jekyll.rb
+++ b/lib/jekyll.rb
@ -18,7 +18,7 @@ require 'rubygems'
 # stdlib
 require 'fileutils'
 require 'time'
-require 'yaml'
+require 'safe_yaml'
 require 'English'

 # 3rd party
--- a/lib/jekyll/migrators/drupal.rb
+++ b/lib/jekyll/migrators/drupal.rb
@ -1,7 +1,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'

 # NOTE: This converter requires Sequel and the MySQL gems.
 # The MySQL gem can be difficult to install on OS X. Once you have MySQL
--- a/lib/jekyll/migrators/joomla.rb
+++ b/lib/jekyll/migrators/joomla.rb
@ -1,7 +1,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'

 # NOTE: This migrator is made for Joomla 1.5 databases.
 # NOTE: This converter requires Sequel and the MySQL gems.
--- a/lib/jekyll/migrators/marley.rb
+++ b/lib/jekyll/migrators/marley.rb
@ -1,4 +1,4 @@
-require 'yaml'
+require 'safe_yaml'
 require 'fileutils'

 module Jekyll
--- a/lib/jekyll/migrators/mt.rb
+++ b/lib/jekyll/migrators/mt.rb
@ -5,7 +5,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'

 # NOTE: This converter requires Sequel and the MySQL gems.
 # The MySQL gem can be difficult to install on OS X. Once you have MySQL
--- a/lib/jekyll/migrators/rss.rb
+++ b/lib/jekyll/migrators/rss.rb
@ -13,7 +13,7 @@ require 'rss/1.0'
 require 'rss/2.0'
 require 'open-uri'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'

 module Jekyll
  module MigrateRSS
--- a/lib/jekyll/migrators/textpattern.rb
+++ b/lib/jekyll/migrators/textpattern.rb
@ -1,7 +1,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'

 # NOTE: This converter requires Sequel and the MySQL gems.
 # The MySQL gem can be difficult to install on OS X. Once you have MySQL
--- a/lib/jekyll/migrators/typo.rb
+++ b/lib/jekyll/migrators/typo.rb
@ -2,7 +2,7 @@
 require 'fileutils'
 require 'rubygems'
 require 'sequel'
-require 'yaml'
+require 'safe_yaml'

 module Jekyll
  module Typo
--- a/lib/jekyll/migrators/wordpress.rb
+++ b/lib/jekyll/migrators/wordpress.rb
@ -1,7 +1,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'

 # NOTE: This converter requires Sequel and the MySQL gems.
 # The MySQL gem can be difficult to install on OS X. Once you have MySQL
--- a/lib/jekyll/migrators/wordpressdotcom.rb
+++ b/lib/jekyll/migrators/wordpressdotcom.rb
@ -3,7 +3,7 @@
 require 'rubygems'
 require 'hpricot'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'
 require 'time'

 module Jekyll
--- a/test/test_convertible.rb
+++ b/test/test_convertible.rb
@ -29,6 +29,13 @@ class TestConvertible < Test::Unit::TestCase
      assert_match(/#{File.join(@base, name)}/, out)
    end

+    should "not allow ruby objects in yaml" do
+      out = capture_stdout do
+        @convertible.read_yaml(@base, 'exploit_front_matter.erb')
+      end
+      assert_no_match /undefined class\/module DoesNotExist/, out
+    end
+
    if RUBY_VERSION >= '1.9.2'
      should "not parse if there is encoding error in file" do
        name = 'broken_front_matter3.erb'