From 1528cfe1cdfe96bcbd4a0caf02dcf6ba0faed813 Mon Sep 17 00:00:00 2001 From: Ben Toews Date: Wed, 23 Jan 2013 11:30:24 -0600 Subject: [PATCH] adding safe_yaml to protect against object instantiation from yaml
---
 jekyll.gemspec | 1 +
 lib/jekyll.rb | 2 +-
 lib/jekyll/migrators/drupal.rb | 2 +-
 lib/jekyll/migrators/joomla.rb | 2 +-
 lib/jekyll/migrators/marley.rb | 2 +-
 lib/jekyll/migrators/mt.rb | 2 +-
 lib/jekyll/migrators/rss.rb | 2 +-
 lib/jekyll/migrators/textpattern.rb | 2 +-
 lib/jekyll/migrators/typo.rb | 2 +-
 lib/jekyll/migrators/wordpress.rb | 2 +-
 lib/jekyll/migrators/wordpressdotcom.rb | 2 +-
 test/test_convertible.rb | 7 +++++++
 12 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/jekyll.gemspec b/jekyll.gemspec
index 0de0c969..86cbd1e8 100644
--- a/jekyll.gemspec
+++ b/jekyll.gemspec
@@ -30,6 +30,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency('kramdown', "~> 0.13.4")
   s.add_runtime_dependency('pygments.rb', "~> 0.3.2")
   s.add_runtime_dependency('commander', "~> 4.1.3")
+  s.add_runtime_dependency('safe_yaml', "~> 0.4")
 
   s.add_development_dependency('rake', "~> 0.9")
   s.add_development_dependency('rdoc', "~> 3.11")
diff --git a/lib/jekyll.rb b/lib/jekyll.rb
index 477247dd..2c1ab0e6 100644
--- a/lib/jekyll.rb
+++ b/lib/jekyll.rb
@@ -18,7 +18,7 @@ require 'rubygems'
 # stdlib
 require 'fileutils'
 require 'time'
-require 'yaml'
+require 'safe_yaml'
 require 'English'
 
 # 3rd party
diff --git a/lib/jekyll/migrators/drupal.rb b/lib/jekyll/migrators/drupal.rb
index 7fd16aef..6acd5de0 100644
--- a/lib/jekyll/migrators/drupal.rb
+++ b/lib/jekyll/migrators/drupal.rb
@@ -1,7 +1,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'
 
 # NOTE: This converter requires Sequel and the MySQL gems.
 # The MySQL gem can be difficult to install on OS X. Once you have MySQL
diff --git a/lib/jekyll/migrators/joomla.rb b/lib/jekyll/migrators/joomla.rb
index 87f1e105..c7e72476 100644
--- a/lib/jekyll/migrators/joomla.rb
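Review bot: The `~> 0.4` constraint on the new safe_yaml dependency lets any later 0.x release resolve, while the protection this patch adds rests entirely on what the gem does to `YAML.load` as a side effect of being required — none of the 12 files changes a parsing call site. If a later release within that range alters its default mode or stops patching `YAML.load` globally, the hardening disappears with no failing build, so either pin the version the new test case was run against or make safe mode explicit where front matter and site configuration are parsed. A why-comment on the added line, `# safe_yaml makes YAML.load refuse to instantiate arbitrary Ruby objects; front matter is user-controlled input`, would record why a runtime dependency is being added for what reads like a stdlib swap.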
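Review bot: The new `require 'safe_yaml'` sits under the `# stdlib` comment, but safe_yaml is the third-party gem the gemspec hunk adds, so it belongs in the `# 3rd party` group a few lines below; leaving it here misleads the next reader about what the line pulls in. This hunk and the nine migrator hunks (drupal, joomla, marley, mt, rss, textpattern, typo, wordpress, wordpressdotcom) only swap the require, so the fix relies on the gem replacing `YAML.load` with a safe loader at load time and nothing in the code indicates which parses are meant to be safe. Passing the option explicitly where untrusted front matter is parsed, `YAML.load(content, :safe => true)`, keeps the guarantee if the gem's default mode changes and gives a future grep for unsafe loads something to find. If the migrators only emit YAML (their bodies are outside this diff), the swap there is harmless but also adds nothing.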
+++ b/lib/jekyll/migrators/joomla.rb
@@ -1,7 +1,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'
 
 # NOTE: This migrator is made for Joomla 1.5 databases.
 # NOTE: This converter requires Sequel and the MySQL gems.
diff --git a/lib/jekyll/migrators/marley.rb b/lib/jekyll/migrators/marley.rb
index 21bcead5..3aa74f49 100644
--- a/lib/jekyll/migrators/marley.rb
+++ b/lib/jekyll/migrators/marley.rb
@@ -1,4 +1,4 @@
-require 'yaml'
+require 'safe_yaml'
 require 'fileutils'
 
 module Jekyll
diff --git a/lib/jekyll/migrators/mt.rb b/lib/jekyll/migrators/mt.rb
index 048c84db..09d89a79 100644
--- a/lib/jekyll/migrators/mt.rb
+++ b/lib/jekyll/migrators/mt.rb
@@ -5,7 +5,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'
 
 # NOTE: This converter requires Sequel and the MySQL gems.
 # The MySQL gem can be difficult to install on OS X. Once you have MySQL
diff --git a/lib/jekyll/migrators/rss.rb b/lib/jekyll/migrators/rss.rb
index 461abd35..fec3d07c 100644
--- a/lib/jekyll/migrators/rss.rb
+++ b/lib/jekyll/migrators/rss.rb
@@ -13,7 +13,7 @@ require 'rss/1.0'
 require 'rss/2.0'
 require 'open-uri'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'
 
 module Jekyll
   module MigrateRSS
diff --git a/lib/jekyll/migrators/textpattern.rb b/lib/jekyll/migrators/textpattern.rb
index 3b370ed9..9eca2530 100644
--- a/lib/jekyll/migrators/textpattern.rb
+++ b/lib/jekyll/migrators/textpattern.rb
@@ -1,7 +1,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'
 
 # NOTE: This converter requires Sequel and the MySQL gems.
 # The MySQL gem can be difficult to install on OS X. Once you have MySQL
diff --git a/lib/jekyll/migrators/typo.rb b/lib/jekyll/migrators/typo.rb
index adb8be96..0bf58456 100644
--- a/lib/jekyll/migrators/typo.rb
+++ b/lib/jekyll/migrators/typo.rb
@@ -2,7 +2,7 @@
 require 'fileutils'
 require 'rubygems'
 require 'sequel'
-require 'yaml'
+require 'safe_yaml'
 
 module Jekyll
   module Typo
diff --git a/lib/jekyll/migrators/wordpress.rb b/lib/jekyll/migrators/wordpress.rb
index 61e00ad1..8d0ecf71 100644
--- a/lib/jekyll/migrators/wordpress.rb
+++ b/lib/jekyll/migrators/wordpress.rb
@@ -1,7 +1,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'
 
 # NOTE: This converter requires Sequel and the MySQL gems.
 # The MySQL gem can be difficult to install on OS X. Once you have MySQL
diff --git a/lib/jekyll/migrators/wordpressdotcom.rb b/lib/jekyll/migrators/wordpressdotcom.rb
index 286c302f..bf423384 100644
--- a/lib/jekyll/migrators/wordpressdotcom.rb
+++ b/lib/jekyll/migrators/wordpressdotcom.rb
@@ -3,7 +3,7 @@
 require 'rubygems'
 require 'hpricot'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'
 require 'time'
 
 module Jekyll
diff --git a/test/test_convertible.rb b/test/test_convertible.rb
index 82e4d27f..3940f030 100644
--- a/test/test_convertible.rb
+++ b/test/test_convertible.rb
@@ -29,6 +29,13 @@ class TestConvertible < Test::Unit::TestCase
       assert_match(/#{File.join(@base, name)}/, out)
     end
 
+    should "not allow ruby objects in yaml" do
+      out = capture_stdout do
+        @convertible.read_yaml(@base, 'exploit_front_matter.erb')
+      end
+      assert_no_match /undefined class\/module DoesNotExist/, out
+    end
+
     if RUBY_VERSION >= '1.9.2'
       should "not parse if there is encoding error in file" do
         name = 'broken_front_matter3.erb'
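Review bot: `assert_no_match /undefined class\/module DoesNotExist/, out` only checks that one error string is absent from captured stdout, so the case also passes when `exploit_front_matter.erb` is missing, when the message goes to stderr, or when a tagged object of a class that does exist is instantiated without any error; it never asserts what the safe loader actually produced. Add a positive assertion on the parsed result — on whatever `read_yaml` stores, presumably `@convertible.data` — e.g. `assert_kind_of Hash, @convertible.data` plus a check that the tagged value stayed a plain string or nil rather than an instance of an unexpected class. The fixture `exploit_front_matter.erb` is not among the 12 files in this patch, so unless it already exists in the test source tree the new case exercises a missing file rather than a hostile front-matter block. Parentheses around the regexp literal, `assert_no_match(/undefined class\/module DoesNotExist/, out)`, also avoid Ruby's "ambiguous first argument" warning and match the `assert_match(...)` style two lines above.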