Merge pull request #777 from mastahyeti/safe_yaml

Safe YAML

jekyll.gemspec

@@ -30,6 +30,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency('kramdown', "~> 0.13.4")
   s.add_runtime_dependency('pygments.rb', "~> 0.3.2")
   s.add_runtime_dependency('commander', "~> 4.1.3")
+  s.add_runtime_dependency('safe_yaml', "~> 0.4")
 
   s.add_development_dependency('rake', "~> 0.9")
   s.add_development_dependency('rdoc', "~> 3.11")

lib/jekyll.rb

@@ -18,7 +18,7 @@ require 'rubygems'
 # stdlib
 require 'fileutils'
 require 'time'
-require 'yaml'
+require 'safe_yaml'
 require 'English'
 
 # 3rd party

lib/jekyll/migrators/drupal.rb

@@ -1,7 +1,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'
 
 # NOTE: This converter requires Sequel and the MySQL gems.
 # The MySQL gem can be difficult to install on OS X. Once you have MySQL

lib/jekyll/migrators/joomla.rb

@@ -1,7 +1,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'
 
 # NOTE: This migrator is made for Joomla 1.5 databases.
 # NOTE: This converter requires Sequel and the MySQL gems.

lib/jekyll/migrators/marley.rb

@@ -1,4 +1,4 @@
-require 'yaml'
+require 'safe_yaml'
 require 'fileutils'
 
 module Jekyll

lib/jekyll/migrators/mt.rb

@@ -5,7 +5,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'
 
 # NOTE: This converter requires Sequel and the MySQL gems.
 # The MySQL gem can be difficult to install on OS X. Once you have MySQL

lib/jekyll/migrators/rss.rb

@@ -13,7 +13,7 @@ require 'rss/1.0'
 require 'rss/2.0'
 require 'open-uri'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'
 
 module Jekyll
   module MigrateRSS

lib/jekyll/migrators/textpattern.rb

@@ -1,7 +1,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'
 
 # NOTE: This converter requires Sequel and the MySQL gems.
 # The MySQL gem can be difficult to install on OS X. Once you have MySQL

lib/jekyll/migrators/typo.rb

@@ -2,7 +2,7 @@
 require 'fileutils'
 require 'rubygems'
 require 'sequel'
-require 'yaml'
+require 'safe_yaml'
 
 module Jekyll
   module Typo

lib/jekyll/migrators/wordpress.rb

@@ -1,7 +1,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'
 
 # NOTE: This converter requires Sequel and the MySQL gems.
 # The MySQL gem can be difficult to install on OS X. Once you have MySQL

lib/jekyll/migrators/wordpressdotcom.rb

@@ -3,7 +3,7 @@
 require 'rubygems'
 require 'hpricot'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'
 require 'time'
 
 module Jekyll

test/fixtures/exploit_front_matter.erb

@@ -0,0 +1,4 @@
+---
+test: !ruby/hash:DoesNotExist {}
+---
+Real content starts here

test/test_convertible.rb

@@ -29,6 +29,13 @@ class TestConvertible < Test::Unit::TestCase
       assert_match(/#{File.join(@base, name)}/, out)
     end
 
+    should "not allow ruby objects in yaml" do
+      out = capture_stdout do
+        @convertible.read_yaml(@base, 'exploit_front_matter.erb')
+      end
+      assert_no_match /undefined class\/module DoesNotExist/, out
+    end
+
     if RUBY_VERSION >= '1.9.2'
       should "not parse if there is encoding error in file" do
         name = 'broken_front_matter3.erb'