diff --git a/lib/puppet.rb b/lib/puppet.rb index bce58d727..d4eb2bf58 100644 --- a/lib/puppet.rb +++ b/lib/puppet.rb @@ -1,265 +1,261 @@ require 'puppet/version' # see the bottom of the file for further inclusions # Also see the new Vendor support - towards the end # require 'facter' require 'puppet/error' require 'puppet/util' require 'puppet/util/autoload' require 'puppet/settings' require 'puppet/util/feature' require 'puppet/util/suidmanager' require 'puppet/util/run_mode' require 'puppet/external/pson/common' require 'puppet/external/pson/version' require 'puppet/external/pson/pure' #------------------------------------------------------------ # the top-level module # # all this really does is dictate how the whole system behaves, through # preferences for things like debugging # # it's also a place to find top-level commands like 'debug' # The main Puppet class. Everything is contained here. # # @api public module Puppet require 'puppet/file_system' require 'puppet/context' require 'puppet/environments' class << self include Puppet::Util attr_reader :features end # the hash that determines how our system behaves @@settings = Puppet::Settings.new # Note: It's important that these accessors (`self.settings`, `self.[]`) are # defined before we try to load any "features" (which happens a few lines below), # because the implementation of the features loading may examine the values of # settings. def self.settings @@settings end # Get the value for a setting # # @param [Symbol] param the setting to retrieve # # @api public def self.[](param) if param == :debug return Puppet::Util::Log.level == :debug else return @@settings[param] end end require 'puppet/util/logging' extend Puppet::Util::Logging # The feature collection @features = Puppet::Util::Feature.new('puppet/feature') # Load the base features. require 'puppet/feature/base' # Store a new default value. def self.define_settings(section, hash) @@settings.define_settings(section, hash) end # setting access and stuff def self.[]=(param,value) @@settings[param] = value end def self.clear @@settings.clear end def self.debug=(value) if value Puppet::Util::Log.level=(:debug) else Puppet::Util::Log.level=(:notice) end end def self.run_mode # This sucks (the existence of this method); there are a lot of places in our code that branch based the value of # "run mode", but there used to be some really confusing code paths that made it almost impossible to determine # when during the lifecycle of a puppet application run the value would be set properly. A lot of the lifecycle # stuff has been cleaned up now, but it still seems frightening that we rely so heavily on this value. # # I'd like to see about getting rid of the concept of "run_mode" entirely, but there are just too many places in # the code that call this method at the moment... so I've settled for isolating it inside of the Settings class # (rather than using a global variable, as we did previously...). Would be good to revisit this at some point. # # --cprice 2012-03-16 Puppet::Util::RunMode[@@settings.preferred_run_mode] end # Load all of the settings. require 'puppet/defaults' # Parse the config file for this process. # @deprecated Use {initialize_settings} def self.parse_config() Puppet.deprecation_warning("Puppet.parse_config is deprecated; please use Faces API (which will handle settings and state management for you), or (less desirable) call Puppet.initialize_settings") Puppet.initialize_settings end # Initialize puppet's settings. This is intended only for use by external tools that are not # built off of the Faces API or the Puppet::Util::Application class. It may also be used # to initialize state so that a Face may be used programatically, rather than as a stand-alone # command-line tool. # # @api public # @param args [Array] the command line arguments to use for initialization # @return [void] def self.initialize_settings(args = []) do_initialize_settings_for_run_mode(:user, args) end # Initialize puppet's settings for a specified run_mode. # # @deprecated Use {initialize_settings} def self.initialize_settings_for_run_mode(run_mode) Puppet.deprecation_warning("initialize_settings_for_run_mode may be removed in a future release, as may run_mode itself") do_initialize_settings_for_run_mode(run_mode, []) end # private helper method to provide the implementation details of initializing for a run mode, # but allowing us to control where the deprecation warning is issued def self.do_initialize_settings_for_run_mode(run_mode, args) Puppet.settings.initialize_global_settings(args) run_mode = Puppet::Util::RunMode[run_mode] Puppet.settings.initialize_app_defaults(Puppet::Settings.app_defaults_for_run_mode(run_mode)) Puppet.push_context(Puppet.base_context(Puppet.settings), "Initial context after settings initialization") Puppet::Parser::Functions.reset end private_class_method :do_initialize_settings_for_run_mode # Create a new type. Just proxy to the Type class. The mirroring query # code was deprecated in 2008, but this is still in heavy use. I suppose # this can count as a soft deprecation for the next dev. --daniel 2011-04-12 def self.newtype(name, options = {}, &block) Puppet::Type.newtype(name, options, &block) end # Load vendored (setup paths, and load what is needed upfront). # See the Vendor class for how to add additional vendored gems/code require "puppet/vendor" Puppet::Vendor.load_vendored - # Set default for YAML.load to unsafe so we don't affect programs - # requiring puppet -- in puppet we will call safe explicitly - SafeYAML::OPTIONS[:default_mode] = :unsafe - # The bindings used for initialization of puppet # @api private def self.base_context(settings) environments = settings[:environmentpath] modulepath = Puppet::Node::Environment.split_path(settings[:basemodulepath]) if environments.empty? loaders = [Puppet::Environments::Legacy.new] else loaders = Puppet::Environments::Directories.from_path(environments, modulepath) # in case the configured environment (used for the default sometimes) # doesn't exist default_environment = Puppet[:environment].to_sym if default_environment == :production loaders << Puppet::Environments::StaticPrivate.new( Puppet::Node::Environment.create(Puppet[:environment].to_sym, [], Puppet::Node::Environment::NO_MANIFEST)) end end { :environments => Puppet::Environments::Cached.new(*loaders), :http_pool => proc { require 'puppet/network/http' Puppet::Network::HTTP::NoCachePool.new } } end # A simple set of bindings that is just enough to limp along to # initialization where the {base_context} bindings are put in place # @api private def self.bootstrap_context root_environment = Puppet::Node::Environment.create(:'*root*', [], Puppet::Node::Environment::NO_MANIFEST) { :current_environment => root_environment, :root_environment => root_environment } end # @param overrides [Hash] A hash of bindings to be merged with the parent context. # @param description [String] A description of the context. # @api private def self.push_context(overrides, description = "") @context.push(overrides, description) end # Return to the previous context. # @raise [StackUnderflow] if the current context is the root # @api private def self.pop_context @context.pop end # Lookup a binding by name or return a default value provided by a passed block (if given). # @api private def self.lookup(name, &block) @context.lookup(name, &block) end # @param bindings [Hash] A hash of bindings to be merged with the parent context. # @param description [String] A description of the context. # @yield [] A block executed in the context of the temporarily pushed bindings. # @api private def self.override(bindings, description = "", &block) @context.override(bindings, description, &block) end # @api private def self.mark_context(name) @context.mark(name) end # @api private def self.rollback_context(name) @context.rollback(name) end require 'puppet/node' # The single instance used for normal operation @context = Puppet::Context.new(bootstrap_context) end # This feels weird to me; I would really like for us to get to a state where there is never a "require" statement # anywhere besides the very top of a file. That would not be possible at the moment without a great deal of # effort, but I think we should strive for it and revisit this at some point. --cprice 2012-03-16 require 'puppet/indirector' require 'puppet/type' require 'puppet/resource' require 'puppet/parser' require 'puppet/network' require 'puppet/ssl' require 'puppet/module' require 'puppet/data_binding' require 'puppet/util/storage' require 'puppet/status' require 'puppet/file_bucket/file' diff --git a/lib/puppet/vendor/require_vendored.rb b/lib/puppet/vendor/require_vendored.rb index d9f38fabc..d4e0fac0f 100644 --- a/lib/puppet/vendor/require_vendored.rb +++ b/lib/puppet/vendor/require_vendored.rb @@ -1,9 +1,6 @@ # This adds upfront requirements on vendored code found under lib/vendor/x # Add one requirement per vendored package (or a comment if it is loaded on demand). -require 'safe_yaml' -require 'puppet/vendor/safe_yaml_patches' - # The vendored library 'semantic' is loaded on demand. # The vendored library 'rgen' is loaded on demand. # The vendored library 'pathspec' is loaded on demand. diff --git a/lib/puppet/vendor/safe_yaml/.gitignore b/lib/puppet/vendor/safe_yaml/.gitignore deleted file mode 100644 index c6067bf39..000000000 --- a/lib/puppet/vendor/safe_yaml/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -Gemfile.lock -dist/ diff --git a/lib/puppet/vendor/safe_yaml/.travis.yml b/lib/puppet/vendor/safe_yaml/.travis.yml deleted file mode 100644 index ec42077cd..000000000 --- a/lib/puppet/vendor/safe_yaml/.travis.yml +++ /dev/null @@ -1,47 +0,0 @@ -language: - ruby - -before_install: - gem install bundler - -script: - bundle exec rake spec - -rvm: - - ruby-head - - 2.0.0 - - 1.9.3 - - 1.9.2 - - 1.8.7 - - rbx-19mode - - rbx-18mode - - jruby-head - - jruby-19mode - - jruby-18mode - - ree - -env: - - YAMLER=syck - - YAMLER=psych - -matrix: - allow_failures: - - rvm: ruby-head - - rvm: rbx-19mode - - rvm: rbx-18mode - - rvm: ree - - exclude: - - rvm: 1.8.7 - env: YAMLER=psych - - rvm: jruby-head - env: YAMLER=syck - - rvm: jruby-19mode - env: YAMLER=syck - - rvm: jruby-18mode - env: YAMLER=syck - -branches: - only: - - master - diff --git a/lib/puppet/vendor/safe_yaml/CHANGES.md b/lib/puppet/vendor/safe_yaml/CHANGES.md deleted file mode 100644 index 4dff37d5c..000000000 --- a/lib/puppet/vendor/safe_yaml/CHANGES.md +++ /dev/null @@ -1,104 +0,0 @@ -0.9.2 ------ - -- fixed error w/ parsing "!" when whitelisting tags -- fixed parsing of the number 0 (d'oh!) - -0.9.1 ------ - -- added Yecht support (JRuby) -- more bug fixes - -0.9.0 ------ - -- added `whitelist!` method for easily whitelisting tags -- added support for call-specific options -- removed deprecated methods - -0.8.6 ------ - -- fixed bug in float matcher - -0.8.5 ------ - -- performance improvements -- made less verbose by default -- bug fixes - -0.8.4 ------ - -- enhancements to parsing of integers, floats, and dates -- updated built-in whitelist -- more bug fixes - -0.8.3 ------ - -- fixed exception on parsing empty document -- fixed handling of octal & hexadecimal numbers - -0.8.2 ------ - -- bug fixes - -0.8.1 ------ - -- added `:raise_on_unknown_tag` option -- renamed `reset_defaults!` to `restore_defaults!` - -0.8 ---- - -- added tag whitelisting -- more API changes - -0.7 ---- - -- separated YAML engine support from Ruby version -- added support for binary scalars -- numerous bug fixes and enhancements - -0.6 ---- - -- several API changes -- added `SafeYAML::OPTIONS` for specifying default behavior - -0.5 ---- - -Added support for dates - -0.4 ---- - -- efficiency improvements -- made `YAML.load` use `YAML.safe_load` by default -- made symbol deserialization optional - -0.3 ---- - -Added Syck support - -0.2 ---- - -Added support for: - -- anchors & aliases -- booleans -- nils - -0.1 ---- - -Initial release diff --git a/lib/puppet/vendor/safe_yaml/Gemfile b/lib/puppet/vendor/safe_yaml/Gemfile deleted file mode 100644 index 24d7e3e5c..000000000 --- a/lib/puppet/vendor/safe_yaml/Gemfile +++ /dev/null @@ -1,11 +0,0 @@ -source "https://rubygems.org" - -gemspec - -group :development do - gem "hashie" - gem "heredoc_unindent" - gem "rake" - gem "rspec" - gem "travis-lint" -end diff --git a/lib/puppet/vendor/safe_yaml/LICENSE.txt b/lib/puppet/vendor/safe_yaml/LICENSE.txt deleted file mode 100644 index 4b276dd15..000000000 --- a/lib/puppet/vendor/safe_yaml/LICENSE.txt +++ /dev/null @@ -1,22 +0,0 @@ -Copyright (c) 2013 Dan Tao - -MIT License - -Permission is hereby granted, free of charge, to any person obtaining -a copy of this software and associated documentation files (the -"Software"), to deal in the Software without restriction, including -without limitation the rights to use, copy, modify, merge, publish, -distribute, sublicense, and/or sell copies of the Software, and to -permit persons to whom the Software is furnished to do so, subject to -the following conditions: - -The above copyright notice and this permission notice shall be -included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE -LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION -OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION -WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/lib/puppet/vendor/safe_yaml/PUPPET_README.md b/lib/puppet/vendor/safe_yaml/PUPPET_README.md deleted file mode 100644 index 55be8867c..000000000 --- a/lib/puppet/vendor/safe_yaml/PUPPET_README.md +++ /dev/null @@ -1,6 +0,0 @@ -SafeYAML -============================================= - -safe_yaml version 0.9.2 - -Copied from https://github.com/dtao/safe_yaml/tree/c5591b790472f7db413aaa28716f86ddf4929f48 diff --git a/lib/puppet/vendor/safe_yaml/README.md b/lib/puppet/vendor/safe_yaml/README.md deleted file mode 100644 index 58b39c071..000000000 --- a/lib/puppet/vendor/safe_yaml/README.md +++ /dev/null @@ -1,179 +0,0 @@ -SafeYAML -======== - -[![Build Status](https://travis-ci.org/dtao/safe_yaml.png)](http://travis-ci.org/dtao/safe_yaml) - -The **SafeYAML** gem provides an alternative implementation of `YAML.load` suitable for accepting user input in Ruby applications. Unlike Ruby's built-in implementation of `YAML.load`, SafeYAML's version will not expose apps to arbitrary code execution exploits (such as [the ones discovered](http://www.reddit.com/r/netsec/comments/167c11/serious_vulnerability_in_ruby_on_rails_allowing/) [in Rails in early 2013](http://www.h-online.com/open/news/item/Rails-developers-close-another-extremely-critical-flaw-1793511.html)). - -**If you encounter any issues with SafeYAML, check out the 'Common Issues' section below.** If you don't see anything that addresses the problem you're experiencing, by all means, [create an issue](https://github.com/dtao/safe_yaml/issues/new)! - -Installation ------------- - -Add this line to your application's Gemfile: - - gem "safe_yaml" - -And then execute: - - $ bundle - -Or install it yourself as: - - $ gem install safe_yaml - -Configuration -------------- - -Configuring SafeYAML should be quick. In most cases, you will probably only have to think about two things: - -1. What do you want the `YAML` module's *default* behavior to be? Set the `SafeYAML::OPTIONS[:default_mode]` option to either `:safe` or `:unsafe` to control this. If you do neither, SafeYAML will default to `:safe` mode but will issue a warning the first time you call `YAML.load`. -2. Do you want to allow symbols by default? Set the `SafeYAML::OPTIONS[:deserialize_symbols]` option to `true` or `false` to control this. The default is `false`, which means that SafeYAML will deserialize symbols in YAML documents as strings. - -For more information on these and other options, see the "Usage" section down below. - -Explanation ------------ - -Suppose your application were to use a popular open source library which contained code like this: - -```ruby -class ClassBuilder - def []=(key, value) - @class ||= Class.new - - @class.class_eval <<-EOS - def #{key} - #{value} - end - EOS - end - - def create - @class.new - end -end -``` - -Now, if you were to use `YAML.load` on user input anywhere in your application without the SafeYAML gem installed, an attacker who suspected you were using this library could send a request with a carefully-crafted YAML string to execute arbitrary code (yes, including `system("unix command")`) on your servers. - -This simple example demonstrates the vulnerability: - -```ruby -yaml = <<-EOYAML ---- !ruby/hash:ClassBuilder -"foo; end; puts %(I'm in yr system!); def bar": "baz" -EOYAML -``` - - > YAML.load(yaml) - I'm in yr system! - => #> - -With SafeYAML, the same attacker would be thwarted: - - > require "safe_yaml" - => true - > YAML.load(yaml, :safe => true) - => {"foo; end; puts %(I'm in yr system!); def bar"=>"baz"} - -Usage ------ - -When you require the safe_yaml gem in your project, `YAML.load` is patched to accept one additional (optional) `options` parameter. This changes the method signature as follows: - -- for Syck and Psych prior to Ruby 1.9.3: `YAML.load(yaml, options={})` -- for Psych in 1.9.3 and later: `YAML.load(yaml, filename=nil, options={})` - -The most important option is the `:safe` option (default: `true`), which controls whether or not to deserialize arbitrary objects when parsing a YAML document. The other options, along with explanations, are as follows. - -- `:deserialize_symbols` (default: `false`): Controls whether or not YAML will deserialize symbols. It is probably best to only enable this option where necessary, e.g. to make trusted libraries work. Symbols receive special treatment in Ruby and are not garbage collected, which means deserializing them indiscriminately may render your site vulnerable to a DOS attack (hence `false` as a default value). - -- `:whitelisted_tags`: Accepts an array of YAML tags that designate trusted types, e.g., ones that can be deserialized without worrying about any resulting security vulnerabilities. When any of the given tags are encountered in a YAML document, the associated data will be parsed by the underlying YAML engine (Syck or Psych) for the version of Ruby you are using. See the "Whitelisting Trusted Types" section below for more information. - -- `:custom_initializers`: Similar to the `:whitelisted_tags` option, but allows you to provide your own initializers for specified tags rather than using Syck or Psyck. Accepts a hash with string tags for keys and lambdas for values. - -- `:raise_on_unknown_tag` (default: `false`): Represents the highest possible level of paranoia (not necessarily a bad thing); if the YAML engine encounters any tag other than ones that are automatically trusted by SafeYAML or that you've explicitly whitelisted, it will raise an exception. This may be a good choice if you expect to always be dealing with perfectly safe YAML and want your application to fail loudly upon encountering questionable data. - -All of the above options can be set at the global level via `SafeYAML::OPTIONS`. You can also set each one individually per call to `YAML.load`; an option explicitly passed to `load` will take precedence over an option specified globally. - -Supported Types ---------------- - -The way that SafeYAML works is by restricting the kinds of objects that can be deserialized via `YAML.load`. More specifically, only the following types of objects can be deserialized by default: - -- Hashes -- Arrays -- Strings -- Numbers -- Dates -- Times -- Booleans -- Nils - -Again, deserialization of symbols can be enabled globally by setting `SafeYAML::OPTIONS[:deserialize_symbols] = true`, or in a specific call to `YAML.load([some yaml], :deserialize_symbols => true)`. - -Whitelisting Trusted Types --------------------------- - -SafeYAML supports whitelisting certain YAML tags for trusted types. This is handy when your application uses YAML to serialize and deserialize certain types not listed above, which you know to be free of any deserialization-related vulnerabilities. - -The easiest way to whitelist types is by calling `SafeYAML.whitelist!`, which can accept a variable number of safe types, e.g.: - -```ruby -SafeYAML.whitelist!(FrobDispenser, GobbleFactory) -``` - -You can also whitelist YAML *tags* via the `:whitelisted_tags` option: - -```ruby -# Using Syck -SafeYAML::OPTIONS[:whitelisted_tags] = ["tag:ruby.yaml.org,2002:object:OpenStruct"] - -# Using Psych -SafeYAML::OPTIONS[:whitelisted_tags] = ["!ruby/object:OpenStruct"] -``` - -And in case you were wondering: no, this feature will *not* allow would-be attackers to embed untrusted types within trusted types: - -```ruby -yaml = <<-EOYAML ---- !ruby/object:OpenStruct -table: - :backdoor: !ruby/hash:ClassBuilder - "foo; end; puts %(I'm in yr system!); def bar": "baz" -EOYAML -``` - - > YAML.safe_load(yaml) - => #"baz"}> - -Known Issues ------------- - -If you add SafeYAML to your project and start seeing any errors about missing keys, or you notice mysterious strings that look like `":foo"` (i.e., start with a colon), it's likely you're seeing errors from symbols being saved in YAML format. If you are able to modify the offending code, you might want to consider changing your YAML content to use plain vanilla strings instead of symbols. If not, you may need to set the `:deserialize_symbols` option to `true`, either in calls to `YAML.load` or--as a last resort--globally, with `SafeYAML::OPTIONS[:deserialize_symbols]`. - -Also be aware that some Ruby libraries, particularly those requiring inter-process communication, leverage YAML's object deserialization functionality and therefore may break or otherwise be impacted by SafeYAML. The following list includes known instances of SafeYAML's interaction with other Ruby gems: - -- [**ActiveRecord**](https://github.com/rails/rails/tree/master/activerecord): uses YAML to control serialization of model objects using the `serialize` class method. If you find that accessing serialized properties on your ActiveRecord models is causing errors, chances are you may need to: - 1. set the `:deserialize_symbols` option to `true`, - 2. whitelist some of the types in your serialized data via `SafeYAML.whitelist!` or the `:whitelisted_tags` option, or - 3. both -- [**Guard**](https://github.com/guard/guard): Uses YAML as a serialization format for notifications. The data serialized uses symbolic keys, so setting `SafeYAML::OPTIONS[:deserialize_symbols] = true` is necessary to allow Guard to work. -- [**sidekiq**](https://github.com/mperham/sidekiq): Uses a YAML configiuration file with symbolic keys, so setting `SafeYAML::OPTIONS[:deserialize_symbols] = true` should allow it to work. - -The above list will grow over time, as more issues are discovered. - -Caveat ------- - -My intention is to eventually adopt [semantic versioning](http://semver.org/) with this gem, if it ever gets to version 1.0 (i.e., doesn't become obsolete by then). Since it isn't there yet, that means that API may well change from one version to the next. Please keep that in mind if you are using it in your application. - -To be clear: my *goal* is for SafeYAML to make it as easy as possible to protect existing applications from object deserialization exploits. Any and all feedback is more than welcome! - -Requirements ------------- - -SafeYAML requires Ruby 1.8.7 or newer and works with both [Syck](http://www.ruby-doc.org/stdlib-1.8.7/libdoc/yaml/rdoc/YAML.html) and [Psych](http://github.com/tenderlove/psych). - -If you are using a version of Ruby where Psych is the default YAML engine (e.g., 1.9.3) but you want to use Syck, be sure to set `YAML::ENGINE.yamler = "syck"` **before** requiring the safe_yaml gem. diff --git a/lib/puppet/vendor/safe_yaml/Rakefile b/lib/puppet/vendor/safe_yaml/Rakefile deleted file mode 100644 index 3199194bc..000000000 --- a/lib/puppet/vendor/safe_yaml/Rakefile +++ /dev/null @@ -1,6 +0,0 @@ -require "rspec/core/rake_task" - -desc "Run specs" -RSpec::Core::RakeTask.new(:spec) do |t| - t.rspec_opts = %w(--color) -end diff --git a/lib/puppet/vendor/safe_yaml/lib/safe_yaml.rb b/lib/puppet/vendor/safe_yaml/lib/safe_yaml.rb deleted file mode 100644 index 8670acec2..000000000 --- a/lib/puppet/vendor/safe_yaml/lib/safe_yaml.rb +++ /dev/null @@ -1,253 +0,0 @@ -require "yaml" - -# This needs to be defined up front in case any internal classes need to base -# their behavior off of this. -module SafeYAML - YAML_ENGINE = defined?(YAML::ENGINE) ? YAML::ENGINE.yamler : "syck" -end - -require "set" -require "safe_yaml/deep" -require "safe_yaml/parse/hexadecimal" -require "safe_yaml/parse/sexagesimal" -require "safe_yaml/parse/date" -require "safe_yaml/transform/transformation_map" -require "safe_yaml/transform/to_boolean" -require "safe_yaml/transform/to_date" -require "safe_yaml/transform/to_float" -require "safe_yaml/transform/to_integer" -require "safe_yaml/transform/to_nil" -require "safe_yaml/transform/to_symbol" -require "safe_yaml/transform" -require "safe_yaml/resolver" -require "safe_yaml/syck_hack" if defined?(JRUBY_VERSION) - -module SafeYAML - MULTI_ARGUMENT_YAML_LOAD = YAML.method(:load).arity != 1 - - DEFAULT_OPTIONS = Deep.freeze({ - :default_mode => nil, - :suppress_warnings => false, - :deserialize_symbols => false, - :whitelisted_tags => [], - :custom_initializers => {}, - :raise_on_unknown_tag => false - }) - - OPTIONS = Deep.copy(DEFAULT_OPTIONS) - - module_function - def restore_defaults! - OPTIONS.clear.merge!(Deep.copy(DEFAULT_OPTIONS)) - end - - def tag_safety_check!(tag, options) - return if tag.nil? || tag == "!" - if options[:raise_on_unknown_tag] && !options[:whitelisted_tags].include?(tag) && !tag_is_explicitly_trusted?(tag) - raise "Unknown YAML tag '#{tag}'" - end - end - - def whitelist!(*classes) - classes.each do |klass| - whitelist_class!(klass) - end - end - - def whitelist_class!(klass) - raise "#{klass} not a Class" unless klass.is_a?(::Class) - - klass_name = klass.name - raise "#{klass} cannot be anonymous" if klass_name.nil? || klass_name.empty? - - # Whitelist any built-in YAML tags supplied by Syck or Psych. - predefined_tag = predefined_tags[klass] - if predefined_tag - OPTIONS[:whitelisted_tags] << predefined_tag - return - end - - # Exception is exceptional (har har). - tag_class = klass < Exception ? "exception" : "object" - - tag_prefix = case YAML_ENGINE - when "psych" then "!ruby/#{tag_class}" - when "syck" then "tag:ruby.yaml.org,2002:#{tag_class}" - else raise "unknown YAML_ENGINE #{YAML_ENGINE}" - end - OPTIONS[:whitelisted_tags] << "#{tag_prefix}:#{klass_name}" - end - - def predefined_tags - if @predefined_tags.nil? - @predefined_tags = {} - - if YAML_ENGINE == "syck" - YAML.tagged_classes.each do |tag, klass| - @predefined_tags[klass] = tag - end - - else - # Special tags appear to be hard-coded in Psych: - # https://github.com/tenderlove/psych/blob/v1.3.4/lib/psych/visitors/to_ruby.rb - # Fortunately, there aren't many that SafeYAML doesn't already support. - @predefined_tags.merge!({ - Exception => "!ruby/exception", - Range => "!ruby/range", - Regexp => "!ruby/regexp", - }) - end - end - - @predefined_tags - end - - if YAML_ENGINE == "psych" - def tag_is_explicitly_trusted?(tag) - false - end - - else - TRUSTED_TAGS = Set.new([ - "tag:yaml.org,2002:binary", - "tag:yaml.org,2002:bool#no", - "tag:yaml.org,2002:bool#yes", - "tag:yaml.org,2002:float", - "tag:yaml.org,2002:float#fix", - "tag:yaml.org,2002:int", - "tag:yaml.org,2002:map", - "tag:yaml.org,2002:null", - "tag:yaml.org,2002:seq", - "tag:yaml.org,2002:str", - "tag:yaml.org,2002:timestamp", - "tag:yaml.org,2002:timestamp#ymd" - ]).freeze - - def tag_is_explicitly_trusted?(tag) - TRUSTED_TAGS.include?(tag) - end - end -end - -module YAML - def self.load_with_options(yaml, *original_arguments) - filename, options = filename_and_options_from_arguments(original_arguments) - safe_mode = safe_mode_from_options("load", options) - arguments = [yaml] - - if safe_mode == :safe - arguments << filename if SafeYAML::YAML_ENGINE == "psych" - arguments << options_for_safe_load(options) - safe_load(*arguments) - else - arguments << filename if SafeYAML::MULTI_ARGUMENT_YAML_LOAD - unsafe_load(*arguments) - end - end - - def self.load_file_with_options(file, options={}) - safe_mode = safe_mode_from_options("load_file", options) - if safe_mode == :safe - safe_load_file(file, options_for_safe_load(options)) - else - unsafe_load_file(file) - end - end - - if SafeYAML::YAML_ENGINE == "psych" - require "safe_yaml/psych_handler" - require "safe_yaml/psych_resolver" - require "safe_yaml/safe_to_ruby_visitor" - - def self.safe_load(yaml, filename=nil, options={}) - # If the user hasn't whitelisted any tags, we can go with this implementation which is - # significantly faster. - if (options && options[:whitelisted_tags] || SafeYAML::OPTIONS[:whitelisted_tags]).empty? - safe_handler = SafeYAML::PsychHandler.new(options) - arguments_for_parse = [yaml] - arguments_for_parse << filename if SafeYAML::MULTI_ARGUMENT_YAML_LOAD - Psych::Parser.new(safe_handler).parse(*arguments_for_parse) - return safe_handler.result || false - - else - safe_resolver = SafeYAML::PsychResolver.new(options) - tree = SafeYAML::MULTI_ARGUMENT_YAML_LOAD ? - Psych.parse(yaml, filename) : - Psych.parse(yaml) - return safe_resolver.resolve_node(tree) - end - end - - def self.safe_load_file(filename, options={}) - File.open(filename, 'r:bom|utf-8') { |f| self.safe_load(f, filename, options) } - end - - def self.unsafe_load_file(filename) - if SafeYAML::MULTI_ARGUMENT_YAML_LOAD - # https://github.com/tenderlove/psych/blob/v1.3.2/lib/psych.rb#L296-298 - File.open(filename, 'r:bom|utf-8') { |f| self.unsafe_load(f, filename) } - else - # https://github.com/tenderlove/psych/blob/v1.2.2/lib/psych.rb#L231-233 - self.unsafe_load File.open(filename) - end - end - - else - require "safe_yaml/syck_resolver" - require "safe_yaml/syck_node_monkeypatch" - - def self.safe_load(yaml, options={}) - resolver = SafeYAML::SyckResolver.new(SafeYAML::OPTIONS.merge(options || {})) - tree = YAML.parse(yaml) - return resolver.resolve_node(tree) - end - - def self.safe_load_file(filename, options={}) - File.open(filename) { |f| self.safe_load(f, options) } - end - - def self.unsafe_load_file(filename) - # https://github.com/indeyets/syck/blob/master/ext/ruby/lib/yaml.rb#L133-135 - File.open(filename) { |f| self.unsafe_load(f) } - end - end - - class << self - alias_method :unsafe_load, :load - alias_method :load, :load_with_options - alias_method :load_file, :load_file_with_options - - private - def filename_and_options_from_arguments(arguments) - if arguments.count == 1 - if arguments.first.is_a?(String) - return arguments.first, {} - else - return nil, arguments.first || {} - end - - else - return arguments.first, arguments.last || {} - end - end - - def safe_mode_from_options(method, options={}) - if options[:safe].nil? - safe_mode = SafeYAML::OPTIONS[:default_mode] || :safe - if SafeYAML::OPTIONS[:default_mode].nil? && !SafeYAML::OPTIONS[:suppress_warnings] - Kernel.warn "Called '#{method}' without the :safe option -- defaulting to #{safe_mode} mode." - SafeYAML::OPTIONS[:suppress_warnings] = true - end - return safe_mode - end - - options[:safe] ? :safe : :unsafe - end - - def options_for_safe_load(base_options) - options = base_options.dup - options.delete(:safe) - options - end - end -end diff --git a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/deep.rb b/lib/puppet/vendor/safe_yaml/lib/safe_yaml/deep.rb deleted file mode 100644 index 6a5e037fb..000000000 --- a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/deep.rb +++ /dev/null @@ -1,34 +0,0 @@ -module SafeYAML - class Deep - def self.freeze(object) - object.each do |*entry| - value = entry.last - case value - when String, Regexp - value.freeze - when Enumerable - Deep.freeze(value) - end - end - - return object.freeze - end - - def self.copy(object) - duplicate = object.dup rescue object - - case object - when Array - (0...duplicate.count).each do |i| - duplicate[i] = Deep.copy(duplicate[i]) - end - when Hash - duplicate.keys.each do |key| - duplicate[key] = Deep.copy(duplicate[key]) - end - end - - duplicate - end - end -end diff --git a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/parse/date.rb b/lib/puppet/vendor/safe_yaml/lib/safe_yaml/parse/date.rb deleted file mode 100644 index 077294145..000000000 --- a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/parse/date.rb +++ /dev/null @@ -1,27 +0,0 @@ -module SafeYAML - class Parse - class Date - # This one's easy enough :) - DATE_MATCHER = /\A(\d{4})-(\d{2})-(\d{2})\Z/.freeze - - # This unbelievable little gem is taken basically straight from the YAML spec, but made - # slightly more readable (to my poor eyes at least) to me: - # http://yaml.org/type/timestamp.html - TIME_MATCHER = /\A\d{4}-\d{1,2}-\d{1,2}(?:[Tt]|\s+)\d{1,2}:\d{2}:\d{2}(?:\.\d*)?\s*(?:Z|[-+]\d{1,2}(?::?\d{2})?)?\Z/.freeze - - SECONDS_PER_DAY = 60 * 60 * 24 - MICROSECONDS_PER_SECOND = 1000000 - - # So this is weird. In Ruby 1.8.7, the DateTime#sec_fraction method returned fractional - # seconds in units of DAYS for some reason. In 1.9.2, they changed the units -- much more - # reasonably -- to seconds. - SEC_FRACTION_MULTIPLIER = RUBY_VERSION == "1.8.7" ? (SECONDS_PER_DAY * MICROSECONDS_PER_SECOND) : MICROSECONDS_PER_SECOND - - def self.value(value) - d = DateTime.parse(value) - usec = d.sec_fraction * SEC_FRACTION_MULTIPLIER - Time.utc(d.year, d.month, d.day, d.hour, d.min, d.sec, usec) - (d.offset * SECONDS_PER_DAY) - end - end - end -end diff --git a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/parse/hexadecimal.rb b/lib/puppet/vendor/safe_yaml/lib/safe_yaml/parse/hexadecimal.rb deleted file mode 100644 index 8da362495..000000000 --- a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/parse/hexadecimal.rb +++ /dev/null @@ -1,12 +0,0 @@ -module SafeYAML - class Parse - class Hexadecimal - MATCHER = /\A[-+]?0x[0-9a-fA-F_]+\Z/.freeze - - def self.value(value) - # This is safe to do since we already validated the value. - return Integer(value.gsub(/_/, "")) - end - end - end -end diff --git a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/parse/sexagesimal.rb b/lib/puppet/vendor/safe_yaml/lib/safe_yaml/parse/sexagesimal.rb deleted file mode 100644 index 3fff5bb16..000000000 --- a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/parse/sexagesimal.rb +++ /dev/null @@ -1,26 +0,0 @@ -module SafeYAML - class Parse - class Sexagesimal - INTEGER_MATCHER = /\A[-+]?[0-9][0-9_]*(:[0-5]?[0-9])+\Z/.freeze - FLOAT_MATCHER = /\A[-+]?[0-9][0-9_]*(:[0-5]?[0-9])+\.[0-9_]*\Z/.freeze - - def self.value(value) - before_decimal, after_decimal = value.split(".") - - whole_part = 0 - multiplier = 1 - - before_decimal = before_decimal.split(":") - until before_decimal.empty? - whole_part += (Float(before_decimal.pop) * multiplier) - multiplier *= 60 - end - - result = whole_part - result += Float("." + after_decimal) unless after_decimal.nil? - result *= -1 if value[0] == "-" - result - end - end - end -end diff --git a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/psych_handler.rb b/lib/puppet/vendor/safe_yaml/lib/safe_yaml/psych_handler.rb deleted file mode 100644 index 327fbc193..000000000 --- a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/psych_handler.rb +++ /dev/null @@ -1,92 +0,0 @@ -require "psych" -require "base64" - -module SafeYAML - class PsychHandler < Psych::Handler - def initialize(options) - @options = SafeYAML::OPTIONS.merge(options || {}) - @initializers = @options[:custom_initializers] || {} - @anchors = {} - @stack = [] - @current_key = nil - @result = nil - end - - def result - @result - end - - def add_to_current_structure(value, anchor=nil, quoted=nil, tag=nil) - value = Transform.to_proper_type(value, quoted, tag, @options) - - @anchors[anchor] = value if anchor - - if @result.nil? - @result = value - @current_structure = @result - return - end - - if @current_structure.respond_to?(:<<) - @current_structure << value - - elsif @current_structure.respond_to?(:[]=) - if @current_key.nil? - @current_key = value - - else - if @current_key == "<<" - @current_structure.merge!(value) - else - @current_structure[@current_key] = value - end - - @current_key = nil - end - - else - raise "Don't know how to add to a #{@current_structure.class}!" - end - end - - def end_current_structure - @stack.pop - @current_structure = @stack.last - end - - def streaming? - false - end - - # event handlers - def alias(anchor) - add_to_current_structure(@anchors[anchor]) - end - - def scalar(value, anchor, tag, plain, quoted, style) - add_to_current_structure(value, anchor, quoted, tag) - end - - def start_mapping(anchor, tag, implicit, style) - map = @initializers.include?(tag) ? @initializers[tag].call : {} - self.add_to_current_structure(map, anchor) - @current_structure = map - @stack.push(map) - end - - def end_mapping - self.end_current_structure() - end - - def start_sequence(anchor, tag, implicit, style) - seq = @initializers.include?(tag) ? @initializers[tag].call : [] - self.add_to_current_structure(seq, anchor) - @current_structure = seq - @stack.push(seq) - end - - def end_sequence - self.end_current_structure() - end - end -end diff --git a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/psych_resolver.rb b/lib/puppet/vendor/safe_yaml/lib/safe_yaml/psych_resolver.rb deleted file mode 100644 index 851989bef..000000000 --- a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/psych_resolver.rb +++ /dev/null @@ -1,52 +0,0 @@ -module SafeYAML - class PsychResolver < Resolver - NODE_TYPES = { - Psych::Nodes::Document => :root, - Psych::Nodes::Mapping => :map, - Psych::Nodes::Sequence => :seq, - Psych::Nodes::Scalar => :scalar, - Psych::Nodes::Alias => :alias - }.freeze - - def initialize(options={}) - super - @aliased_nodes = {} - end - - def resolve_root(root) - resolve_seq(root).first - end - - def resolve_alias(node) - resolve_node(@aliased_nodes[node.anchor]) - end - - def native_resolve(node) - @visitor ||= SafeYAML::SafeToRubyVisitor.new(self) - @visitor.accept(node) - end - - def get_node_type(node) - NODE_TYPES[node.class] - end - - def get_node_tag(node) - node.tag - end - - def get_node_value(node) - @aliased_nodes[node.anchor] = node if node.respond_to?(:anchor) && node.anchor - - case get_node_type(node) - when :root, :map, :seq - node.children - when :scalar - node.value - end - end - - def value_is_quoted?(node) - node.quoted - end - end -end diff --git a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/resolver.rb b/lib/puppet/vendor/safe_yaml/lib/safe_yaml/resolver.rb deleted file mode 100644 index d15343f6f..000000000 --- a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/resolver.rb +++ /dev/null @@ -1,94 +0,0 @@ -module SafeYAML - class Resolver - def initialize(options) - @options = SafeYAML::OPTIONS.merge(options || {}) - @whitelist = @options[:whitelisted_tags] || [] - @initializers = @options[:custom_initializers] || {} - @raise_on_unknown_tag = @options[:raise_on_unknown_tag] - end - - def resolve_node(node) - return node if !node - return self.native_resolve(node) if tag_is_whitelisted?(self.get_node_tag(node)) - - case self.get_node_type(node) - when :root - resolve_root(node) - when :map - resolve_map(node) - when :seq - resolve_seq(node) - when :scalar - resolve_scalar(node) - when :alias - resolve_alias(node) - else - raise "Don't know how to resolve this node: #{node.inspect}" - end - end - - def resolve_map(node) - tag = get_and_check_node_tag(node) - hash = @initializers.include?(tag) ? @initializers[tag].call : {} - map = normalize_map(self.get_node_value(node)) - - # Take the "<<" key nodes first, as these are meant to approximate a form of inheritance. - inheritors = map.select { |key_node, value_node| resolve_node(key_node) == "<<" } - inheritors.each do |key_node, value_node| - merge_into_hash(hash, resolve_node(value_node)) - end - - # All that's left should be normal (non-"<<") nodes. - (map - inheritors).each do |key_node, value_node| - hash[resolve_node(key_node)] = resolve_node(value_node) - end - - return hash - end - - def resolve_seq(node) - seq = self.get_node_value(node) - - tag = get_and_check_node_tag(node) - arr = @initializers.include?(tag) ? @initializers[tag].call : [] - - seq.inject(arr) { |array, node| array << resolve_node(node) } - end - - def resolve_scalar(node) - Transform.to_proper_type(self.get_node_value(node), self.value_is_quoted?(node), get_and_check_node_tag(node), @options) - end - - def get_and_check_node_tag(node) - tag = self.get_node_tag(node) - SafeYAML.tag_safety_check!(tag, @options) - tag - end - - def tag_is_whitelisted?(tag) - @whitelist.include?(tag) - end - - def options - @options - end - - private - def normalize_map(map) - # Syck creates Hashes from maps. - if map.is_a?(Hash) - map.inject([]) { |arr, key_and_value| arr << key_and_value } - - # Psych is really weird; it flattens out a Hash completely into: [key, value, key, value, ...] - else - map.each_slice(2).to_a - end - end - - def merge_into_hash(hash, array) - array.each do |key, value| - hash[key] = value - end - end - end -end diff --git a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/safe_to_ruby_visitor.rb b/lib/puppet/vendor/safe_yaml/lib/safe_yaml/safe_to_ruby_visitor.rb deleted file mode 100644 index 0a8c4228d..000000000 --- a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/safe_to_ruby_visitor.rb +++ /dev/null @@ -1,17 +0,0 @@ -module SafeYAML - class SafeToRubyVisitor < Psych::Visitors::ToRuby - def initialize(resolver) - super() - @resolver = resolver - end - - def accept(node) - if node.tag - SafeYAML.tag_safety_check!(node.tag, @resolver.options) - return super - end - - @resolver.resolve_node(node) - end - end -end diff --git a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/syck_hack.rb b/lib/puppet/vendor/safe_yaml/lib/safe_yaml/syck_hack.rb deleted file mode 100644 index 08a5e478e..000000000 --- a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/syck_hack.rb +++ /dev/null @@ -1,36 +0,0 @@ -# Hack to JRuby 1.8's YAML Parser Yecht -# -# This file is always loaded AFTER either syck or psych are already -# loaded. It then looks at what constants are available and creates -# a consistent view on all rubys. -# -# Taken from rubygems and modified. -# See https://github.com/rubygems/rubygems/blob/master/lib/rubygems/syck_hack.rb - -module YAML - # In newer 1.9.2, there is a Syck toplevel constant instead of it - # being underneith YAML. If so, reference it back under YAML as - # well. - if defined? ::Syck - # for tests that change YAML::ENGINE - # 1.8 does not support the second argument to const_defined? - remove_const :Syck rescue nil - - Syck = ::Syck - - # JRuby's "Syck" is called "Yecht" - elsif defined? YAML::Yecht - Syck = YAML::Yecht - end -end - -# Sometime in the 1.9 dev cycle, the Syck constant was moved from under YAML -# to be a toplevel constant. So gemspecs created under these versions of Syck -# will have references to Syck::DefaultKey. -# -# So we need to be sure that we reference Syck at the toplevel too so that -# we can always load these kind of gemspecs. -# -if !defined?(Syck) - Syck = YAML::Syck -end diff --git a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/syck_node_monkeypatch.rb b/lib/puppet/vendor/safe_yaml/lib/safe_yaml/syck_node_monkeypatch.rb deleted file mode 100644 index c026376cd..000000000 --- a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/syck_node_monkeypatch.rb +++ /dev/null @@ -1,43 +0,0 @@ -# This is, admittedly, pretty insane. Fundamentally the challenge here is this: if we want to allow -# whitelisting of tags (while still leveraging Syck's internal functionality), then we have to -# change how Syck::Node#transform works. But since we (SafeYAML) do not control instantiation of -# Syck::Node objects, we cannot, for example, subclass Syck::Node and override #tranform the "easy" -# way. So the only choice is to monkeypatch, like this. And the only way to make this work -# recursively with potentially call-specific options (that my feeble brain can think of) is to set -# pseudo-global options on the first call and unset them once the recursive stack has fully unwound. - -monkeypatch = <<-EORUBY - class Node - @@safe_transform_depth = 0 - @@safe_transform_whitelist = nil - - def safe_transform(options={}) - begin - @@safe_transform_depth += 1 - @@safe_transform_whitelist ||= options[:whitelisted_tags] - - if self.type_id - SafeYAML.tag_safety_check!(self.type_id, options) - return unsafe_transform if @@safe_transform_whitelist.include?(self.type_id) - end - - SafeYAML::SyckResolver.new.resolve_node(self) - - ensure - @@safe_transform_depth -= 1 - if @@safe_transform_depth == 0 - @@safe_transform_whitelist = nil - end - end - end - - alias_method :unsafe_transform, :transform - alias_method :transform, :safe_transform - end -EORUBY - -if defined?(YAML::Syck::Node) - YAML::Syck.module_eval monkeypatch -else - Syck.module_eval monkeypatch -end diff --git a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/syck_resolver.rb b/lib/puppet/vendor/safe_yaml/lib/safe_yaml/syck_resolver.rb deleted file mode 100644 index 10d55ab37..000000000 --- a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/syck_resolver.rb +++ /dev/null @@ -1,38 +0,0 @@ -module SafeYAML - class SyckResolver < Resolver - QUOTE_STYLES = [ - :quote1, - :quote2 - ].freeze - - NODE_TYPES = { - Hash => :map, - Array => :seq, - String => :scalar - }.freeze - - def initialize(options={}) - super - end - - def native_resolve(node) - node.transform(self.options) - end - - def get_node_type(node) - NODE_TYPES[node.value.class] - end - - def get_node_tag(node) - node.type_id - end - - def get_node_value(node) - node.value - end - - def value_is_quoted?(node) - QUOTE_STYLES.include?(node.instance_variable_get(:@style)) - end - end -end diff --git a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform.rb b/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform.rb deleted file mode 100644 index d61d1a995..000000000 --- a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform.rb +++ /dev/null @@ -1,41 +0,0 @@ -require 'base64' - -module SafeYAML - class Transform - TRANSFORMERS = [ - Transform::ToSymbol.new, - Transform::ToInteger.new, - Transform::ToFloat.new, - Transform::ToNil.new, - Transform::ToBoolean.new, - Transform::ToDate.new - ] - - def self.to_guessed_type(value, quoted=false, options=nil) - return value if quoted - - if value.is_a?(String) - TRANSFORMERS.each do |transformer| - success, transformed_value = transformer.method(:transform?).arity == 1 ? - transformer.transform?(value) : - transformer.transform?(value, options) - - return transformed_value if success - end - end - - value - end - - def self.to_proper_type(value, quoted=false, tag=nil, options=nil) - case tag - when "tag:yaml.org,2002:binary", "x-private:binary", "!binary" - decoded = Base64.decode64(value) - decoded = decoded.force_encoding(value.encoding) if decoded.respond_to?(:force_encoding) - decoded - else - self.to_guessed_type(value, quoted, options) - end - end - end -end diff --git a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform/to_boolean.rb b/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform/to_boolean.rb deleted file mode 100644 index 99dc85efe..000000000 --- a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform/to_boolean.rb +++ /dev/null @@ -1,21 +0,0 @@ -module SafeYAML - class Transform - class ToBoolean - include TransformationMap - - set_predefined_values({ - "yes" => true, - "on" => true, - "true" => true, - "no" => false, - "off" => false, - "false" => false - }) - - def transform?(value) - return false if value.length > 5 - return PREDEFINED_VALUES.include?(value), PREDEFINED_VALUES[value] - end - end - end -end diff --git a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform/to_date.rb b/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform/to_date.rb deleted file mode 100644 index f8f12654b..000000000 --- a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform/to_date.rb +++ /dev/null @@ -1,11 +0,0 @@ -module SafeYAML - class Transform - class ToDate - def transform?(value) - return true, Date.parse(value) if Parse::Date::DATE_MATCHER.match(value) - return true, Parse::Date.value(value) if Parse::Date::TIME_MATCHER.match(value) - false - end - end - end -end diff --git a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform/to_float.rb b/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform/to_float.rb deleted file mode 100644 index 4ee3f5fbf..000000000 --- a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform/to_float.rb +++ /dev/null @@ -1,33 +0,0 @@ -module SafeYAML - class Transform - class ToFloat - Infinity = 1.0 / 0.0 - NaN = 0.0 / 0.0 - - PREDEFINED_VALUES = { - ".inf" => Infinity, - ".Inf" => Infinity, - ".INF" => Infinity, - "-.inf" => -Infinity, - "-.Inf" => -Infinity, - "-.INF" => -Infinity, - ".nan" => NaN, - ".NaN" => NaN, - ".NAN" => NaN, - }.freeze - - MATCHER = /\A[-+]?(?:\d[\d_]*)?\.[\d_]+(?:[eE][-+][\d]+)?\Z/.freeze - - def transform?(value) - return true, Float(value) if MATCHER.match(value) - try_edge_cases?(value) - end - - def try_edge_cases?(value) - return true, PREDEFINED_VALUES[value] if PREDEFINED_VALUES.include?(value) - return true, Parse::Sexagesimal.value(value) if Parse::Sexagesimal::FLOAT_MATCHER.match(value) - return false - end - end - end -end diff --git a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform/to_integer.rb b/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform/to_integer.rb deleted file mode 100644 index 25222d2a8..000000000 --- a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform/to_integer.rb +++ /dev/null @@ -1,25 +0,0 @@ -module SafeYAML - class Transform - class ToInteger - MATCHERS = Deep.freeze([ - /\A[-+]?(0|([1-9][0-9_,]*))\Z/, # decimal - /\A0[0-7]+\Z/, # octal - /\A0x[0-9a-f]+\Z/i, # hexadecimal - /\A0b[01_]+\Z/ # binary - ]) - - def transform?(value) - MATCHERS.each do |matcher| - return true, Integer(value.gsub(",", "")) if matcher.match(value) - end - try_edge_cases?(value) - end - - def try_edge_cases?(value) - return true, Parse::Hexadecimal.value(value) if Parse::Hexadecimal::MATCHER.match(value) - return true, Parse::Sexagesimal.value(value) if Parse::Sexagesimal::INTEGER_MATCHER.match(value) - return false - end - end - end -end diff --git a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform/to_nil.rb b/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform/to_nil.rb deleted file mode 100644 index 258ad462f..000000000 --- a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform/to_nil.rb +++ /dev/null @@ -1,18 +0,0 @@ -module SafeYAML - class Transform - class ToNil - include TransformationMap - - set_predefined_values({ - "" => nil, - "~" => nil, - "null" => nil, - }) - - def transform?(value) - return false if value.length > 4 - return PREDEFINED_VALUES.include?(value), PREDEFINED_VALUES[value] - end - end - end -end diff --git a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform/to_symbol.rb b/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform/to_symbol.rb deleted file mode 100644 index d7eb49422..000000000 --- a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform/to_symbol.rb +++ /dev/null @@ -1,13 +0,0 @@ -module SafeYAML - class Transform - class ToSymbol - MATCHER = /\A:"?(\w+)"?\Z/.freeze - - def transform?(value, options=nil) - options ||= SafeYAML::OPTIONS - return false unless options[:deserialize_symbols] && MATCHER.match(value) - return true, $1.to_sym - end - end - end -end diff --git a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform/transformation_map.rb b/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform/transformation_map.rb deleted file mode 100644 index d4e45ec52..000000000 --- a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/transform/transformation_map.rb +++ /dev/null @@ -1,47 +0,0 @@ -module SafeYAML - class Transform - module TransformationMap - def self.included(base) - base.extend(ClassMethods) - end - - class CaseAgnosticMap < Hash - def initialize(*args) - super - end - - def include?(key) - super(key.downcase) - end - - def [](key) - super(key.downcase) - end - - # OK, I actually don't think it's all that important that this map be - # frozen. - def freeze - self - end - end - - module ClassMethods - def set_predefined_values(predefined_values) - if SafeYAML::YAML_ENGINE == "syck" - expanded_map = predefined_values.inject({}) do |hash, (key, value)| - hash[key] = value - hash[key.capitalize] = value - hash[key.upcase] = value - hash - end - else - expanded_map = CaseAgnosticMap.new - expanded_map.merge!(predefined_values) - end - - self.const_set(:PREDEFINED_VALUES, expanded_map.freeze) - end - end - end - end -end diff --git a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/version.rb b/lib/puppet/vendor/safe_yaml/lib/safe_yaml/version.rb deleted file mode 100644 index 056d2b0ba..000000000 --- a/lib/puppet/vendor/safe_yaml/lib/safe_yaml/version.rb +++ /dev/null @@ -1,3 +0,0 @@ -module SafeYAML - VERSION = "0.9.2" -end diff --git a/lib/puppet/vendor/safe_yaml/run_specs_all_ruby_versions.sh b/lib/puppet/vendor/safe_yaml/run_specs_all_ruby_versions.sh deleted file mode 100755 index 4c1778719..000000000 --- a/lib/puppet/vendor/safe_yaml/run_specs_all_ruby_versions.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash - -[[ -s "$HOME/.rvm/scripts/rvm" ]] && . "$HOME/.rvm/scripts/rvm" - -rvm use 1.8.7@safe_yaml -rake spec - -rvm use 1.9.2@safe_yaml -YAMLER=syck rake spec - -rvm use 1.9.3@safe_yaml -YAMLER=syck rake spec - -rvm use 1.9.2@safe_yaml -YAMLER=psych rake spec - -rvm use 1.9.3@safe_yaml -YAMLER=psych rake spec - -rvm use 2.0.0@safe_yaml -YAMLER=psych rake spec diff --git a/lib/puppet/vendor/safe_yaml/safe_yaml.gemspec b/lib/puppet/vendor/safe_yaml/safe_yaml.gemspec deleted file mode 100644 index dbcd92691..000000000 --- a/lib/puppet/vendor/safe_yaml/safe_yaml.gemspec +++ /dev/null @@ -1,18 +0,0 @@ -# -*- encoding: utf-8 -*- -require File.join(File.dirname(__FILE__), "lib", "safe_yaml", "version") - -Gem::Specification.new do |gem| - gem.name = "safe_yaml" - gem.version = SafeYAML::VERSION - gem.authors = "Dan Tao" - gem.email = "daniel.tao@gmail.com" - gem.description = %q{Parse YAML safely, without that pesky arbitrary object deserialization vulnerability} - gem.summary = %q{SameYAML provides an alternative implementation of YAML.load suitable for accepting user input in Ruby applications.} - gem.homepage = "http://dtao.github.com/safe_yaml/" - gem.license = "MIT" - gem.files = `git ls-files`.split($\) - gem.test_files = gem.files.grep(%r{^spec/}) - gem.require_paths = ["lib"] - - gem.required_ruby_version = ">= 1.8.7" -end diff --git a/lib/puppet/vendor/safe_yaml/spec/exploit.1.9.2.yaml b/lib/puppet/vendor/safe_yaml/spec/exploit.1.9.2.yaml deleted file mode 100644 index bdd70cc67..000000000 --- a/lib/puppet/vendor/safe_yaml/spec/exploit.1.9.2.yaml +++ /dev/null @@ -1,2 +0,0 @@ ---- !ruby/object:ExploitableBackDoor -foo: bar diff --git a/lib/puppet/vendor/safe_yaml/spec/exploit.1.9.3.yaml b/lib/puppet/vendor/safe_yaml/spec/exploit.1.9.3.yaml deleted file mode 100644 index c24e04b8d..000000000 --- a/lib/puppet/vendor/safe_yaml/spec/exploit.1.9.3.yaml +++ /dev/null @@ -1,2 +0,0 @@ ---- !ruby/hash:ExploitableBackDoor -foo: bar diff --git a/lib/puppet/vendor/safe_yaml/spec/psych_resolver_spec.rb b/lib/puppet/vendor/safe_yaml/spec/psych_resolver_spec.rb deleted file mode 100644 index 269be5d28..000000000 --- a/lib/puppet/vendor/safe_yaml/spec/psych_resolver_spec.rb +++ /dev/null @@ -1,10 +0,0 @@ -require File.join(File.dirname(__FILE__), "spec_helper") - -if SafeYAML::YAML_ENGINE == "psych" - require "safe_yaml/psych_resolver" - - describe SafeYAML::PsychResolver do - include ResolverSpecs - let(:resolver) { SafeYAML::PsychResolver.new } - end -end diff --git a/lib/puppet/vendor/safe_yaml/spec/resolver_specs.rb b/lib/puppet/vendor/safe_yaml/spec/resolver_specs.rb deleted file mode 100644 index 5e070b07f..000000000 --- a/lib/puppet/vendor/safe_yaml/spec/resolver_specs.rb +++ /dev/null @@ -1,250 +0,0 @@ -module ResolverSpecs - def self.included(base) - base.module_eval do - let(:resolver) { nil } - let(:result) { @result } - - def parse(yaml) - tree = YAML.parse(yaml.unindent) - @result = resolver.resolve_node(tree) - end - - # Isn't this how I should've been doing it all along? - def parse_and_test(yaml) - parse(yaml) - @result.should == YAML.unsafe_load(yaml) - end - - context "by default" do - it "translates maps to hashes" do - parse <<-YAML - potayto: potahto - tomayto: tomahto - YAML - - result.should == { - "potayto" => "potahto", - "tomayto" => "tomahto" - } - end - - it "translates sequences to arrays" do - parse <<-YAML - - foo - - bar - - baz - YAML - - result.should == ["foo", "bar", "baz"] - end - - it "translates most values to strings" do - parse "string: value" - result.should == { "string" => "value" } - end - - it "does not deserialize symbols" do - parse ":symbol: value" - result.should == { ":symbol" => "value" } - end - - it "translates valid integral numbers to integers" do - parse "integer: 1" - result.should == { "integer" => 1 } - end - - it "translates valid decimal numbers to floats" do - parse "float: 3.14" - result.should == { "float" => 3.14 } - end - - it "translates valid dates" do - parse "date: 2013-01-24" - result.should == { "date" => Date.parse("2013-01-24") } - end - - it "translates valid true/false values to booleans" do - parse <<-YAML - - yes - - true - - no - - false - YAML - - result.should == [true, true, false, false] - end - - it "translates valid nulls to nil" do - parse <<-YAML - - - - ~ - - null - YAML - - result.should == [nil] * 3 - end - - it "matches the behavior of the underlying YAML engine w/ respect to capitalization of boolean values" do - parse_and_test <<-YAML - - true - - True - - TRUE - - tRue - - TRue - - False - - FALSE - - fAlse - - FALse - YAML - - # using Syck: [true, true, true, "tRue", "TRue", false, false, "fAlse", "FALse"] - # using Psych: all booleans - end - - it "matches the behavior of the underlying YAML engine w/ respect to capitalization of nil values" do - parse_and_test <<-YAML - - Null - - NULL - - nUll - - NUll - YAML - - # using Syck: [nil, nil, "nUll", "NUll"] - # using Psych: all nils - end - - it "translates quoted empty strings to strings (not nil)" do - parse "foo: ''" - result.should == { "foo" => "" } - end - - it "correctly reverse-translates strings encoded via #to_yaml" do - parse "5.10".to_yaml - result.should == "5.10" - end - - it "does not specially parse any double-quoted strings" do - parse <<-YAML - - "1" - - "3.14" - - "true" - - "false" - - "2013-02-03" - - "2013-02-03 16:27:00 -0600" - YAML - - result.should == ["1", "3.14", "true", "false", "2013-02-03", "2013-02-03 16:27:00 -0600"] - end - - it "does not specially parse any single-quoted strings" do - parse <<-YAML - - '1' - - '3.14' - - 'true' - - 'false' - - '2013-02-03' - - '2013-02-03 16:27:00 -0600' - YAML - - result.should == ["1", "3.14", "true", "false", "2013-02-03", "2013-02-03 16:27:00 -0600"] - end - - it "deals just fine with nested maps" do - parse <<-YAML - foo: - bar: - marco: polo - YAML - - result.should == { "foo" => { "bar" => { "marco" => "polo" } } } - end - - it "deals just fine with nested sequences" do - parse <<-YAML - - foo - - - - bar1 - - bar2 - - - - baz1 - - baz2 - YAML - - result.should == ["foo", ["bar1", "bar2", ["baz1", "baz2"]]] - end - - it "applies the same transformations to keys as to values" do - parse <<-YAML - foo: string - :bar: symbol - 1: integer - 3.14: float - 2013-01-24: date - YAML - - result.should == { - "foo" => "string", - ":bar" => "symbol", - 1 => "integer", - 3.14 => "float", - Date.parse("2013-01-24") => "date", - } - end - - it "applies the same transformations to elements in sequences as to all values" do - parse <<-YAML - - foo - - :bar - - 1 - - 3.14 - - 2013-01-24 - YAML - - result.should == ["foo", ":bar", 1, 3.14, Date.parse("2013-01-24")] - end - end - - context "for Ruby version #{RUBY_VERSION}" do - it "translates valid time values" do - parse "time: 2013-01-29 05:58:00 -0800" - result.should == { "time" => Time.utc(2013, 1, 29, 13, 58, 0) } - end - - it "applies the same transformation to elements in sequences" do - parse "- 2013-01-29 05:58:00 -0800" - result.should == [Time.utc(2013, 1, 29, 13, 58, 0)] - end - - it "applies the same transformation to keys" do - parse "2013-01-29 05:58:00 -0800: time" - result.should == { Time.utc(2013, 1, 29, 13, 58, 0) => "time" } - end - end - - context "with symbol deserialization enabled" do - before :each do - SafeYAML::OPTIONS[:deserialize_symbols] = true - end - - after :each do - SafeYAML.restore_defaults! - end - - it "translates values starting with ':' to symbols" do - parse "symbol: :value" - result.should == { "symbol" => :value } - end - - it "applies the same transformation to keys" do - parse ":bar: symbol" - result.should == { :bar => "symbol" } - end - - it "applies the same transformation to elements in sequences" do - parse "- :bar" - result.should == [:bar] - end - end - end - end -end diff --git a/lib/puppet/vendor/safe_yaml/spec/safe_yaml_spec.rb b/lib/puppet/vendor/safe_yaml/spec/safe_yaml_spec.rb deleted file mode 100644 index d454b162e..000000000 --- a/lib/puppet/vendor/safe_yaml/spec/safe_yaml_spec.rb +++ /dev/null @@ -1,702 +0,0 @@ -require File.join(File.dirname(__FILE__), "spec_helper") - -require "exploitable_back_door" - -describe YAML do - # Essentially stolen from: - # https://github.com/rails/rails/blob/3-2-stable/activesupport/lib/active_support/core_ext/kernel/reporting.rb#L10-25 - def silence_warnings - $VERBOSE = nil; yield - ensure - $VERBOSE = true - end - - def safe_load_round_trip(object, options={}) - yaml = object.to_yaml - if SafeYAML::YAML_ENGINE == "psych" - YAML.safe_load(yaml, nil, options) - else - YAML.safe_load(yaml, options) - end - end - - before :each do - SafeYAML.restore_defaults! - end - - after :each do - SafeYAML.restore_defaults! - end - - describe "unsafe_load" do - if SafeYAML::YAML_ENGINE == "psych" && RUBY_VERSION >= "1.9.3" - it "allows exploits through objects defined in YAML w/ !ruby/hash via custom :[]= methods" do - backdoor = YAML.unsafe_load("--- !ruby/hash:ExploitableBackDoor\nfoo: bar\n") - backdoor.should be_exploited_through_setter - end - - it "allows exploits through objects defined in YAML w/ !ruby/object via the :init_with method" do - backdoor = YAML.unsafe_load("--- !ruby/object:ExploitableBackDoor\nfoo: bar\n") - backdoor.should be_exploited_through_init_with - end - end - - it "allows exploits through objects w/ sensitive instance variables defined in YAML w/ !ruby/object" do - backdoor = YAML.unsafe_load("--- !ruby/object:ExploitableBackDoor\nfoo: bar\n") - backdoor.should be_exploited_through_ivars - end - - context "with special whitelisted tags defined" do - before :each do - SafeYAML::whitelist!(OpenStruct) - end - - it "effectively ignores the whitelist (since everything is whitelisted)" do - result = YAML.unsafe_load <<-YAML.unindent - --- !ruby/object:OpenStruct - table: - :backdoor: !ruby/object:ExploitableBackDoor - foo: bar - YAML - - result.should be_a(OpenStruct) - result.backdoor.should be_exploited_through_ivars - end - end - end - - describe "safe_load" do - it "does NOT allow exploits through objects defined in YAML w/ !ruby/hash" do - object = YAML.safe_load("--- !ruby/hash:ExploitableBackDoor\nfoo: bar\n") - object.should_not be_a(ExploitableBackDoor) - end - - it "does NOT allow exploits through objects defined in YAML w/ !ruby/object" do - object = YAML.safe_load("--- !ruby/object:ExploitableBackDoor\nfoo: bar\n") - object.should_not be_a(ExploitableBackDoor) - end - - context "for YAML engine #{SafeYAML::YAML_ENGINE}" do - if SafeYAML::YAML_ENGINE == "psych" - let(:options) { nil } - let(:arguments) { ["foo: bar", nil, options] } - - context "when no tags are whitelisted" do - it "constructs a SafeYAML::PsychHandler to resolve nodes as they're parsed, for optimal performance" do - Psych::Parser.should_receive(:new).with an_instance_of(SafeYAML::PsychHandler) - # This won't work now; we just want to ensure Psych::Parser#parse was in fact called. - YAML.safe_load(*arguments) rescue nil - end - end - - context "when whitelisted tags are specified" do - let(:options) { - { :whitelisted_tags => ["foo"] } - } - - it "instead uses Psych to construct a full tree before examining the nodes" do - Psych.should_receive(:parse) - # This won't work now; we just want to ensure Psych::Parser#parse was in fact called. - YAML.safe_load(*arguments) rescue nil - end - end - end - - if SafeYAML::YAML_ENGINE == "syck" - it "uses Syck internally to parse YAML" do - YAML.should_receive(:parse).with("foo: bar") - # This won't work now; we just want to ensure YAML::parse was in fact called. - YAML.safe_load("foo: bar") rescue nil - end - end - end - - it "loads a plain ol' YAML document just fine" do - result = YAML.safe_load <<-YAML.unindent - foo: - number: 1 - string: Hello, there! - symbol: :blah - sequence: - - hi - - bye - YAML - - result.should == { - "foo" => { - "number" => 1, - "string" => "Hello, there!", - "symbol" => ":blah", - "sequence" => ["hi", "bye"] - } - } - end - - it "works for YAML documents with anchors and aliases" do - result = YAML.safe_load <<-YAML - - &id001 {} - - *id001 - - *id001 - YAML - - result.should == [{}, {}, {}] - end - - it "works for YAML documents with binary tagged keys" do - result = YAML.safe_load <<-YAML - ? !!binary > - Zm9v - : "bar" - ? !!binary > - YmFy - : "baz" - YAML - - result.should == {"foo" => "bar", "bar" => "baz"} - end - - it "works for YAML documents with binary tagged values" do - result = YAML.safe_load <<-YAML - "foo": !!binary > - YmFy - "bar": !!binary > - YmF6 - YAML - - result.should == {"foo" => "bar", "bar" => "baz"} - end - - it "works for YAML documents with binary tagged array values" do - result = YAML.safe_load <<-YAML - - !binary |- - Zm9v - - !binary |- - YmFy - YAML - - result.should == ["foo", "bar"] - end - - it "works for YAML documents with sections" do - result = YAML.safe_load <<-YAML - mysql: &mysql - adapter: mysql - pool: 30 - login: &login - username: user - password: password123 - development: &development - <<: *mysql - <<: *login - host: localhost - YAML - - result.should == { - "mysql" => { - "adapter" => "mysql", - "pool" => 30 - }, - "login" => { - "username" => "user", - "password" => "password123" - }, - "development" => { - "adapter" => "mysql", - "pool" => 30, - "username" => "user", - "password" => "password123", - "host" => "localhost" - } - } - end - - it "correctly prefers explicitly defined values over default values from included sections" do - # Repeating this test 100 times to increase the likelihood of running into an issue caused by - # non-deterministic hash key enumeration. - 100.times do - result = YAML.safe_load <<-YAML - defaults: &defaults - foo: foo - bar: bar - baz: baz - custom: - <<: *defaults - bar: custom_bar - baz: custom_baz - YAML - - result["custom"].should == { - "foo" => "foo", - "bar" => "custom_bar", - "baz" => "custom_baz" - } - end - end - - it "works with multi-level inheritance" do - result = YAML.safe_load <<-YAML - defaults: &defaults - foo: foo - bar: bar - baz: baz - custom: &custom - <<: *defaults - bar: custom_bar - baz: custom_baz - grandcustom: &grandcustom - <<: *custom - YAML - - result.should == { - "defaults" => { "foo" => "foo", "bar" => "bar", "baz" => "baz" }, - "custom" => { "foo" => "foo", "bar" => "custom_bar", "baz" => "custom_baz" }, - "grandcustom" => { "foo" => "foo", "bar" => "custom_bar", "baz" => "custom_baz" } - } - end - - it "returns false when parsing an empty document" do - result = YAML.safe_load "" - result.should == false - end - - context "with custom initializers defined" do - before :each do - if SafeYAML::YAML_ENGINE == "psych" - SafeYAML::OPTIONS[:custom_initializers] = { - "!set" => lambda { Set.new }, - "!hashiemash" => lambda { Hashie::Mash.new } - } - else - SafeYAML::OPTIONS[:custom_initializers] = { - "tag:yaml.org,2002:set" => lambda { Set.new }, - "tag:yaml.org,2002:hashiemash" => lambda { Hashie::Mash.new } - } - end - end - - it "will use a custom initializer to instantiate an array-like class upon deserialization" do - result = YAML.safe_load <<-YAML.unindent - --- !set - - 1 - - 2 - - 3 - YAML - - result.should be_a(Set) - result.to_a.should =~ [1, 2, 3] - end - - it "will use a custom initializer to instantiate a hash-like class upon deserialization" do - result = YAML.safe_load <<-YAML.unindent - --- !hashiemash - foo: bar - YAML - - result.should be_a(Hashie::Mash) - result.to_hash.should == { "foo" => "bar" } - end - end - - context "with special whitelisted tags defined" do - before :each do - SafeYAML::whitelist!(OpenStruct) - - # Necessary for deserializing OpenStructs properly. - SafeYAML::OPTIONS[:deserialize_symbols] = true - end - - it "will allow objects to be deserialized for whitelisted tags" do - result = YAML.safe_load("--- !ruby/object:OpenStruct\ntable:\n foo: bar\n") - result.should be_a(OpenStruct) - result.instance_variable_get(:@table).should == { "foo" => "bar" } - end - - it "will not deserialize objects without whitelisted tags" do - result = YAML.safe_load("--- !ruby/hash:ExploitableBackDoor\nfoo: bar\n") - result.should_not be_a(ExploitableBackDoor) - result.should == { "foo" => "bar" } - end - - it "will not allow non-whitelisted objects to be embedded within objects with whitelisted tags" do - result = YAML.safe_load <<-YAML.unindent - --- !ruby/object:OpenStruct - table: - :backdoor: !ruby/object:ExploitableBackDoor - foo: bar - YAML - - result.should be_a(OpenStruct) - result.backdoor.should_not be_a(ExploitableBackDoor) - result.backdoor.should == { "foo" => "bar" } - end - - context "with the :raise_on_unknown_tag option enabled" do - before :each do - SafeYAML::OPTIONS[:raise_on_unknown_tag] = true - end - - after :each do - SafeYAML.restore_defaults! - end - - it "raises an exception if a non-nil, non-whitelisted tag is encountered" do - lambda { - YAML.safe_load <<-YAML.unindent - --- !ruby/object:Unknown - foo: bar - YAML - }.should raise_error - end - - it "checks all tags, even those within objects with trusted tags" do - lambda { - YAML.safe_load <<-YAML.unindent - --- !ruby/object:OpenStruct - table: - :backdoor: !ruby/object:Unknown - foo: bar - YAML - }.should raise_error - end - - it "does not raise an exception as long as all tags are whitelisted" do - result = YAML.safe_load <<-YAML.unindent - --- !ruby/object:OpenStruct - table: - :backdoor: - string: foo - integer: 1 - float: 3.14 - symbol: :bar - date: 2013-02-20 - array: [] - hash: {} - YAML - - result.should be_a(OpenStruct) - result.backdoor.should == { - "string" => "foo", - "integer" => 1, - "float" => 3.14, - "symbol" => :bar, - "date" => Date.parse("2013-02-20"), - "array" => [], - "hash" => {} - } - end - - it "does not raise an exception on the non-specific '!' tag" do - result = nil - expect { result = YAML.safe_load "--- ! 'foo'" }.to_not raise_error - result.should == "foo" - end - - context "with whitelisted custom class" do - class SomeClass - attr_accessor :foo - end - let(:instance) { SomeClass.new } - - before do - SafeYAML::whitelist!(SomeClass) - instance.foo = 'with trailing whitespace: ' - end - - it "does not raise an exception on the non-specific '!' tag" do - result = nil - expect { result = YAML.safe_load(instance.to_yaml) }.to_not raise_error - result.foo.should == 'with trailing whitespace: ' - end - end - end - end - - context "when options are passed direclty to #load which differ from the defaults" do - let(:default_options) { {} } - - before :each do - SafeYAML::OPTIONS.merge!(default_options) - end - - context "(for example, when symbol deserialization is enabled by default)" do - let(:default_options) { { :deserialize_symbols => true } } - - it "goes with the default option when it is not overridden" do - silence_warnings do - YAML.load(":foo: bar").should == { :foo => "bar" } - end - end - - it "allows the default option to be overridden on a per-call basis" do - silence_warnings do - YAML.load(":foo: bar", :deserialize_symbols => false).should == { ":foo" => "bar" } - YAML.load(":foo: bar", :deserialize_symbols => true).should == { :foo => "bar" } - end - end - end - - context "(or, for example, when certain tags are whitelisted)" do - let(:default_options) { - { - :deserialize_symbols => true, - :whitelisted_tags => SafeYAML::YAML_ENGINE == "psych" ? - ["!ruby/object:OpenStruct"] : - ["tag:ruby.yaml.org,2002:object:OpenStruct"] - } - } - - it "goes with the default option when it is not overridden" do - result = safe_load_round_trip(OpenStruct.new(:foo => "bar")) - result.should be_a(OpenStruct) - result.foo.should == "bar" - end - - it "allows the default option to be overridden on a per-call basis" do - result = safe_load_round_trip(OpenStruct.new(:foo => "bar"), :whitelisted_tags => []) - result.should == { "table" => { :foo => "bar" } } - - result = safe_load_round_trip(OpenStruct.new(:foo => "bar"), :deserialize_symbols => false, :whitelisted_tags => []) - result.should == { "table" => { ":foo" => "bar" } } - end - end - end - end - - describe "unsafe_load_file" do - if SafeYAML::YAML_ENGINE == "psych" && RUBY_VERSION >= "1.9.3" - it "allows exploits through objects defined in YAML w/ !ruby/hash via custom :[]= methods" do - backdoor = YAML.unsafe_load_file "spec/exploit.1.9.3.yaml" - backdoor.should be_exploited_through_setter - end - end - - if SafeYAML::YAML_ENGINE == "psych" && RUBY_VERSION >= "1.9.2" - it "allows exploits through objects defined in YAML w/ !ruby/object via the :init_with method" do - backdoor = YAML.unsafe_load_file "spec/exploit.1.9.2.yaml" - backdoor.should be_exploited_through_init_with - end - end - - it "allows exploits through objects w/ sensitive instance variables defined in YAML w/ !ruby/object" do - backdoor = YAML.unsafe_load_file "spec/exploit.1.9.2.yaml" - backdoor.should be_exploited_through_ivars - end - end - - describe "safe_load_file" do - it "does NOT allow exploits through objects defined in YAML w/ !ruby/hash" do - object = YAML.safe_load_file "spec/exploit.1.9.3.yaml" - object.should_not be_a(ExploitableBackDoor) - end - - it "does NOT allow exploits through objects defined in YAML w/ !ruby/object" do - object = YAML.safe_load_file "spec/exploit.1.9.2.yaml" - object.should_not be_a(ExploitableBackDoor) - end - end - - describe "load" do - let(:options) { {} } - - let (:arguments) { - if SafeYAML::MULTI_ARGUMENT_YAML_LOAD - ["foo: bar", nil, options] - else - ["foo: bar", options] - end - } - - context "as long as a :default_mode has been specified" do - it "doesn't issue a warning for safe mode, since an explicit mode has been set" do - SafeYAML::OPTIONS[:default_mode] = :safe - Kernel.should_not_receive(:warn) - YAML.load(*arguments) - end - - it "doesn't issue a warning for unsafe mode, since an explicit mode has been set" do - SafeYAML::OPTIONS[:default_mode] = :unsafe - Kernel.should_not_receive(:warn) - YAML.load(*arguments) - end - end - - context "when the :safe options is specified" do - let(:safe_mode) { true } - let(:options) { { :safe => safe_mode } } - - it "doesn't issue a warning" do - Kernel.should_not_receive(:warn) - YAML.load(*arguments) - end - - it "calls #safe_load if the :safe option is set to true" do - YAML.should_receive(:safe_load) - YAML.load(*arguments) - end - - context "when the :safe option is set to false" do - let(:safe_mode) { false } - - it "calls #unsafe_load if the :safe option is set to false" do - YAML.should_receive(:unsafe_load) - YAML.load(*arguments) - end - end - end - - it "issues a warning when the :safe option is omitted" do - silence_warnings do - Kernel.should_receive(:warn) - YAML.load(*arguments) - end - end - - it "only issues a warning once (to avoid spamming an app's output)" do - silence_warnings do - Kernel.should_receive(:warn).once - 2.times { YAML.load(*arguments) } - end - end - - it "defaults to safe mode if the :safe option is omitted" do - silence_warnings do - YAML.should_receive(:safe_load) - YAML.load(*arguments) - end - end - - context "with the default mode set to :unsafe" do - before :each do - SafeYAML::OPTIONS[:default_mode] = :unsafe - end - - it "defaults to unsafe mode if the :safe option is omitted" do - silence_warnings do - YAML.should_receive(:unsafe_load) - YAML.load(*arguments) - end - end - - it "calls #safe_load if the :safe option is set to true" do - YAML.should_receive(:safe_load) - YAML.load(*(arguments + [{ :safe => true }])) - end - end - end - - describe "load_file" do - let(:filename) { "spec/exploit.1.9.2.yaml" } # doesn't really matter - - it "issues a warning if the :safe option is omitted" do - silence_warnings do - Kernel.should_receive(:warn) - YAML.load_file(filename) - end - end - - it "doesn't issue a warning as long as the :safe option is specified" do - Kernel.should_not_receive(:warn) - YAML.load_file(filename, :safe => true) - end - - it "defaults to safe mode if the :safe option is omitted" do - silence_warnings do - YAML.should_receive(:safe_load_file) - YAML.load_file(filename) - end - end - - it "calls #safe_load_file if the :safe option is set to true" do - YAML.should_receive(:safe_load_file) - YAML.load_file(filename, :safe => true) - end - - it "calls #unsafe_load_file if the :safe option is set to false" do - YAML.should_receive(:unsafe_load_file) - YAML.load_file(filename, :safe => false) - end - - context "with arbitrary object deserialization enabled by default" do - before :each do - SafeYAML::OPTIONS[:default_mode] = :unsafe - end - - it "defaults to unsafe mode if the :safe option is omitted" do - silence_warnings do - YAML.should_receive(:unsafe_load_file) - YAML.load_file(filename) - end - end - - it "calls #safe_load if the :safe option is set to true" do - YAML.should_receive(:safe_load_file) - YAML.load_file(filename, :safe => true) - end - end - end - - describe "whitelist!" do - context "not a class" do - it "should raise" do - expect { SafeYAML::whitelist! :foo }.to raise_error(/not a Class/) - SafeYAML::OPTIONS[:whitelisted_tags].should be_empty - end - end - - context "anonymous class" do - it "should raise" do - expect { SafeYAML::whitelist! Class.new }.to raise_error(/cannot be anonymous/) - SafeYAML::OPTIONS[:whitelisted_tags].should be_empty - end - end - - context "with a Class as its argument" do - it "should configure correctly" do - expect { SafeYAML::whitelist! OpenStruct }.to_not raise_error - SafeYAML::OPTIONS[:whitelisted_tags].grep(/OpenStruct\Z/).should_not be_empty - end - - it "successfully deserializes the specified class" do - SafeYAML.whitelist!(OpenStruct) - - # necessary for properly assigning OpenStruct attributes - SafeYAML::OPTIONS[:deserialize_symbols] = true - - result = safe_load_round_trip(OpenStruct.new(:foo => "bar")) - result.should be_a(OpenStruct) - result.foo.should == "bar" - end - - it "works for ranges" do - SafeYAML.whitelist!(Range) - safe_load_round_trip(1..10).should == (1..10) - end - - it "works for regular expressions" do - SafeYAML.whitelist!(Regexp) - safe_load_round_trip(/foo/).should == /foo/ - end - - it "works for multiple classes" do - SafeYAML.whitelist!(Range, Regexp) - safe_load_round_trip([(1..10), /bar/]).should == [(1..10), /bar/] - end - - it "works for arbitrary Exception subclasses" do - class CustomException < Exception - attr_reader :custom_message - - def initialize(custom_message) - @custom_message = custom_message - end - end - - SafeYAML.whitelist!(CustomException) - - ex = safe_load_round_trip(CustomException.new("blah")) - ex.should be_a(CustomException) - ex.custom_message.should == "blah" - end - end - end -end diff --git a/lib/puppet/vendor/safe_yaml/spec/spec_helper.rb b/lib/puppet/vendor/safe_yaml/spec/spec_helper.rb deleted file mode 100644 index 17c849d08..000000000 --- a/lib/puppet/vendor/safe_yaml/spec/spec_helper.rb +++ /dev/null @@ -1,18 +0,0 @@ -HERE = File.dirname(__FILE__) unless defined?(HERE) -ROOT = File.join(HERE, "..") unless defined?(ROOT) - -$LOAD_PATH << File.join(ROOT, "lib") -$LOAD_PATH << File.join(HERE, "support") - -require "yaml" -if ENV["YAMLER"] && defined?(YAML::ENGINE) - YAML::ENGINE.yamler = ENV["YAMLER"] - puts "Running specs in Ruby #{RUBY_VERSION} with '#{YAML::ENGINE.yamler}' YAML engine." -end - -require "safe_yaml" -require "ostruct" -require "hashie" -require "heredoc_unindent" - -require File.join(HERE, "resolver_specs") diff --git a/lib/puppet/vendor/safe_yaml/spec/support/exploitable_back_door.rb b/lib/puppet/vendor/safe_yaml/spec/support/exploitable_back_door.rb deleted file mode 100644 index 48754b463..000000000 --- a/lib/puppet/vendor/safe_yaml/spec/support/exploitable_back_door.rb +++ /dev/null @@ -1,29 +0,0 @@ -class ExploitableBackDoor - def exploited? - @exploited_through_setter || @exploited_through_init_with || @exploited_through_ivars - end - - def exploited_through_setter? - @exploited_through_setter - end - - def exploited_through_init_with? - @exploited_through_init_with - end - - def exploited_through_ivars? - self.instance_variables.any? - end - - def init_with(command) - # Note: this is how bad this COULD be. - # system("#{command}") - @exploited_through_init_with = true - end - - def []=(command, arguments) - # Note: this is how bad this COULD be. - # system("#{command} #{arguments}") - @exploited_through_setter = true - end -end diff --git a/lib/puppet/vendor/safe_yaml/spec/syck_resolver_spec.rb b/lib/puppet/vendor/safe_yaml/spec/syck_resolver_spec.rb deleted file mode 100644 index a9c542195..000000000 --- a/lib/puppet/vendor/safe_yaml/spec/syck_resolver_spec.rb +++ /dev/null @@ -1,10 +0,0 @@ -require File.join(File.dirname(__FILE__), "spec_helper") - -if SafeYAML::YAML_ENGINE == "syck" - require "safe_yaml/syck_resolver" - - describe SafeYAML::SyckResolver do - include ResolverSpecs - let(:resolver) { SafeYAML::SyckResolver.new } - end -end diff --git a/lib/puppet/vendor/safe_yaml/spec/transform/base64_spec.rb b/lib/puppet/vendor/safe_yaml/spec/transform/base64_spec.rb deleted file mode 100644 index da872fb1e..000000000 --- a/lib/puppet/vendor/safe_yaml/spec/transform/base64_spec.rb +++ /dev/null @@ -1,11 +0,0 @@ -require File.join(File.dirname(__FILE__), "..", "spec_helper") - -describe SafeYAML::Transform do - it "should return the same encoding when decoding Base64" do - value = "c3VyZS4=" - decoded = SafeYAML::Transform.to_proper_type(value, false, "!binary") - - decoded.should == "sure." - decoded.encoding.should == value.encoding if decoded.respond_to?(:encoding) - end -end diff --git a/lib/puppet/vendor/safe_yaml/spec/transform/to_date_spec.rb b/lib/puppet/vendor/safe_yaml/spec/transform/to_date_spec.rb deleted file mode 100644 index 4c5429e6c..000000000 --- a/lib/puppet/vendor/safe_yaml/spec/transform/to_date_spec.rb +++ /dev/null @@ -1,34 +0,0 @@ -require File.join(File.dirname(__FILE__), "..", "spec_helper") - -describe SafeYAML::Transform::ToDate do - it "returns true when the value matches a valid Date" do - subject.transform?("2013-01-01").should == [true, Date.parse("2013-01-01")] - end - - it "returns false when the value does not match a valid Date" do - subject.transform?("foobar").should be_false - end - - it "returns false when the value does not end with a Date" do - subject.transform?("2013-01-01\nNOT A DATE").should be_false - end - - it "returns false when the value does not begin with a Date" do - subject.transform?("NOT A DATE\n2013-01-01").should be_false - end - - it "correctly parses the remaining formats of the YAML spec" do - equivalent_values = [ - "2001-12-15T02:59:43.1Z", # canonical - "2001-12-14t21:59:43.10-05:00", # iso8601 - "2001-12-14 21:59:43.10 -5", # space separated - "2001-12-15 2:59:43.10" # no time zone (Z) - ] - - equivalent_values.each do |value| - success, result = subject.transform?(value) - success.should be_true - result.should == Time.utc(2001, 12, 15, 2, 59, 43, 100000) - end - end -end diff --git a/lib/puppet/vendor/safe_yaml/spec/transform/to_float_spec.rb b/lib/puppet/vendor/safe_yaml/spec/transform/to_float_spec.rb deleted file mode 100644 index 9f56685b5..000000000 --- a/lib/puppet/vendor/safe_yaml/spec/transform/to_float_spec.rb +++ /dev/null @@ -1,42 +0,0 @@ -require File.join(File.dirname(__FILE__), "..", "spec_helper") - -describe SafeYAML::Transform::ToFloat do - it "returns true when the value matches a valid Float" do - subject.transform?("20.00").should == [true, 20.0] - end - - it "returns false when the value does not match a valid Float" do - subject.transform?("foobar").should be_false - end - - it "returns false when the value spans multiple lines" do - subject.transform?("20.00\nNOT A FLOAT").should be_false - end - - it "correctly parses all formats in the YAML spec" do - # canonical - subject.transform?("6.8523015e+5").should == [true, 685230.15] - - # exponentioal - subject.transform?("685.230_15e+03").should == [true, 685230.15] - - # fixed - subject.transform?("685_230.15").should == [true, 685230.15] - - # sexagesimal - subject.transform?("190:20:30.15").should == [true, 685230.15] - - # infinity - subject.transform?("-.inf").should == [true, (-1.0 / 0.0)] - - # not a number - # NOTE: can't use == here since NaN != NaN - success, result = subject.transform?(".NaN") - success.should be_true; result.should be_nan - end - - # issue 29 - it "returns false for the string '.'" do - subject.transform?(".").should be_false - end -end diff --git a/lib/puppet/vendor/safe_yaml/spec/transform/to_integer_spec.rb b/lib/puppet/vendor/safe_yaml/spec/transform/to_integer_spec.rb deleted file mode 100644 index 8423417ca..000000000 --- a/lib/puppet/vendor/safe_yaml/spec/transform/to_integer_spec.rb +++ /dev/null @@ -1,59 +0,0 @@ -require File.join(File.dirname(__FILE__), "..", "spec_helper") - -describe SafeYAML::Transform::ToInteger do - it "returns true when the value matches a valid Integer" do - subject.transform?("10").should == [true, 10] - end - - it "returns false when the value does not match a valid Integer" do - subject.transform?("foobar").should be_false - end - - it "returns false when the value spans multiple lines" do - subject.transform?("10\nNOT AN INTEGER").should be_false - end - - it "allows commas in the number" do - subject.transform?("1,000").should == [true, 1000] - end - - it "correctly parses numbers in octal format" do - subject.transform?("010").should == [true, 8] - end - - it "correctly parses numbers in hexadecimal format" do - subject.transform?("0x1FF").should == [true, 511] - end - - it "defaults to a string for a number that resembles octal format but is not" do - subject.transform?("09").should be_false - end - - it "correctly parses 0 in decimal" do - subject.transform?("0").should == [true, 0] - end - - it "defaults to a string for a number that resembles hexadecimal format but is not" do - subject.transform?("0x1G").should be_false - end - - it "correctly parses all formats in the YAML spec" do - # canonical - subject.transform?("685230").should == [true, 685230] - - # decimal - subject.transform?("+685_230").should == [true, 685230] - - # octal - subject.transform?("02472256").should == [true, 685230] - - # hexadecimal: - subject.transform?("0x_0A_74_AE").should == [true, 685230] - - # binary - subject.transform?("0b1010_0111_0100_1010_1110").should == [true, 685230] - - # sexagesimal - subject.transform?("190:20:30").should == [true, 685230] - end -end diff --git a/lib/puppet/vendor/safe_yaml/spec/transform/to_symbol_spec.rb b/lib/puppet/vendor/safe_yaml/spec/transform/to_symbol_spec.rb deleted file mode 100644 index aaa33390c..000000000 --- a/lib/puppet/vendor/safe_yaml/spec/transform/to_symbol_spec.rb +++ /dev/null @@ -1,49 +0,0 @@ -require File.join(File.dirname(__FILE__), "..", "spec_helper") - -describe SafeYAML::Transform::ToSymbol do - def with_symbol_deserialization_value(value) - symbol_deserialization_flag = SafeYAML::OPTIONS[:deserialize_symbols] - SafeYAML::OPTIONS[:deserialize_symbols] = value - - yield - - ensure - SafeYAML::OPTIONS[:deserialize_symbols] = symbol_deserialization_flag - end - - def with_symbol_deserialization(&block) - with_symbol_deserialization_value(true, &block) - end - - def without_symbol_deserialization(&block) - with_symbol_deserialization_value(false, &block) - end - - it "returns true when the value matches a valid Symbol" do - with_symbol_deserialization { subject.transform?(":foo")[0].should be_true } - end - - it "returns true when the value matches a valid String+Symbol" do - with_symbol_deserialization { subject.transform?(':"foo"')[0].should be_true } - end - - it "returns false when symbol deserialization is disabled" do - without_symbol_deserialization { subject.transform?(":foo").should be_false } - end - - it "returns false when the value does not match a valid Symbol" do - with_symbol_deserialization { subject.transform?("foo").should be_false } - end - - it "returns false when the symbol does not begin the line" do - with_symbol_deserialization do - subject.transform?("NOT A SYMBOL\n:foo").should be_false - end - end - - it "returns false when the symbol does not end the line" do - with_symbol_deserialization do - subject.transform?(":foo\nNOT A SYMBOL").should be_false - end - end -end diff --git a/lib/puppet/vendor/safe_yaml_patches.rb b/lib/puppet/vendor/safe_yaml_patches.rb deleted file mode 100644 index 8c4763e72..000000000 --- a/lib/puppet/vendor/safe_yaml_patches.rb +++ /dev/null @@ -1,9 +0,0 @@ -module SafeYAML - class Parse - class Date - def self.value(value) - Time.parse(value) - end - end - end -end