diff --git a/jekyll.gemspec b/jekyll.gemspec
index 0de0c969d..86cbd1e81 100644
--- a/jekyll.gemspec
+++ b/jekyll.gemspec
@@ -30,6 +30,7 @@ Gem::Specification.new do |s|
 s.add_runtime_dependency('kramdown', "~> 0.13.4")
 s.add_runtime_dependency('pygments.rb', "~> 0.3.2")
 s.add_runtime_dependency('commander', "~> 4.1.3")
+ s.add_runtime_dependency('safe_yaml', "~> 0.4")

 s.add_development_dependency('rake', "~> 0.9")
 s.add_development_dependency('rdoc', "~> 3.11")
diff --git a/lib/jekyll.rb b/lib/jekyll.rb
index 477247dd1..2c1ab0e63 100644
--- a/lib/jekyll.rb
+++ b/lib/jekyll.rb
@@ -18,7 +18,7 @@ require 'rubygems'
 # stdlib
 require 'fileutils'
 require 'time'
-require 'yaml'
+require 'safe_yaml'
 require 'English'

 # 3rd party
diff --git a/lib/jekyll/migrators/drupal.rb b/lib/jekyll/migrators/drupal.rb
index 7fd16aef1..6acd5de02 100644
--- a/lib/jekyll/migrators/drupal.rb
+++ b/lib/jekyll/migrators/drupal.rb
@@ -1,7 +1,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'

 # NOTE: This converter requires Sequel and the MySQL gems.
 # The MySQL gem can be difficult to install on OS X. Once you have MySQL
diff --git a/lib/jekyll/migrators/joomla.rb b/lib/jekyll/migrators/joomla.rb
index 87f1e105d..c7e724761 100644
--- a/lib/jekyll/migrators/joomla.rb
+++ b/lib/jekyll/migrators/joomla.rb
@@ -1,7 +1,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'

 # NOTE: This migrator is made for Joomla 1.5 databases.
 # NOTE: This converter requires Sequel and the MySQL gems.
diff --git a/lib/jekyll/migrators/marley.rb b/lib/jekyll/migrators/marley.rb
index 21bcead5d..3aa74f49b 100644
--- a/lib/jekyll/migrators/marley.rb
+++ b/lib/jekyll/migrators/marley.rb
@@ -1,4 +1,4 @@
-require 'yaml'
+require 'safe_yaml'
 require 'fileutils'

 module Jekyll
diff --git a/lib/jekyll/migrators/mt.rb b/lib/jekyll/migrators/mt.rb
index 048c84dbd..09d89a792 100644
--- a/lib/jekyll/migrators/mt.rb
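Review bot: The added constraint `s.add_runtime_dependency('safe_yaml', "~> 0.4")` admits every 0.x release from 0.4 upward, and the whole protection this commit buys rests on how that gem's `require` redefines `YAML.load` by default — behaviour I would expect to have shifted across 0.x releases (confirm against the gem's changelog before relying on it). A tighter pin such as `"~> 0.4.0"`, or an explicit safe mode set where the gem is required, would stop a routine dependency update from silently changing what Jekyll's YAML parsing does. Since this line is the only place the dependency is declared, a short comment next to it stating that it exists to block Ruby-object deserialization from front matter would keep a future maintainer from "cleaning it up".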
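Review bot: The swap to `require 'safe_yaml'` makes front-matter parsing safe only as a side effect of the gem globally redefining `YAML.load`; as far as this hunk shows, the call sites (`read_yaml`, the config loader — outside the hunk) are untouched, so nothing in Jekyll's own code records that untrusted YAML must not instantiate Ruby objects, and the guarantee evaporates if any loaded plugin or gem flips safe_yaml back to unsafe mode. I would make the intent explicit at the parse sites with the `YAML.safe_load` the gem provides and, if the pinned version supports it, set `SafeYAML::OPTIONS[:default_mode] = :safe` right after this require. YAML reached through other entry points — `YAML.load_file`, `YAML.load_documents`, or `Psych` directly — should be audited, since I cannot tell from here whether safe_yaml 0.4 wraps them. Minor: the line now sits under the `# stdlib` comment while the gem is third-party; moving it under `# 3rd party` (the comment at the end of the hunk) keeps the grouping honest.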
+++ b/lib/jekyll/migrators/mt.rb
@@ -5,7 +5,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'

 # NOTE: This converter requires Sequel and the MySQL gems.
 # The MySQL gem can be difficult to install on OS X. Once you have MySQL
diff --git a/lib/jekyll/migrators/rss.rb b/lib/jekyll/migrators/rss.rb
index 461abd358..fec3d07c9 100644
--- a/lib/jekyll/migrators/rss.rb
+++ b/lib/jekyll/migrators/rss.rb
@@ -13,7 +13,7 @@ require 'rss/1.0'
 require 'rss/2.0'
 require 'open-uri'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'

 module Jekyll
 module MigrateRSS
diff --git a/lib/jekyll/migrators/textpattern.rb b/lib/jekyll/migrators/textpattern.rb
index 3b370ed96..9eca25308 100644
--- a/lib/jekyll/migrators/textpattern.rb
+++ b/lib/jekyll/migrators/textpattern.rb
@@ -1,7 +1,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'

 # NOTE: This converter requires Sequel and the MySQL gems.
 # The MySQL gem can be difficult to install on OS X. Once you have MySQL
diff --git a/lib/jekyll/migrators/typo.rb b/lib/jekyll/migrators/typo.rb
index adb8be96f..0bf584563 100644
--- a/lib/jekyll/migrators/typo.rb
+++ b/lib/jekyll/migrators/typo.rb
@@ -2,7 +2,7 @@
 require 'fileutils'
 require 'rubygems'
 require 'sequel'
-require 'yaml'
+require 'safe_yaml'

 module Jekyll
 module Typo
diff --git a/lib/jekyll/migrators/wordpress.rb b/lib/jekyll/migrators/wordpress.rb
index 61e00ad15..8d0ecf718 100644
--- a/lib/jekyll/migrators/wordpress.rb
+++ b/lib/jekyll/migrators/wordpress.rb
@@ -1,7 +1,7 @@
 require 'rubygems'
 require 'sequel'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'

 # NOTE: This converter requires Sequel and the MySQL gems.
 # The MySQL gem can be difficult to install on OS X. Once you have MySQL
diff --git a/lib/jekyll/migrators/wordpressdotcom.rb b/lib/jekyll/migrators/wordpressdotcom.rb
index 286c302fa..bf4233842 100644
--- a/lib/jekyll/migrators/wordpressdotcom.rb
+++ b/lib/jekyll/migrators/wordpressdotcom.rb
@@ -3,7 +3,7 @@
 require 'rubygems'
 require 'hpricot'
 require 'fileutils'
-require 'yaml'
+require 'safe_yaml'
 require 'time'

 module Jekyll
diff --git a/test/fixtures/exploit_front_matter.erb b/test/fixtures/exploit_front_matter.erb
new file mode 100644
index 000000000..604a7ae9b
--- /dev/null
+++ b/test/fixtures/exploit_front_matter.erb
@@ -0,0 +1,4 @@
+---
+test: !ruby/hash:DoesNotExist {}
+---
+Real content starts here
diff --git a/test/test_convertible.rb b/test/test_convertible.rb
index 82e4d27fd..3940f0309 100644
--- a/test/test_convertible.rb
+++ b/test/test_convertible.rb
@@ -29,6 +29,13 @@ class TestConvertible < Test::Unit::TestCase
 assert_match(/#{File.join(@base, name)}/, out)
 end

+ should "not allow ruby objects in yaml" do
+ out = capture_stdout do
+ @convertible.read_yaml(@base, 'exploit_front_matter.erb')
+ end
+ assert_no_match /undefined class\/module DoesNotExist/, out
+ end
+
 if RUBY_VERSION >= '1.9.2'
 should "not parse if there is encoding error in file" do
 name = 'broken_front_matter3.erb'
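Review bot: `assert_no_match /undefined class\/module DoesNotExist/, out` is a negative check on captured stdout, so it also passes if `read_yaml` raises before printing, writes the error to stderr, or if the Ruby in use words the deserialization error differently — none of which prove that the `!ruby/hash` tag was parsed safely. A positive assertion on the parsed value is stronger, e.g. `assert_kind_of Hash, @convertible.data['test']` after the `read_yaml` call (assuming `read_yaml` stores the front matter in `data` — confirm), together with `assert_equal '', out` if a clean parse is expected to print nothing. The fixture only names a class that does not exist; a second fixture tagging a class that does exist would show that no object is instantiated rather than merely that no load error is printed. Style: parenthesise the call as the sibling `assert_match(...)` at the top of the hunk does, since a bare regex literal after a method name draws Ruby's ambiguous-first-argument warning.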