* ext/psych/parser.c (parse): strings from psych have proper taint

markings. * test/psych/test_tainted.rb: test for string taint git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@31317 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2011-04-21 19:17:46 +00:00 · 2011-04-21 19:17:46 +00:00 · 8968bd14fa
commit 8968bd14fa
parent 0efb462a50
3 changed files with 149 additions and 0 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+Fri Apr 22 04:16:14 2011  Aaron Patterson <aaron@tenderlovemaking.com>
+
+	* ext/psych/parser.c (parse): strings from psych have proper taint
+	  markings.
+
+	* test/psych/test_tainted.rb: test for string taint
+
 Thu Apr 21 01:30:02 2011  NARUSE, Yui  <naruse@ruby-lang.org>

 	* random.c (rb_f_srand): fix rdoc: srand(0)'s 0 is a seed.
--- a/ext/psych/parser.c
+++ b/ext/psych/parser.c
@ -73,6 +73,7 @@ static VALUE parse(VALUE self, VALUE yaml)
    yaml_parser_t * parser;
    yaml_event_t event;
    int done = 0;
+    int tainted = 0;
 #ifdef HAVE_RUBY_ENCODING_H
    int encoding = rb_utf8_encindex();
    rb_encoding * internal_enc = rb_default_internal_encoding();
@ -81,8 +82,11 @@ static VALUE parse(VALUE self, VALUE yaml)

    Data_Get_Struct(self, yaml_parser_t, parser);

+    if (OBJ_TAINTED(yaml)) tainted = 1;
+
    if(rb_respond_to(yaml, id_read)) {
 	yaml_parser_set_input(parser, io_reader, (void *)yaml);
+	if (RTEST(rb_obj_is_kind_of(yaml, rb_cIO))) tainted = 1;
    } else {
 	StringValue(yaml);
 	yaml_parser_set_input_string(
@ -140,6 +144,7 @@ static VALUE parse(VALUE self, VALUE yaml)
 			VALUE prefix = Qnil;
 			if(start->handle) {
 			    handle = rb_str_new2((const char *)start->handle);
+			    if (tainted) OBJ_TAINT(handle);
 #ifdef HAVE_RUBY_ENCODING_H
 			    PSYCH_TRANSCODE(handle, encoding, internal_enc);
 #endif
@ -147,6 +152,7 @@ static VALUE parse(VALUE self, VALUE yaml)

 			if(start->prefix) {
 			    prefix = rb_str_new2((const char *)start->prefix);
+			    if (tainted) OBJ_TAINT(prefix);
 #ifdef HAVE_RUBY_ENCODING_H
 			    PSYCH_TRANSCODE(prefix, encoding, internal_enc);
 #endif
@ -171,6 +177,7 @@ static VALUE parse(VALUE self, VALUE yaml)
 		VALUE alias = Qnil;
 		if(event.data.alias.anchor) {
 		    alias = rb_str_new2((const char *)event.data.alias.anchor);
+		    if (tainted) OBJ_TAINT(alias);
 #ifdef HAVE_RUBY_ENCODING_H
 		    PSYCH_TRANSCODE(alias, encoding, internal_enc);
 #endif
@ -188,6 +195,7 @@ static VALUE parse(VALUE self, VALUE yaml)
 		    (const char *)event.data.scalar.value,
 		    (long)event.data.scalar.length
 		    );
+		if (tainted) OBJ_TAINT(val);

 #ifdef HAVE_RUBY_ENCODING_H
 		PSYCH_TRANSCODE(val, encoding, internal_enc);
@ -195,6 +203,7 @@ static VALUE parse(VALUE self, VALUE yaml)

 		if(event.data.scalar.anchor) {
 		    anchor = rb_str_new2((const char *)event.data.scalar.anchor);
+		    if (tainted) OBJ_TAINT(anchor);
 #ifdef HAVE_RUBY_ENCODING_H
 		    PSYCH_TRANSCODE(anchor, encoding, internal_enc);
 #endif
@ -202,6 +211,7 @@ static VALUE parse(VALUE self, VALUE yaml)

 		if(event.data.scalar.tag) {
 		    tag = rb_str_new2((const char *)event.data.scalar.tag);
+		    if (tainted) OBJ_TAINT(tag);
 #ifdef HAVE_RUBY_ENCODING_H
 		    PSYCH_TRANSCODE(tag, encoding, internal_enc);
 #endif
@ -226,6 +236,7 @@ static VALUE parse(VALUE self, VALUE yaml)
 		VALUE implicit, style;
 		if(event.data.sequence_start.anchor) {
 		    anchor = rb_str_new2((const char *)event.data.sequence_start.anchor);
+		    if (tainted) OBJ_TAINT(anchor);
 #ifdef HAVE_RUBY_ENCODING_H
 		    PSYCH_TRANSCODE(anchor, encoding, internal_enc);
 #endif
@ -234,6 +245,7 @@ static VALUE parse(VALUE self, VALUE yaml)
 		tag = Qnil;
 		if(event.data.sequence_start.tag) {
 		    tag = rb_str_new2((const char *)event.data.sequence_start.tag);
+		    if (tainted) OBJ_TAINT(tag);
 #ifdef HAVE_RUBY_ENCODING_H
 		    PSYCH_TRANSCODE(tag, encoding, internal_enc);
 #endif
@ -258,6 +270,7 @@ static VALUE parse(VALUE self, VALUE yaml)
 		VALUE implicit, style;
 		if(event.data.mapping_start.anchor) {
 		    anchor = rb_str_new2((const char *)event.data.mapping_start.anchor);
+		    if (tainted) OBJ_TAINT(anchor);
 #ifdef HAVE_RUBY_ENCODING_H
 		    PSYCH_TRANSCODE(anchor, encoding, internal_enc);
 #endif
@ -265,6 +278,7 @@ static VALUE parse(VALUE self, VALUE yaml)

 		if(event.data.mapping_start.tag) {
 		    tag = rb_str_new2((const char *)event.data.mapping_start.tag);
+		    if (tainted) OBJ_TAINT(tag);
 #ifdef HAVE_RUBY_ENCODING_H
 		    PSYCH_TRANSCODE(tag, encoding, internal_enc);
 #endif
--- a/test/psych/test_tainted.rb
+++ b/test/psych/test_tainted.rb
@ -0,0 +1,128 @@
+require 'psych/helper'
+
+module Psych
+  class TestStringTainted < TestCase
+    class Tainted < Handler
+      attr_reader :tc
+
+      def initialize tc
+        @tc = tc
+      end
+
+      def start_document version, tags, implicit
+        tags.flatten.each do |tag|
+          assert_taintedness tag
+        end
+      end
+
+      def alias name
+        assert_taintedness name
+      end
+
+      def scalar value, anchor, tag, plain, quoted, style
+        assert_taintedness value
+        assert_taintedness tag if tag
+        assert_taintedness anchor if anchor
+      end
+
+      def start_sequence anchor, tag, implicit, style
+        assert_taintedness tag if tag
+        assert_taintedness anchor if anchor
+      end
+
+      def start_mapping anchor, tag, implicit, style
+        assert_taintedness tag if tag
+        assert_taintedness anchor if anchor
+      end
+
+      def assert_taintedness thing, message = "'#{thing}' should be tainted"
+        tc.assert thing.tainted?, message
+      end
+    end
+
+    class Untainted < Tainted
+      def assert_taintedness thing, message = "'#{thing}' should not be tainted"
+        tc.assert !thing.tainted?, message
+      end
+    end
+
+
+    def setup
+      handler = Tainted.new self
+      @parser = Psych::Parser.new handler
+    end
+
+    def test_tags_are_tainted
+      assert_taintedness "%TAG !yaml! tag:yaml.org,2002:\n---\n!yaml!str \"foo\""
+    end
+
+    def test_alias
+      assert_taintedness  "--- &ponies\n- foo\n- *ponies"
+    end
+
+    def test_scalar
+      assert_taintedness "--- ponies"
+    end
+
+    def test_anchor
+      assert_taintedness "--- &hi ponies"
+    end
+
+    def test_scalar_tag
+      assert_taintedness "--- !str ponies"
+    end
+
+    def test_seq_start_tag
+      assert_taintedness "--- !!seq [ a ]"
+    end
+
+    def test_seq_start_anchor
+      assert_taintedness "--- &zomg [ a ]"
+    end
+
+    def test_seq_mapping_tag
+      assert_taintedness "--- !!map { a: b }"
+    end
+
+    def test_seq_mapping_anchor
+      assert_taintedness "--- &himom { a: b }"
+    end
+
+    def assert_taintedness string
+      @parser.parse string.taint
+    end
+  end
+
+  class TestStringUntainted < TestStringTainted
+    def setup
+      handler = Untainted.new self
+      @parser = Psych::Parser.new handler
+    end
+
+    def assert_taintedness string
+      @parser.parse string
+    end
+  end
+
+  class TestStringIOUntainted < TestStringTainted
+    def setup
+      handler = Untainted.new self
+      @parser = Psych::Parser.new handler
+    end
+
+    def assert_taintedness string
+      @parser.parse StringIO.new(string)
+    end
+  end
+
+  class TestIOTainted < TestStringTainted
+    def assert_taintedness string
+      t = Tempfile.new(['something', 'yml'])
+      t.binmode
+      t.write string
+      t.close
+      File.open(t.path) { |f| @parser.parse f }
+      t.close(true)
+    end
+  end
+end