yaml.safeLoad()

Fixes #65
jxson · May 15, 2020 · 1d9094f · 1d9094f
1 parent c50fd45
commit 1d9094f
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 7 deletions.
diff --git a/examples/unsafe.md b/examples/unsafe.md
@@ -0,0 +1,5 @@
+---
+"toString": !<tag:yaml.org,2002:js/function> "function (){very_evil_thing();}"
+---
+
+Hi there!
diff --git a/index.js b/index.js
@@ -16,12 +16,12 @@ var regex = new RegExp(pattern, 'm')
 module.exports = extractor
 module.exports.test = test
 
-function extractor (string) {
+function extractor (string, allowUnsafe = false) {
   string = string || ''
 
   var lines = string.split(/(\r?\n)/)
   if (lines[0] && /= yaml =|---/.test(lines[0])) {
-    return parse(string)
+    return parse(string, allowUnsafe)
   } else {
     return {
       attributes: {},
@@ -47,7 +47,7 @@ function computeLocation (match, body) {
   return line
 }
 
-function parse (string) {
+function parse (string, allowUnsafe) {
   var match = regex.exec(string)
   if (!match) {
     return {
@@ -57,8 +57,9 @@ function parse (string) {
     }
   }
 
+  var loader = allowUnsafe ? parser.load : parser.safeLoad
   var yaml = match[match.length - 1].replace(/^\s+|\s+$/g, '')
-  var attributes = parser.load(yaml) || {}
+  var attributes = loader(yaml) || {}
   var body = string.replace(match[0], '')
   var line = computeLocation(match, string)
 

diff --git a/package.json b/package.json
@@ -37,6 +37,7 @@
     "Kai Davenport <kaiyadavenport@gmail.com> (https://github.com/binocarlos)",
     "Jean-Philippe Monette <contact@jpmonette.net> (https://github.com/jpmonette)",
     "Marc-André Arseneault <marc-andre@arsnl.ca> (https://github.com/arsnl)",
-    "Bret Comnes <bcomnes@gmail.com> (http://bret.io)"
+    "Bret Comnes <bcomnes@gmail.com> (http://bret.io)",
+    "Peter Bengtsson <mail@peterbe.com> (https://github.com/peterbe)"
   ]
 }
diff --git a/test/index.js b/test/index.js
@@ -101,6 +101,19 @@ test('fm(string) - string missing body', function (t) {
     })
 })
 
+test('fm(string) - insecure yaml', function (t) {
+  fs.readFile(
+    path.resolve(__dirname, '../examples/unsafe.md'),
+    'utf8',
+    function (err, data) {
+      t.error(err, 'read(...) should not error')
+      t.throws(() => {
+        fm(data)
+      }, /YAMLException/)
+      t.end()
+    })
+})
+
 test('fm(string) - wrapped test in yaml', function (t) {
   fs.readFile(
     path.resolve(__dirname, '../examples/wrapped-text.md'),
@@ -154,13 +167,13 @@ test('fm(string) - no front matter, markdown with hr', function (t) {
     })
 })
 
-test('fm(string) - complex yaml', function (t) {
+test('fm(string, true) - complex yaml', function (t) {
   fs.readFile(
     path.resolve(__dirname, '../examples/complex-yaml.md'),
     'utf8',
     function (err, data) {
       t.error(err, 'read(...) should not error')
-      var content = fm(data)
+      var content = fm(data, true)
       t.ok(content.attributes, 'should have `attributes` key')
       t.equal(content.attributes.title, 'This is a title!')
       t.equal(content.attributes.contact, null)