diff --git a/README.md b/README.md
index fda896c..4e9fb24 100644
--- a/README.md
+++ b/README.md
@@ -72,7 +72,7 @@ And end up with an object like this:
 var fm = require('front-matter')
 ```
-## fm(string)
+## fm(string, allowUnsafe = false)
 Return a `content` object with two properties:
@@ -81,6 +81,9 @@ Return a `content` object with two properties:
 * `content.bodyBegin` contains the line number the body contents begins at
 * `content.frontmatter` contains the original yaml string contents
+**NOTE:** By default `fm()` uses `ys-yaml`'s `safeLoad` unless you set the
+optional second argument to true.
+
 # fm.test(string)
 Check if a string contains a front matter header of "---" or "= yaml =". Primarily used internally but is useful outside of the module.
diff --git a/examples/unsafe.md b/examples/unsafe.md
new file mode 100644
index 0000000..ecf63de
--- /dev/null
+++ b/examples/unsafe.md
@@ -0,0 +1,5 @@
+---
+"toString": ! "function (){very_evil_thing();}"
+---
+
+Hi there!
diff --git a/index.js b/index.js
index 7572fd6..244ad15 100644
--- a/index.js
+++ b/index.js
@@ -16,12 +16,12 @@ var regex = new RegExp(pattern, 'm')
 module.exports = extractor
 module.exports.test = test
-function extractor (string) {
+function extractor (string, allowUnsafe = false) {
 string = string || ''
 var lines = string.split(/(\r?\n)/)
 if (lines[0] && /= yaml =|---/.test(lines[0])) {
- return parse(string)
+ return parse(string, allowUnsafe)
 } else {
 return {
 attributes: {},
@@ -47,7 +47,7 @@ function computeLocation (match, body) {
 return line
 }
-function parse (string) {
+function parse (string, allowUnsafe) {
 var match = regex.exec(string)
 if (!match) {
 return {
@@ -57,8 +57,9 @@ function parse (string) {
 }
 }
+ var loader = allowUnsafe ? parser.load : parser.safeLoad
 var yaml = match[match.length - 1].replace(/^\s+|\s+$/g, '')
- var attributes = parser.load(yaml) || {}
+ var attributes = loader(yaml) || {}
 var body = string.replace(match[0], '')
 var line = computeLocation(match, string)
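Review bot: The new `allowUnsafe` parameter on `extractor` is undocumented in the code, so a reader of the signature cannot tell that a truthy value switches YAML parsing from the restricted loader to the one that accepts the full js-yaml schema. Add a header comment above the signature, e.g. `// allowUnsafe: when true, front matter is parsed with parser.load instead of parser.safeLoad; leave it false for documents from sources you do not control`. The default-parameter syntax is also the only ES2015 construct visible in a file otherwise written with `var`, which may matter if the package still supports older Node releases (the engines range is not in this diff). The body of `extractor` continues past the end of the hunk.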
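Review bot: `var loader = allowUnsafe ? parser.load : parser.safeLoad` treats any truthy argument as opt-in to the unrestricted loader, so a caller that forwards an options object or a non-empty string by mistake silently gets `parser.load`; comparing strictly, `var loader = allowUnsafe === true ? parser.load : parser.safeLoad`, keeps the unsafe path to an explicit boolean. The line also relies on `parser.safeLoad` existing, which holds for js-yaml 3.x but not for js-yaml 4, where `safeLoad` was removed and `load` became the restricted loader; the dependency version is not in this diff, so if an upgrade is planned the selection should be revisited then. A short why-comment on the line, `// safeLoad refuses the JavaScript-specific tags that load accepts; load is opt-in only`, would record why the default changed. `parse` continues past the end of the hunk.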
diff --git a/package.json b/package.json
index b1988a4..f31e586 100644
--- a/package.json
+++ b/package.json
@@ -40,6 +40,7 @@
 "Kai Davenport (https://github.com/binocarlos)",
 "Jean-Philippe Monette (https://github.com/jpmonette)",
 "Marc-André Arseneault (https://github.com/arsnl)",
- "Bret Comnes (http://bret.io)"
+ "Bret Comnes (http://bret.io)",
+ "Peter Bengtsson (https://github.com/peterbe)"
 ]
 }
diff --git a/test/index.js b/test/index.js
index 75e0950..2d35387 100644
--- a/test/index.js
+++ b/test/index.js
@@ -101,6 +101,19 @@ test('fm(string) - string missing body', function (t) {
 })
 })
+test('fm(string) - insecure yaml', function (t) {
+ fs.readFile(
+ path.resolve(__dirname, '../examples/unsafe.md'),
+ 'utf8',
+ function (err, data) {
+ t.error(err, 'read(...) should not error')
+ t.throws(() => {
+ fm(data)
+ }, /YAMLException/)
+ t.end()
+ })
+})
+
 test('fm(string) - wrapped test in yaml', function (t) {
 fs.readFile(
 path.resolve(__dirname, '../examples/wrapped-text.md'),
@@ -154,13 +167,13 @@ test('fm(string) - no front matter, markdown with hr', function (t) {
 })
 })
-test('fm(string) - complex yaml', function (t) {
+test('fm(string, true) - complex yaml', function (t) {
 fs.readFile(
 path.resolve(__dirname, '../examples/complex-yaml.md'),
 'utf8',
 function (err, data) {
 t.error(err, 'read(...) should not error')
- var content = fm(data)
+ var content = fm(data, true)
 t.ok(content.attributes, 'should have `attributes` key')
 t.equal(content.attributes.title, 'This is a title!')
 t.equal(content.attributes.contact, null)
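Review bot: The new `t.throws(() => { fm(data) }, /YAMLException/)` assertion carries no message, so a failure reports only the regex and the test name `'fm(string) - insecure yaml'` does not say what is expected of the default loader; give the assertion a message, `}, /YAMLException/, 'default (safe) loader rejects the tag in unsafe.md')`. The arrow function is also the only one in this file, whose other callbacks in the same hunk are written with `function`, so for consistency consider `t.throws(function () { fm(data) }, ...)`. A one-line comment above the test naming which construct in examples/unsafe.md the safe schema rejects would help the next maintainer who edits the fixture.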
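Review bot: Switching the complex-yaml test to `var content = fm(data, true)` is the only evidence in the diff that an existing example stops parsing under the new default, which is exactly the behaviour change downstream users will meet, yet nothing pins it. If `fm(data)` now throws for examples/complex-yaml.md (the file is not in this diff, so this is inferred), add `t.throws(function () { fm(data) }, /YAMLException/, 'complex-yaml.md needs allowUnsafe')` next to the existing `t.error` line so a future loader change that silently widens the safe schema is noticed. A short comment on the test stating which construct in the example requires the full schema would also explain why `true` is passed here and nowhere else.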