
Patch against RCE

Use SafeYAML to prevent RCE.
ilpianista committed Mar 3, 2019
1 parent 6409679 commit bab6ecdb2cedac3f8d9dcfca33f4effb4abe73c9
Showing with 19 additions and 12 deletions.
  1. +2 −1 Gemfile
  2. +2 −0 Gemfile.lock
  3. +3 −2 builder
  4. +7 −6 src/base16_repository.rb
  5. +3 −2 src/scheme.rb
  6. +2 −1 src/template.rb
@@ -5,4 +5,5 @@ gem "mustache", "~> 1.0"
gem "slugify"
gem "chroma"
gem "thor"
gem "parallel"
gem "parallel"
gem "safe_yaml"
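Review bot: The new `gem "safe_yaml"` line carries no version constraint, while the hunk header shows the project already constrains `gem "mustache", "~> 1.0"`; for a gem that is being added specifically to enforce a security property, the constraint matters more, not less. Gemfile.lock resolves it to 1.0.5 today, but an unconstrained `bundle update` later could move to any future major version with different safe-mode defaults. Suggest `gem "safe_yaml", "~> 1.0"`.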
@@ -5,6 +5,7 @@ GEM
git (1.3.0)
mustache (1.0.3)
parallel (1.11.1)
safe_yaml (1.0.5)
slugify (1.0.7)
thor (0.19.4)

@@ -16,6 +17,7 @@ DEPENDENCIES
git
mustache (~> 1.0)
parallel
safe_yaml
slugify
thor

@@ -1,6 +1,7 @@
#!/usr/bin/env ruby
require "thor"
require "parallel"
require "safe_yaml"

Dir["src/*.rb"].each { |file| require_relative file }

@@ -24,8 +25,8 @@ class Builder < Thor
schemes_repo.update
templates_repo.update

schemes_list = YAML.load(File.read("sources/schemes/list.yaml"))
templates_list = YAML.load(File.read("sources/templates/list.yaml"))
schemes_list = YAML.load(File.read("sources/schemes/list.yaml"), :safe => true)
templates_list = YAML.load(File.read("sources/templates/list.yaml"), :safe => true)

Parallel.each(schemes_list, in_processes: PROCESS_COUNT) do |k, v|
repo = Base16Repository.new(path: "schemes", name: k, url: v)
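Review bot: The `:safe => true` option on the two rewritten `YAML.load` calls only has an effect because `require "safe_yaml"` (added in the first hunk of this file) replaces `YAML.load` process-wide; plain Psych has no such option, and depending on the Psych version a stray options hash would either be rejected as an unknown argument or quietly treated as the filename, so each call site's safety hinges on that require having run first and the patch staying in place for every gem in the process. Psych already ships `YAML.safe_load`, which gives the same protection without a third-party gem or a global monkey-patch: `schemes_list = YAML.safe_load(File.read("sources/schemes/list.yaml"))` and likewise for `templates_list`. The same applies to the `YAML.load(..., :safe => true)` calls in src/base16_repository.rb, src/scheme.rb and src/template.rb. One caveat before switching: `safe_load` rejects YAML anchors/aliases unless they are explicitly permitted, so check whether any of the list or scheme files use them. The enclosing Builder command method starts before this hunk.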
@@ -1,4 +1,5 @@
require "git"
require "safe_yaml"

class Base16Repository

@@ -8,16 +9,16 @@ class Base16Repository
attr_accessor :repo_path

def self.repo_from_sources_yaml(key:)
yaml = YAML.load(File.read(@@sources_filename))
yaml = YAML.load(File.read(@@sources_filename), :safe => true)
url = yaml[key]

return nil unless url

repo = Base16Repository.new(path: @@sources_dir,
name: key,
url: url)
end

def self.schemes_repo
repo_from_sources_yaml(key: "schemes")
end
@@ -63,11 +64,11 @@ def is_template_list_repo?

def scheme_repo_urls
return nil unless exists? && is_scheme_list_repo?
YAML.load(File.read("#{@repo_path}/list.yaml"))
YAML.load(File.read("#{@repo_path}/list.yaml"), :safe => true)
end

def template_repo_urls
return nil unless exists? && is_template_list_repo?
YAML.load(File.read("#{@repo_path}/list.yaml"))
YAML.load(File.read("#{@repo_path}/list.yaml"), :safe => true)
end
end
end
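Review bot: After the switch to safe loading, `scheme_repo_urls` and `template_repo_urls` still return whatever document `#{@repo_path}/list.yaml` happens to contain, and that path appears to be a git checkout of a remote repository (the class wraps `git` and is constructed with a `url:`); safe mode stops arbitrary object deserialization, but a scalar or array document would still flow out to callers that expect a hash of name => url pairs (the builder hunk iterates the result as `|k, v|`). A structural check keeps the failure local and readable: `urls = YAML.load(File.read("#{@repo_path}/list.yaml"), :safe => true)` followed by `urls.is_a?(Hash) ? urls : nil`, in both methods. `repo_from_sources_yaml` in the second hunk does the same unchecked `yaml[key]` access on a locally controlled file, and `Scheme#initialize` in src/scheme.rb and `Template#initialize` in src/template.rb index the loaded document the same way on files that also come from the cloned repositories.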
@@ -1,4 +1,5 @@
require "slugify"
require "safe_yaml"

class Scheme

@@ -17,7 +18,7 @@ def self.load_schemes
end

def initialize(file_path:)
yaml = YAML.load(File.read(file_path))
yaml = YAML.load(File.read(file_path), :safe => true)
filename = File.basename(file_path, ".yaml")

@author = yaml["author"]
@@ -32,4 +33,4 @@ def initialize(file_path:)
@bases[key] = yaml[key]
end
end
end
end
@@ -1,5 +1,6 @@
require "mustache"
require "chroma"
require "safe_yaml"

class Template

@@ -16,7 +17,7 @@ def self.load_templates

def initialize(template_dir:, config_file:)
@template_dir = template_dir
@config = YAML.load(File.read(config_file))
@config = YAML.load(File.read(config_file), :safe => true)

end
