Handle malformed/unknown YAML Platform fields

Author: hsbt

lib/rubygems/yaml_serializer.rb

@@ -482,9 +482,22 @@ def build_version(node)
         Gem::Version.new((hash["version"] || hash["value"]).to_s)
       end
 
+      PLATFORM_FIELDS = %w[cpu os version].freeze
+
       def build_platform(node)
         hash = pairs_to_hash(node)
-        Gem::Platform.new([hash["cpu"], hash["os"], hash["version"]])
+        if (hash.keys & PLATFORM_FIELDS).any?
+          Gem::Platform.new([hash["cpu"], hash["os"], hash["version"]])
+        elsif hash["value"].is_a?(Array)
+          # Malformed platform (e.g. sequence instead of mapping).
+          # Return the raw value so yaml_initialize handles it like Psych does.
+          hash["value"]
+        else
+          # Unknown fields: set as instance variables like Psych's init_with
+          plat = Gem::Platform.allocate
+          hash.each {|k, v| plat.instance_variable_set(:"@#{k}", v) }
+          plat
+        end
       end
 
       def build_requirement(node)

test/rubygems/test_gem_safe_yaml.rb

@@ -923,6 +923,14 @@ def test_load_platform_from_cpu_os_version_fields
     assert_equal "darwin", plat.os
   end
 
+  def test_load_platform_malicious_sequence
+
+    yaml = "!ruby/object:Gem::Platform\n- \"x86-mswin32\\n system('id')#\"\n"
+    result = yaml_load(yaml, permitted_classes: Gem::SafeYAML::PERMITTED_CLASSES)
+    refute_kind_of Gem::Platform, result
+    assert_kind_of Array, result
+  end
+
   def test_load_dependency_missing_requirement_uses_default
 
     yaml = <<~YAML