Age | Commit message | Author | |
---|---|---|---|
2021-05-13 | Use Psych.safe_load by default | Aaron Patterson | |
Psych.load is not safe for use with untrusted data. Too many applications make the mistake of using `Psych.load` with untrusted data and that ends up with some kind of security vulnerability. This commit changes the default `Psych.load` to use `safe_load`. Users that want to parse trusted data can use Psych.unsafe_load. | |||
2021-05-13 | Merge pull request #488 from ruby/add-unsafe | Aaron Patterson | |
Introduce `Psych.unsafe_load` | |||
2021-05-13 | Introduce `Psych.unsafe_load` | Aaron Patterson | |
In future versions of Psych, the `load` method will be mostly the same as the `safe_load` method. In other words, the `load` method won't allow arbitrary object deserialization (which can be used to escalate to an RCE). People that need to load *trusted* documents can use the `unsafe_load` method. This commit introduces the `unsafe_load` method so that people can incrementally upgrade. For example, if they try to upgrade to 4.0.0 and something breaks, they can downgrade, audit callsites, change to `safe_load` or `unsafe_load` as required, and then upgrade to 4.0.0 smoothly. | |||
2021-05-10 | Merge pull request #475 from whitehat101/feature/dynamic-scalar-seq-style | Aaron Patterson | |
feat: allow scalars and sequences to be styled when dumped | |||
2021-05-10 | Merge pull request #480 from Shopify/symbolize-name-non-string-keys | Hiroshi SHIBATA | |
Fix symbolize_name with non-string keys | |||
2021-05-10 | Text files should end with a newline | Nobuyoshi Nakada | |
2021-05-10 | Fix -Wundef warnings for patterns `#if HAVE` | Benoit Daloze | |
* See [Feature #17752] * Using this to detect them: git grep -P 'if\s+HAVE' | grep -Pv 'HAVE_LONG_LONG|/ChangeLog|HAVE_TYPEOF' | |||
2021-05-10 | Use assert_raise instead of assert_raises | Hiroshi SHIBATA | |
2021-05-10 | Merge pull request #486 from ruby/avoid-yaml-float-conversion | Hiroshi SHIBATA | |
CI - YAML: Avoid 3.0 -> "3" conversion | |||
2021-05-10 | CI - YAML: Avoid 3.0 -> "3" conversion | Olle Jonsson | |
2021-05-10 | Merge pull request #485 from ruby/test-unit | Hiroshi SHIBATA | |
Use test-unit instead of minitest | |||
2021-05-10 | Removed needless platform detection | Hiroshi SHIBATA | |
2021-05-10 | Import test assertions from ruby/ruby | Hiroshi SHIBATA | |
2021-05-10 | Added 3.0 to GitHub Actions | Hiroshi SHIBATA | |
2021-05-10 | Use pend instead of skip | Hiroshi SHIBATA | |
2021-05-10 | Fixed test-case for NaN | Hiroshi SHIBATA | |
2021-05-10 | Use Ractor constant for ignoring condition | Hiroshi SHIBATA | |
2021-05-10 | Use test-unit instead of minitest | Hiroshi SHIBATA | |
2021-04-26 | Merge pull request #484 from kamipo/fix_typos | Hiroshi SHIBATA | |
Fix some typos [ci skip] | |||
2021-04-26 | Fix some typos [ci skip] | Ryuta Kamizono | |
2021-02-25 | Fix symbolize_name with non-string keys | Jean Boussier | |
2021-02-24 | bump version | Aaron Patterson | |
2021-02-24 | Merge pull request #476 from Shopify/symbolize-name-ruby-object | Aaron Patterson | |
Fix custom marshalization with symbolize_names: true | |||
2021-02-23 | Update to latest SnakeYAML | Charles Oliver Nutter | |
Fixes jruby/jruby#6365 | |||
2021-02-15 | Fix custom marshalization with symbolize_names: true | Jean Boussier | |
2021-02-07 | feat: allow scalars and sequences to be styled when dumped | Jeremy Ebler | |
2021-02-06 | Merge pull request #470 from timgates42/bugfix_typo_expressed | Hiroshi SHIBATA | |
docs: fix simple typo, expessed -> expressed | |||
2021-01-30 | Merge pull request #474 from Shopify/cache-load-types-in-to-ruby | Marc-André Lafortune | |
Avoid repeated access to Ractor.current | |||
2021-01-30 | Cache dispatch cache in an instance variable | Jean Boussier | |
2021-01-30 | Cache access to Psych.load_tags in Visitor::ToRuby | Jean Boussier | |
2020-12-23 | Bump version to 3.3.0 | Hiroshi SHIBATA | |
2020-12-23 | Merge pull request #471 from ruby/ractor | Hiroshi SHIBATA | |
Ractor support | |||
2020-12-23 | Skip test_ractor.rb with ruby/psych repo | Hiroshi SHIBATA | |
Because ruby/psych still uses minitest. minitest didn't support assert_ractor provided by test suite of ruby/ruby repo. | |||
2020-12-23 | [ruby/psych] Optimize cache with `compare_by_identity` | Marc-Andre Lafortune | |
Using `compare_by_identity` gives a 4x performance boost on cache hits. Benchmark in https://github.com/JuanitoFatas/fast-ruby/issues/189 | |||
2020-12-23 | [ruby/psych] Make Ractor-ready. | Marc-Andre Lafortune | |
Config is Ractor-local. Benchmarking reveals that using `Ractor.local_storage` for storing cache is similar to accessing a constant (~15% slower). | |||
2020-12-23 | [ruby/psych] Don't use instance variables directly for config | Marc-Andre Lafortune | |
2020-12-23 | [ruby/psych] Avoid methods depending on bindings | Marc-Andre Lafortune | |
Improves Ractor-readiness. | |||
2020-12-23 | [ruby/psych] Freeze constants. | Marc-Andre Lafortune | |
Improves Ractor-readiness. | |||
2020-12-21 | Strip trailing spaces [ci skip] | Nobuyoshi Nakada | |
2020-12-18 | docs: fix simple typo, expessed -> expressed | Tim Gates | |
There is a small typo in ext/psych/yaml/yaml.h. Should read `expressed` rather than `expessed`. | |||
2020-12-14 | Bump version to 3.2.1 | Hiroshi SHIBATA | |
2020-12-14 | Merge pull request #459 from tbrisker/patch-1 | Hiroshi SHIBATA | |
Remove unneeded assignment and condition | |||
2020-11-18 | Merge pull request #469 from marcandre/safety_first | Aaron Patterson | |
Add `Psych.safe_load_file`. Tweak doc to provide `safe_` examples. | |||
2020-11-12 | Add `Psych.safe_load_file`. Tweak doc to provide `safe_` examples. | Marc-Andre Lafortune | |
2020-09-25 | Removed nonsense `rubygems_version` in input gemspec files | Nobuyoshi Nakada | |
As it is ignored and set at building packages automatically, it is just nonsense to set in gemspec file for input. | |||
2020-09-10 | Merge pull request #463 from Shopify/load-file-options | Aaron Patterson | |
Forward keyword arguments in load_file and load_stream | |||
2020-09-10 | Forward keyword arguments in load_file and load_stream | Jean Boussier | |
2020-08-01 | Remove unneeded assignment and condition | Tomer Brisker | |
Since we already `return fallback` if `result` is falsy, we don't need to check again if it's truthy and reassign the `to_ruby` result. | |||
2020-07-18 | Bump version to 3.2.0 | Hiroshi SHIBATA | |
2020-07-16 | Merge pull request #458 from headius/remove_private_iv_get | Charles Oliver Nutter | |
Remove private_iv_get |