summaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2021-06-07Bump version to 4.0.1Hiroshi SHIBATA
2021-05-21Merge pull request #495 from Shopify/safe-dumpHEADmasterAaron Patterson
Implement YAML.safe_dump to make safe_load more usable.
2021-05-19Implement YAML.safe_dump to make safe_load more usable.Jean Boussier
In case where Psych is used as a two way serializers, e.g. to serialize some cache or config, it is preferable to have the same restrictions on both load and dump. Otherwise you might dump and persist some objects payloads that you later won't be able to read.
2021-05-17Make YAML.load_file use YAML.load instead of safe_loadYusuke Endoh
YAML.load and YAML.safe_load are different a little; the former allows Symbol by default but the latter doesn't. So YAML.load_file and YAML.safe_load_file should reflect the difference. Fixes #490
2021-05-13remove deprecated interfaceAaron Patterson
2021-05-13Bump versionAaron Patterson
2021-05-13Use Psych.safe_load by defaultAaron Patterson
Psych.load is not safe for use with untrusted data. Too many applications make the mistake of using `Psych.load` with untrusted data and that ends up with some kind of security vulnerability. This commit changes the default `Psych.load` to use `safe_load`. Users that want to parse trusted data can use Psych.unsafe_load.
2021-05-13Introduce `Psych.unsafe_load`Aaron Patterson
In future versions of Psych, the `load` method will be mostly the same as the `safe_load` method. In other words, the `load` method won't allow arbitrary object deserialization (which can be used to escalate to an RCE). People that need to load *trusted* documents can use the `unsafe_load` method. This commit introduces the `unsafe_load` method so that people can incrementally upgrade. For example, if they try to upgrade to 4.0.0 and something breaks, they can downgrade, audit callsites, change to `safe_load` or `unsafe_load` as required, and then upgrade to 4.0.0 smoothly.
2021-05-10Merge pull request #475 from whitehat101/feature/dynamic-scalar-seq-styleAaron Patterson
feat: allow scalars and sequences to be styled when dumped
2021-05-10Merge pull request #480 from Shopify/symbolize-name-non-string-keysHiroshi SHIBATA
Fix symbolize_name with non-string keys
2021-04-26Fix some typos [ci skip]Ryuta Kamizono
2021-02-25Fix symabolize_name with non-string keysJean Boussier
2021-02-24bump versionAaron Patterson
2021-02-24Merge pull request #476 from Shopify/symbolize-name-ruby-objectAaron Patterson
Fix custom marshalization with symbolize_names: true
2021-02-23Update to latest SnakeYAMLCharles Oliver Nutter
Fixes jruby/jruby#6365
2021-02-15Fix custom marshalization with symbolize_names: trueJean Boussier
2021-02-07feat: allow scalars and sequences to be styled when dumpedJeremy Ebler
2021-01-30Cache dispatch cache in an instance variableJean Boussier
2021-01-30Cache access to Psych.load_tags in Visitor::ToRubyJean Boussier
2020-12-23Bump version to 3.3.0Hiroshi SHIBATA
2020-12-23[ruby/psych] Optimize cache with `compare_by_identity`Marc-Andre Lafortune
Using `compare_by_identity` gives a 4x performance boost on cache hits. Benchmark in https://github.com/JuanitoFatas/fast-ruby/issues/189
2020-12-23[ruby/psych] Make Ractor-ready.Marc-Andre Lafortune
Config is Ractor-local. Benchmarking reveals that using `Ractor.local_storage` for storing cache is similar to accessing a constant (~15% slower).
2020-12-23[ruby/psych] Don't use instance variables directly for configMarc-Andre Lafortune
2020-12-23[ruby/psych] Avoid methods depending on bindingsMarc-Andre Lafortune
Improves Ractor-readiness.
2020-12-23[ruby/psych] Freeze constants.Marc-Andre Lafortune
Improves Ractor-readiness.
2020-12-14Bump version to 3.2.1Hiroshi SHIBATA
2020-12-14Merge pull request #459 from tbrisker/patch-1Hiroshi SHIBATA
Remove unneeded assignment and condition
2020-11-12Add `Psych.safe_load_file`. Tweak doc to provide `safe_` examples.Marc-Andre Lafortune
2020-09-10Forward keyword arguments in load_file and load_streamJean Boussier
2020-08-01Remove unneeded assignment and conditionTomer Brisker
Since we already `return fallback` if `result` is falsy, we don't need to check again if it's truthy and reassign the `to_ruby` result.
2020-07-18Bump version to 3.2.0Hiroshi SHIBATA
2020-07-16Remove private_iv_getCharles Oliver Nutter
The only remaining use of this function was to get the internal message object from an exception's hidden `mesg` instance variable to allow it to be dumped wiithout converting to a string. As discussed in #103, this exposes internal implementation details of CRuby, and ultimately does not provide any real utility to the user since they can't directly inspect this hidden variable. The test change here is to reflect CRuby behavior that denies equality if the internal message objects do not match, as is the case after the exception has been loaded and now has a simple String value. The impact to users is that exceptions with special hidden message objects will convert those objects to String during marshaling through YAML. I believe this only affects NameError and its descendants, since users can't set this field directly on their own exception types. Fixes #103.
2020-07-16Revert psych versionSzymonKowalczyk
2020-07-16Update SNAKEYAML CVE-2017-18640SzymonKowalczyk
to version 1.26
2020-06-08Fix anchor lookup with symbolized namesJean Boussier
2020-06-03Merge pull request #438 from mthorn/masterAaron Patterson
Fix ArgumentError with leading and trailing underscores in number str…
2020-03-17Remove unnecessary version guard from versions.rbDavid Rodríguez
Removing it triggers the following warnings when running `bundle` under jruby from the root of the `psych` repo prints the following warnings: ``` /path/to/jruby-9.2.9.0/lib/ruby/gems/shared/gems/psych-3.1.0-java/lib/psych/versions.rb:7: warning: already initialized constant VERSION /path/to//jruby-9.2.9.0/lib/ruby/gems/shared/gems/psych-3.1.0-java/lib/psych/versions.rb:10: warning: already initialized constant DEFAULT_SNAKEYAML_VERSION ``` This is because bundler loads the versions file relatively from the local gemspec, and then internally loads the psych gem, causing the redefinition warnings. Instead, we modify the $LOAD_PATH so that when working locally on the `psych` repo, the local version of `psych` gets used.
2020-03-03Fix ArgumentError with leading and trailing underscores in number strings.Mark Thorn
2019-11-28Implement `freeze` option for Pysch.loadJean Boussier
2019-11-28Implement a freeze load optionJean Boussier
2019-11-28Refactor `symbolize_names`Jean Boussier
2019-10-21Remove taint supportJeremy Evans
Ruby 2.7 deprecates taint and it no longer has an effect. The lack of taint support should not cause a problem in previous Ruby versions. I'm not sure if the untaint calls in deduplicate are still needed after the removal of tainting in the parser. If they are not needed, they should be removed.
2019-10-17Add a note about safe_loadAaron Patterson
2019-07-22Deduplicate hash keys if they're stringsJean Boussier
2019-07-21Drop to support fat gem support.Hiroshi SHIBATA
ref. https://github.com/ruby/bigdecimal/pull/149
2019-04-26Do not allocate a string to check if a scalar is an integerJean Boussier
2019-04-26Remove string_cache in ScalarScannerJean Boussier
2019-04-26Reduce string allocations in scalar_scannerJean Boussier
2019-01-16Dump Hash ivars before elementsAaron Patterson
When the Hash is revived, the ivars will be set before elements. This is for the case when the hash setter depends on ivars set on the hash.
2019-01-09Round trip exception backtracesAaron Patterson
This commit allows exception backtraces to round trip
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-26 16:40:38 +0000