Age | Commit message | Author |
|
This version primarily updates the JRuby extension to use
SnakeYAML Engine, a newer version of the SnakeYAML library, which
also updates YAML support to 1.2. The JRuby extension now also
exposes settings for the parser.
https://github.com/ruby/psych/commit/6f2b16b343
|
|
See jruby/jruby#7570 for some of the justification for this move. We only
require the parser from SnakeYAML, but in the original form it is
encumbered with Java object serialization code that keeps getting
flagged as a CVE risk. We disagree with the assessment, at least
as it pertains to JRuby (we do not use the code in question), but
our inclusion of the library continues to get flagged by auditing
tools.
This commit starts the process of moving to the successor library,
SnakeYAML Engine. The parser API is largely unchanged, except as
seen in this commit. No Java exceptions are thrown, but a number
of Psych tests fail (possibly due to Engine being YAML 1.2 only).
|
|
all symbols
Ref: https://github.com/ruby/psych/pull/495
That's how it works for `safe_load`:
```ruby
>> YAML.safe_load(':foo', permitted_classes: [Symbol])
=> :foo
```
So `safe_dump` should mirror that.
https://github.com/ruby/psych/commit/592a75a656
|
|
https://github.com/ruby/psych/commit/a170b8eb46
|
|
https://github.com/ruby/psych/commit/67ec299c68
|
|
Things declared in anonymous eval are always annoying to locate.
https://github.com/ruby/psych/commit/38871ad4e5
|
|
https://github.com/ruby/psych/commit/bdf20e6042
|
|
https://github.com/ruby/psych/commit/4fed0941b9
|
|
https://github.com/ruby/psych/commit/8a761cdfb7
|
|
This commit just converts some of the parse method to Ruby
https://github.com/ruby/psych/commit/bca7d2c549
|
|
Resolves CVE-2022-25857, among other fixes.
https://github.com/ruby/psych/commit/918cd25d37
|
|
Fix ruby/psych#572
https://github.com/ruby/psych/commit/92304269bc
|
|
https://github.com/ruby/psych/commit/98fbd5247a
|
|
https://github.com/ruby/psych/commit/0c11ddcf46
|
|
https://github.com/ruby/psych/commit/c3b5183f42
|
|
3.1 gem install
https://github.com/ruby/psych/commit/2fa5e190b5
|
|
https://github.com/ruby/psych/commit/8533be8fe7
|
|
Authored-by: Seth Boyles <sethboyles@gmail.com>
https://github.com/ruby/psych/commit/75bebb37b8
|
|
https://github.com/ruby/psych/commit/39e23cc86f
|
|
It does not seem needed, and it's causing issues on Windows when
uninstalling `strscan`, because strscan's shared library is being used when
RubyGems tries to remove it (because it's loaded through Psych, which
RubyGems uses for loading configuration).
https://github.com/ruby/psych/commit/3911356ec1
|
|
https://github.com/ruby/psych/commit/75ab76e788
|
|
https://github.com/ruby/psych/commit/a0f55ee85a
|
|
https://github.com/ruby/psych/commit/69a713f860
|
|
https://github.com/ruby/psych/commit/8ec36494fb
|
|
'y' and 'n' are kind of ambiguous. Syck treated y and n literals in
YAML documents as strings. But this is not what the YAML 1.1 spec says.
YAML 1.1 says they should be treated as booleans. When we're dumping
documents, we know it's a string, so adding quotes will eliminate the
"ambiguity" in the emitted document.
Fixes #443
https://github.com/ruby/psych/commit/6a1c30634e
|
|
https://github.com/ruby/psych/commit/64cc239557
Co-authored-by: Olle Jonsson <olle.jonsson@gmail.com>
|
|
https://github.com/ruby/psych/commit/8f71222bf3
|
|
https://github.com/ruby/psych/commit/e0bb853014
|
|
Previously, `+.inf` was not handled correctly. Additionally, the regexp
was checking for inf and NaN, even though these cases are handled earlier
in the condition. Added a few tests to ensure handling some missing
cases.
https://github.com/ruby/psych/commit/6e0e7a1e9f
|
|
LibYAML has moved from their previous Mercurial based hosting on BitBucket to a git repository on GitHub. This commit updates the `Psych` module's documentation to point to this new repository, instead of the old one which is now a 404.
https://github.com/ruby/psych/commit/947a84d0dd
|
|
https://github.com/ruby/psych/commit/4049939006
|
|
In cases where Psych is used as a two-way serializer,
e.g. to serialize some cache or config, it is preferable
to have the same restrictions on both load and dump.
Otherwise you might dump and persist some object payloads
that you later won't be able to read.
https://github.com/ruby/psych/commit/441958396f
|
|
YAML.load and YAML.safe_load differ a little; the former allows
Symbol by default but the latter doesn't. So YAML.load_file and
YAML.safe_load_file should reflect the difference.
Fixes #490
https://github.com/ruby/psych/commit/f8a5e512a1
|
|
https://github.com/ruby/psych/commit/0767227051
|
|
https://github.com/ruby/psych/commit/1df86a2e81
|
|
Psych.load is not safe for use with untrusted data. Too many
applications make the mistake of using `Psych.load` with untrusted data
and that ends up with some kind of security vulnerability.
This commit changes the default `Psych.load` to use `safe_load`. Users
that want to parse trusted data can use Psych.unsafe_load.
https://github.com/ruby/psych/commit/176494297f
|
|
In future versions of Psych, the `load` method will be mostly the same
as the `safe_load` method. In other words, the `load` method won't
allow arbitrary object deserialization (which can be used to escalate to
an RCE). People that need to load *trusted* documents can use the
`unsafe_load` method.
This commit introduces the `unsafe_load` method so that people can
incrementally upgrade. For example, if they try to upgrade to 4.0.0 and
something breaks, they can downgrade, audit callsites, change to
`safe_load` or `unsafe_load` as required, and then upgrade to 4.0.0
smoothly.
https://github.com/ruby/psych/commit/cb50aa8d3f
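The three loading policies discussed in this commit message and the one above it (`safe_load` with its empty default allow-list, `safe_load` with `permitted_classes`, and `unsafe_load`), run against the same constructed documents so the difference in what each revives is visible; it also shows the Symbol distinction noted in the `load_file`/`safe_load_file` entry. This is an added example, not code from the psych repository; `AppConfig`, `load_with` and the two sample documents are assumed names.

```ruby
require 'yaml'

# Hypothetical application class, defined here only so the tagged
# document below has something for the loader to revive.
class AppConfig
  attr_accessor :name, :retries
end

# Constructed sample documents (not from the psych repository).
PLAIN_DOC  = "name: demo\nmode: :strict\nretries: 3\n"
TAGGED_DOC = "--- !ruby/object:AppConfig\nname: demo\nretries: 3\n"

# Loads DOC under one policy and reports [:ok, value], or
# [:disallowed, class_name] when safe loading rejects a tag or scalar.
#   :safe      -> Psych.safe_load with the default (empty) allow-list
#   :allowlist -> safe_load permitting only Symbol and AppConfig
#   :unsafe    -> Psych.unsafe_load; on a Psych too old to have it,
#                 plain Psych.load still has the arbitrary-object behaviour
def load_with(policy, doc)
  value =
    case policy
    when :safe      then YAML.safe_load(doc)
    when :allowlist then YAML.safe_load(doc, permitted_classes: [Symbol, AppConfig])
    when :unsafe
      YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
    else raise ArgumentError, "unknown policy #{policy.inspect}"
    end
  [:ok, value]
rescue Psych::DisallowedClass => e
  # Message reads "Tried to load unspecified class: <Name>"; keep only the name.
  [:disallowed, e.message.split(': ').last]
end

if __FILE__ == $PROGRAM_NAME
  %i[safe allowlist unsafe].each do |policy|
    # :safe rejects PLAIN_DOC on the Symbol scalar and TAGGED_DOC on the tag;
    # :allowlist and :unsafe both revive an AppConfig from TAGGED_DOC.
    puts "#{policy}: plain=#{load_with(policy, PLAIN_DOC).inspect}"
    puts "#{policy}: tagged=#{load_with(policy, TAGGED_DOC).inspect}"
  end
end
```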
|
|
https://github.com/ruby/psych/commit/1c5c29e81f
|
|
https://github.com/ruby/psych/commit/546154ddb7
|
|
https://github.com/ruby/psych/commit/98617e55a1
|
|
https://github.com/ruby/psych/commit/091cd46b1f
|
|
Fixes jruby/jruby#6365
https://github.com/ruby/psych/commit/a88ff77f02
|
|
https://github.com/ruby/psych/commit/ee26f26ab5
|
|
https://github.com/ruby/psych/commit/285c461cd2
|
|
https://github.com/ruby/psych/commit/58223f0426
|
|
https://github.com/ruby/psych/commit/0abce07b90
|
|
Using `compare_by_identity` gives a 4x performance boost on cache hits.
Benchmark in https://github.com/JuanitoFatas/fast-ruby/issues/189
Notes:
Merged: https://github.com/ruby/ruby/pull/3953
|
|
Config is Ractor-local.
Benchmarking reveals that using `Ractor.local_storage` for storing cache
is similar to accessing a constant (~15% slower).
Notes:
Merged: https://github.com/ruby/ruby/pull/3953
|
|
Notes:
Merged: https://github.com/ruby/ruby/pull/3953
|
|
Improves Ractor-readiness.
Notes:
Merged: https://github.com/ruby/ruby/pull/3953
|