I reviewed ruby-safe-yaml version 0.9.3-1 from saucy. This should not be considered a full security audit, but rather a quick gauge of code cleanliness.
- ruby-safe-yaml provides callbacks used by the syck and psych YAML-parsing engines to convert a tokenized YAML stream into Ruby objects without blindly executing code in the objects, as previous YAML parsers have done.
- build-depends on gem2deb, rake, ruby-rspec, ruby-hashie, ruby-indentation
- Does not do encryption
- Does not itself do networking
- Does not daemonize
- No init scripts, no dbus services, no setuid, no binaries, no sudo, no cron jobs
- Nice test suite run during build
- No processes spawned
- No file writing; file reading is simple and duck-typed
- No environment variables used
- No privileged operations
- No cryptography
- No networking itself
- No temp files
- No WebKit or JS

Some code is a little obfuscated in the effort to provide an identical API interface to callers in Ruby 1.8 and Ruby 1.9 environments, when the underlying YAML parser frameworks are different. Most of the code is straightforward and careful parsing code. The test suite is comprehensive and includes positive and negative tests.

Security team ACK for including in main.

Thanks

** Changed in: ruby-safe-yaml (Ubuntu)
Assignee: Seth Arnold (seth-arnold) => (unassigned)

https://bugs.launchpad.net/bugs/1197896

Title: [MIR] ruby-safe-yaml, ruby-hashie, ruby-indentation
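The behaviour the review describes, loading a YAML stream into plain Ruby data without instantiating whatever object tags the stream asks for, shown as an added example that is not part of the message above or of the ruby-safe-yaml package. It uses Psych's built-in safe_load (Ruby 2.6+ keyword form) as a stand-in for the safe-yaml callbacks, and the AuditRecord class and the sample documents are constructed for the demonstration.

```ruby
require 'yaml' # loads Psych, Ruby's standard YAML engine

# Hypothetical application class standing in for any object a YAML
# document could try to instantiate through a !ruby/object tag.
class AuditRecord
  attr_accessor :user, :action
end

# Constructed sample input: plain data, the kind of stream a config
# file or API response legitimately carries.
TRUSTED_CONFIG = <<~YAML
  host: example.invalid
  port: 8443
  tags: [a, b]
YAML

# Constructed sample input carrying an object tag. A safe loader must
# refuse this instead of allocating an AuditRecord behind the caller's back.
TAGGED_DOC = <<~YAML
  --- !ruby/object:AuditRecord
  user: alice
  action: login
YAML

# Constructed sample input: even Symbol is rejected by default, so an
# untrusted stream cannot intern arbitrary symbols in the parsing process.
SYMBOL_DOC = "key: :a_symbol\n"

# Parse untrusted YAML in safe mode.
# Returns [:ok, value] for plain data (Hash/Array/String/Integer/...),
# or [:rejected, class_name] when the stream requested a class that was
# not explicitly permitted by the caller.
def load_untrusted(yaml, permitted: [])
  [:ok, Psych.safe_load(yaml, permitted_classes: permitted)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message[/unspecified class: (\S+)/, 1]]
end

if __FILE__ == $PROGRAM_NAME
  p load_untrusted(TRUSTED_CONFIG)
  p load_untrusted(TAGGED_DOC)
  p load_untrusted(SYMBOL_DOC)
  # Opting a class in is an explicit, reviewable decision by the caller.
  p load_untrusted(TAGGED_DOC, permitted: [AuditRecord])
end
```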