[Bug 1197896] Re: [MIR] ruby-safe-yaml, ruby-hashie, ruby-indentation
Seth Arnold
1197896 at bugs.launchpad.net
Thu Aug 8 00:03:50 UTC 2013
I reviewed ruby-safe-yaml version 0.9.3-1 from saucy. This should
not be considered a full security audit, but rather a quick gauge of
code cleanliness.
- ruby-safe-yaml provides callbacks used by the syck and psych
YAML-parsing engines to convert a tokenized YAML stream into Ruby
objects without blindly executing code in the objects, as previous
YAML parsers have done.
- build-depends on gem2deb, rake, ruby-rspec, ruby-hashie, ruby-indentation
- Does not do encryption
- Does not itself do networking
- Does not daemonize
- No init scripts, no dbus services, no setuid, no binaries, no sudo,
no cron jobs
- Nice test suite run during build
- No processes spawned
- No file writing; file reading is simple and duck-typed
- No environment variables used
- No privileged operations
- No cryptography
- No networking itself
- No temp files
- No WebKit or JS
Some code is a little obfuscated in the effort to provide an identical API
interface to callers in Ruby 1.8 and Ruby 1.9 environments, when the
underlying YAML parser frameworks are different. Most of the code is
straightforward and careful parsing code.
The test suite is comprehensive and includes positive and negative
tests.
Security team ACK for including in main.
Thanks
** Changed in: ruby-safe-yaml (Ubuntu)
Assignee: Seth Arnold (seth-arnold) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ruby-safe-yaml in Ubuntu.
https://bugs.launchpad.net/bugs/1197896
Title:
[MIR] ruby-safe-yaml, ruby-hashie, ruby-indentation
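As an added illustration of the safe-versus-unsafe loading distinction the review describes (this is not code from ruby-safe-yaml or from the reviewer), using Psych's built-in safe_load as a stand-in for the gem's restricted loader; the AuditRecord class and both YAML documents are constructed for the example:

```ruby
require 'yaml'

# Constructed class standing in for any application object that a
# "!ruby/object:" tag could name. It only records what it was built with.
class AuditRecord
  attr_reader :name
  def initialize(name = nil)
    @name = name
  end
end

# Constructed inputs: plain data, and a document that names a Ruby class.
PLAIN_DOC  = "name: nightly\ncount: 3\n"
TAGGED_DOC = "--- !ruby/object:AuditRecord\nname: injected\n"

# Unsafe path: Psych resolves the tag, allocates the class and sets its
# instance variables directly, so arbitrary classes get instantiated.
# unsafe_load exists on newer Psych; older Psych exposes this as load.
def unsafe_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Safe path: only core scalar and collection types are permitted, which is
# the behaviour ruby-safe-yaml provides. Returns [:ok, value] or
# [:rejected, message] so a caller can log the rejection rather than crash.
def load_untrusted(doc)
  [:ok, YAML.safe_load(doc, permitted_classes: [], aliases: false)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  p unsafe_load(TAGGED_DOC).class   # AuditRecord
  p load_untrusted(PLAIN_DOC)
  p load_untrusted(TAGGED_DOC)
end
```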