Use safeLoad for untrusted yaml

This commit is contained in:
Brandon Keepers 2017-07-27 10:04:59 -05:00
parent b70e6af7b1
commit 81694fa5cd
No known key found for this signature in database
GPG Key ID: F9533396D5FACBF6
2 changed files with 17 additions and 1 deletions


@ -72,7 +72,7 @@ class Context {
async config(fileName) {
const params = this.repo({path: path.join('.github', fileName)});
const data = await this.github.repos.getContent(params);
return yaml.load(Buffer.from(data.content, 'base64').toString()) || {};
return yaml.safeLoad(Buffer.from(data.content, 'base64').toString()) || {};
}
}
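Review bot: The `safeLoad` call on the new line 18 still hands back whatever the document parses to, so a repo whose `.github/<fileName>` is a bare scalar or a top-level sequence reaches callers as a string or array that the `|| {}` fallback does not catch; guard on the shape instead: `const config = yaml.safeLoad(Buffer.from(data.content, 'base64').toString());` followed by `return config && typeof config === 'object' && !Array.isArray(config) ? config : {};`. A why-comment on the call would stop a future "simplification" back to `load`, e.g. `// safeLoad: repo content is untrusted, so custom tags (e.g. !!js/function) must be rejected`. I can't see the pinned js-yaml version; in releases where `safeLoad` is removed and `load` becomes the safe default this line needs a deliberate re-check rather than a mechanical rename. The enclosing `class Context` starts outside the hunk.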


@ -137,6 +137,22 @@ describe('Context', function () {
expect(e.message).toMatch(/^end of the stream or a document separator/);
});
it('throws when loading unsafe yaml', async function () {
github.repos.getContent.andReturn(readConfig('evil.yml'));
let e;
let config;
try {
config = await context.config('evil.yml');
} catch (err) {
e = err;
}
expect(config).toNotExist();
expect(e).toExist();
expect(e.message).toMatch(/unknown tag/);
});
it('returns an empty object when the file is empty', async function () {
github.repos.getContent.andReturn(readConfig('empty.yml'));