Merge branch 'peterbe-65-yamlsafeload'

Author: jxson

.travis.yml

@@ -5,8 +5,6 @@ node_js:
 - 10
 - 9
 - 8
-- 7
-- 6
 before_install:
 - npm install -g npm
 env:
@@ -20,10 +18,6 @@ env:
 script: make travis
 matrix:
   exclude:
-  - node_js: 6
-    env: TEST=browser
-  - node_js: 7
-    env: TEST=browser
   - node_js: 8
     env: TEST=browser
   - node_js: 9

README.md

@@ -72,7 +72,7 @@ And end up with an object like this:
 var fm = require('front-matter')
 ```
 
-## fm(string)
+## fm(string, { allowUnsafe: false })
 
 Return a `content` object with two properties:
 
@@ -81,6 +81,9 @@ Return a `content` object with two properties:
 * `content.bodyBegin` contains the line number the body contents begins at
 * `content.frontmatter` contains the original yaml string contents
 
+**NOTE:** By default `fm()` uses `ys-yaml`'s `safeLoad` unless you set
+`allowUnsafe` in the options object to true.
+
 # fm.test(string)
 
 Check if a string contains a front matter header of "---" or "= yaml =". Primarily used internally but is useful outside of the module.

examples/unsafe.md

@@ -0,0 +1,5 @@
+---
+"toString": !<tag:yaml.org,2002:js/function> "function (){very_evil_thing();}"
+---
+
+Hi there!

index.js

@@ -16,12 +16,14 @@ var regex = new RegExp(pattern, 'm')
 module.exports = extractor
 module.exports.test = test
 
-function extractor (string) {
+function extractor (string, options) {
   string = string || ''
-
+  var defaultOptions = { allowUnsafe: false }
+  options = options instanceof Object ? {...defaultOptions, ...options} : defaultOptions
+  options.allowunsafe = Boolean(options.allowUnsafe)
   var lines = string.split(/(\r?\n)/)
   if (lines[0] && /= yaml =|---/.test(lines[0])) {
-    return parse(string)
+    return parse(string, options.allowUnsafe)
   } else {
     return {
       attributes: {},
@@ -47,7 +49,7 @@ function computeLocation (match, body) {
   return line
 }
 
-function parse (string) {
+function parse (string, allowUnsafe) {
   var match = regex.exec(string)
   if (!match) {
     return {
@@ -57,8 +59,9 @@ function parse (string) {
     }
   }
 
+  var loader = allowUnsafe ? parser.load : parser.safeLoad
   var yaml = match[match.length - 1].replace(/^\s+|\s+$/g, '')
-  var attributes = parser.load(yaml) || {}
+  var attributes = loader(yaml) || {}
   var body = string.replace(match[0], '')
   var line = computeLocation(match, string)
 

package.json

@@ -40,6 +40,7 @@
     "Kai Davenport <kaiyadavenport@gmail.com> (https://github.com/binocarlos)",
     "Jean-Philippe Monette <contact@jpmonette.net> (https://github.com/jpmonette)",
     "Marc-André Arseneault <marc-andre@arsnl.ca> (https://github.com/arsnl)",
-    "Bret Comnes <bcomnes@gmail.com> (http://bret.io)"
+    "Bret Comnes <bcomnes@gmail.com> (http://bret.io)",
+    "Peter Bengtsson <mail@peterbe.com> (https://github.com/peterbe)"
   ]
 }

test/index.js

@@ -101,6 +101,19 @@ test('fm(string) - string missing body', function (t) {
     })
 })
 
+test('fm(string) - insecure yaml', function (t) {
+  fs.readFile(
+    path.resolve(__dirname, '../examples/unsafe.md'),
+    'utf8',
+    function (err, data) {
+      t.error(err, 'read(...) should not error')
+      t.throws(() => {
+        fm(data)
+      }, /YAMLException/)
+      t.end()
+    })
+})
+
 test('fm(string) - wrapped test in yaml', function (t) {
   fs.readFile(
     path.resolve(__dirname, '../examples/wrapped-text.md'),
@@ -154,13 +167,13 @@ test('fm(string) - no front matter, markdown with hr', function (t) {
     })
 })
 
-test('fm(string) - complex yaml', function (t) {
+test('fm(string, true) - complex and unsafe yaml', function (t) {
   fs.readFile(
     path.resolve(__dirname, '../examples/complex-yaml.md'),
     'utf8',
     function (err, data) {
       t.error(err, 'read(...) should not error')
-      var content = fm(data)
+      var content = fm(data, {allowUnsafe: true})
       t.ok(content.attributes, 'should have `attributes` key')
       t.equal(content.attributes.title, 'This is a title!')
       t.equal(content.attributes.contact, null)