psych icon indicating copy to clipboard operation
psych copied to clipboard
verified publisher icon ruby

Some strings that look like date/timestamps are not quoted when dumped

Open notEthan opened this issue 1 year ago • 0 comments

Timestamps for which Time.new raises an ArgumentError are not quoted by YAML.safe_dump (and YAML.dump - same result), leading to Psych::DisallowedClass when trying to load them.

A valid timestamp works fine and ends up a quoted string:

YAML.safe_dump("1990-12-31T15:59:60-23:00")
# => "--- '1990-12-31T15:59:60-23:00'\n"
YAML.safe_load(YAML.safe_dump("1990-12-31T15:59:60-23:00"))
# => "1990-12-31T15:59:60-23:00"

But a string that looks like a timestamp but is not valid ends up dumped unquoted, looking like a YAML timestamp which safe_load refuses:

# month 13 invalid
YAML.safe_dump("1990-13-31T15:59:60-23:00")
# => "--- 1990-13-31T15:59:60-23:00\n"

>> YAML.safe_load(YAML.safe_dump("1990-13-31T15:59:60-23:00"))
# .../gems/psych-5.1.2/lib/psych/class_loader.rb:99:in `find': Tried to load unspecified class: Time (Psych::DisallowedClass)
#   from .../gems/psych-5.1.2/lib/psych/class_loader.rb:28:in `load'
#   from .../gems/psych-5.1.2/lib/psych/scalar_scanner.rb:116:in `parse_time'
#   from .../gems/psych-5.1.2/lib/psych/scalar_scanner.rb:59:in `tokenize'
#   from .../gems/psych-5.1.2/lib/psych/visitors/to_ruby.rb:65:in `deserialize'
#   from .../gems/psych-5.1.2/lib/psych/visitors/to_ruby.rb:130:in `visit_Psych_Nodes_Scalar'
#   from .../gems/psych-5.1.2/lib/psych/visitors/visitor.rb:30:in `visit'
#   from .../gems/psych-5.1.2/lib/psych/visitors/visitor.rb:6:in `accept'
#   from .../gems/psych-5.1.2/lib/psych/visitors/to_ruby.rb:35:in `accept'
#   from .../gems/psych-5.1.2/lib/psych/visitors/to_ruby.rb:320:in `visit_Psych_Nodes_Document'
#   from .../gems/psych-5.1.2/lib/psych/visitors/visitor.rb:30:in `visit'
#   from .../gems/psych-5.1.2/lib/psych/visitors/visitor.rb:6:in `accept'
#   from .../gems/psych-5.1.2/lib/psych/visitors/to_ruby.rb:35:in `accept'
#   from .../gems/psych-5.1.2/lib/psych.rb:334:in `safe_load'

Likewise with a date:

# Feb 31 invalid
YAML.safe_dump("1990-02-31")
# => "--- 1990-02-31\n"

>> YAML.safe_load(YAML.safe_dump("1990-02-31"))
# ...gems/psych-5.1.2/lib/psych/class_loader.rb:99:in `find': Tried to load unspecified class: Date (Psych::DisallowedClass)

notEthan avatar Jul 15 '24 23:07 notEthan