[beerkg]

Hi, I released Shale, a Ruby gem that allows you to parse JSON, YAML and XML and convert it into Ruby data structures, as well as serialize your Ruby data model to JSON, YAML or XML.

Features:

- convert JSON, XML or YAML into Ruby data model

- serialize data model to JSON, XML or YAML

- generate JSON and XML Schema from Ruby models

- compile JSON Schema into Ruby models (compiling XML Schema is a work in progress)

A quick example so you can get a feel of it:

  require 'shale'

  class Address < Shale::Mapper
    attribute :street, Shale::Type::String
    attribute :city, Shale::Type::String
  end

  class Person < Shale::Mapper
    attribute :first_name, Shale::Type::String
    attribute :last_name, Shale::Type::String
    attribute :address, Address
  end

  # parse data and convert it into Ruby data model
  person = Person.from_json(<<~JSON) # or .from_xml / .from_yaml
  {
    "first_name": "John",
    "last_name": "Doe",
    "address": {
      "street": "Oxford Street",
      "city": "London"
    }
  }
  JSON

  # It will give you
  # =>
  #  #<Person:0xa0a4
  #    @address=#<Address:0xa0a6
  #      @city="London",
  #      @street="Oxford Street",
  #      @zip="E1 6AN">,
  #    @age=50,
  #    @first_name="John",
  #    @hobbies=["Singing", "Dancing"],
  #    @last_name="Doe",
  #    @married=false>

  # serialize Ruby data model to JSON
  Person.new(
    first_name: 'John',
    last_name: 'Doe',
    address: Address.new(street: 'Oxford Street', city: 'London')
  ).to_json # or .to_xml / .to_yaml

Source code is available on GitHub: https://github.com/kgiszczak/shale

[sam0x17]

Hey this is a very cool project! When you were developing it, I'm curious if you took any special security precautions in your design of this project, seeing how XML/JSON/YAML serialization and de-serialization are the topic of many high profile CVEs, particularly in the Ruby community?

[beerkg]

Shale uses Ruby's standard library parsers out of the box, so if you keep your Ruby up to date with security updates you will be good. Also others in this thread suggested to set minimal version on dependencies, so I'll probably do that in the future version.

[alipitch]

When using the shale gem, how would you avoid the mass assignment problem? Is there a configuration, or a way of using the shale gem to avoid it?

CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes <https://cwe.mitre.org/data/definitions/915.html> (Ruby on Rails Mass assignment bug)

[DANK_YACHT]

This seems like programmer error. Don't put restricted fields into types you're deserializing off the wire. It's like accepting user input and directly inserting it into a database without any validation.

[beerkg]

If you don't define attributes explicitly on the model, Shale will ignore them.

Regarding attributes that you defined but still don't want to be assigned, you should probably filter them before passing them to Shale, or alternatively filter them with Shale before passing them further down the stack (e.g to ActiveRecord)

[danychok]

Just noticed when sharing the site link - the summary reads: Vue-powered Static Site Generator. A bit misleading.

<meta name="description" content="Vue-powered Static Site Generator">

Kudos for choosing Vue tho =)

[beerkg]

Documentation site was based on https://vuepress.vuejs.org/ but it evolved so much I dropped Vue all together and wen't with plain HTML instead. I must have left that meta tag from the early days.

Regarding Vue I use it daily at my job, great library :)

[WJW]

In the last example, where does it find the values for the `married`, `age`, `zip` and `hobbies` attributes? They are not present in the JSON string?

[beerkg]

Ah, I messed up the example, Person class definition should look like this:

  class Person < Shale::Mapper
    attribute :first_name, Shale::Type::String
    attribute :last_name, Shale::Type::String
    attribute :age, Shale::Type::Integer
    attribute :married, Shale::Type::Boolean, default: false
    attribute :hobbies, Shale::Type::String, collection: true
    attribute :address, Address
  end

And the JSON used for parsing also should contain those atttributes, like:

  {
    "first_name": "John",
    "last_name": "Doe",
    "age": 30,
    "married": false,
    "hobbies": ["Singing", "Dancing"],
    "address": {
      "street": "Oxford Street",
      "city": "London"
    }
  }