dtao / safe_yaml

Parse YAML safely
MIT License

Called 'load' without the :safe option -- defaulting to safe mode. #45

Closed AlJohri closed 11 years ago

AlJohri commented 11 years ago

Currently using safe_yaml 0.9.5. I wasn't seeing this in 0.9.4 (now yanked). What information can I give to help debug the issue?

dtao commented 11 years ago

It must be a coincidence that you didn't see this in 0.9.4 since the only difference between 0.9.4 and 0.9.5 is a change in file permissions (i.e., no actual code changes).

SafeYAML overrides YAML.load to take an additional options hash, which can include a :safe parameter. It also allows you to specify a global default by setting SafeYAML::OPTIONS[:default_mode] = :safe.

The warning is letting you know that you're calling YAML.load with ambiguous intent, because you haven't passed the :safe option and you haven't explicitly specified what you want the default behavior to be. It isn't necessarily anything to be alarmed about; as a conservative guess, SafeYAML will go with :safe by default (as the warning indicates).

The easiest way to get rid of the warning—assuming you are fine with :safe being the default mode—is to set the :default_mode option explicitly before calling YAML.load in your code:

require 'safe_yaml'

# Do this before loading any YAML
SafeYAML::OPTIONS[:default_mode] = :safe

# Now have fun loading all the YAML you want, without warnings
YAML.load('blah blah blah')

dtao commented 11 years ago

Also, FYI, 0.9.4 isn't yanked anymore.

AlJohri commented 11 years ago

Would these two options clash in any way?

config/initializers/safe_yaml.rb

require 'safe_yaml'

SafeYAML::OPTIONS[:deserialize_symbols] = true
SafeYAML::OPTIONS[:default_mode] = :safe

I see now that these are the two base options for configuration, sorry for not reading that earlier. https://github.com/dtao/safe_yaml#configuration

dtao commented 11 years ago

No problem—enough people have raised this issue before that I realize I should make the warning more informative (possibly with the link you just referenced). I will do so in the next version, whenever that is.

And those options should be perfectly compatible. By default, YAML.load will not deserialize arbitrary objects (that's what :safe mode does), but will deserialize symbols. Just be aware of the potential DOS attack vulnerability that may introduce (if you call YAML.load on user-supplied input).
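
The split dtao describes (reject arbitrary objects, optionally still allow symbols) can be reproduced with the stdlib Psych `YAML.safe_load` and its `permitted_classes` list. This is an added example, not safe_yaml's own code; `AppConfig` and the three sample documents are constructed for illustration.

```ruby
require 'yaml'   # Psych; YAML.safe_load is the stdlib counterpart of safe_yaml's :safe mode

# Constructed sample documents (not taken from the issue).
PLAIN_DOC  = "name: demo\nretries: 3\n"
SYMBOL_DOC = "mode: :safe\n"
# A tagged document that would instantiate an arbitrary Ruby object if loaded unsafely.
OBJECT_DOC = "--- !ruby/object:AppConfig\ncmd: echo hi\n"

# Hypothetical application class, defined only so the tag above names something real.
class AppConfig
  attr_accessor :cmd
end

# Equivalent of SafeYAML::OPTIONS[:default_mode] = :safe.
# deserialize_symbols: true mirrors SafeYAML::OPTIONS[:deserialize_symbols] = true:
# Symbol becomes the only extra permitted class; arbitrary objects stay rejected.
def load_safely(doc, deserialize_symbols: false)
  permitted = deserialize_symbols ? [Symbol] : []
  { ok: YAML.safe_load(doc, permitted_classes: permitted) }
rescue Psych::DisallowedClass => e
  { error: e.message }   # e.g. "Tried to load unspecified class: AppConfig"
end

if __FILE__ == $0
  p load_safely(PLAIN_DOC)                             # plain scalars load in both modes
  p load_safely(SYMBOL_DOC)                            # symbol refused without the option
  p load_safely(SYMBOL_DOC, deserialize_symbols: true) # symbol allowed with the option
  p load_safely(OBJECT_DOC)                            # object tag refused either way
end
```

Because symbols are still opaque to the whitelist, enabling them for user-supplied input is exactly the trade-off dtao mentions above; keep the option off for untrusted documents.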

deepakmahakale commented 4 years ago

I am setting this config in an initializer but I can still see the warning on my console.