square / rails-auth

Modular resource-based authentication and authorization for Rails/Rack
Apache License 2.0

Consider using YAML.safe_load instead of YAML.load #60

Closed mbyczkowski closed 1 month ago

mbyczkowski commented 4 years ago

When I was upgrading the version of rubocop in #53, I temporarily disabled a cop in https://github.com/square/rails-auth/blob/803225fed67091673a45439c915aed9abfc6faaf/lib/rails/auth/acl.rb#L21-L24, because I wasn't 100% sure about the implications of this change. Nonetheless, this should be something that someone should look at.

mbyczkowski commented 4 years ago

I think YAML.safe_load(yaml, [], [], true) would probably work here. According to the documentation, this particular invocation would allow for aliases in YAML files (the default for safe_load is to raise an exception in such a case).
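
To make the trade-off in this thread concrete, here is an added Ruby example (not rails-auth's own code; the ACL-style document and the class names in it are constructed). It shows the alias-enabled `safe_load`, written in the keyword form that newer Psych versions use for the `YAML.safe_load(yaml, [], [], true)` call above, beside the unsafe loader it replaces.

```ruby
require "yaml"

# Constructed ACL-style document (not rails-auth's actual format): one resource
# list is defined once under an anchor and reused through an alias, which is
# the case the `aliases` option of safe_load has to permit.
ACL_WITH_ALIASES = <<~YAML
  - resources: &admin_paths
      - method: ALL
        path: /admin/.*
    allow_x509_subject:
      ou: ops
  - resources: *admin_paths
    allow_x509_subject:
      ou: sre
YAML

# Constructed document carrying a Ruby object tag. The unsafe loader
# instantiates the named class; a safe loader must reject it.
TAGGED_OBJECT = <<~YAML
  - resources: !ruby/object:Object {}
YAML

# Hardened loader: plain YAML types only, aliases permitted. This is the
# keyword-argument form (Psych 3.1+) of YAML.safe_load(yaml, [], [], true).
def load_acl(yaml)
  YAML.safe_load(yaml, permitted_classes: [], permitted_symbols: [], aliases: true)
end

# Reports how safe_load treats a document so the two failure modes can be
# told apart. Both Psych errors inherit from Exception, not StandardError,
# so they are rescued by name rather than with a bare rescue.
def safe_load_verdict(yaml, aliases:)
  YAML.safe_load(yaml, aliases: aliases)
  :ok
rescue Psych::BadAlias        # Psych::AliasesNotEnabled is a subclass of this
  :alias_rejected
rescue Psych::DisallowedClass
  :class_rejected
end

# The unsafe path for contrast: YAML.unsafe_load where it exists (Psych >= 3.3.2)
# or the original YAML.load on older Psych, which revives arbitrary tagged objects.
def unsafe_load_revives_object?(yaml)
  loaded = YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
  loaded.first["resources"].instance_of?(Object)
end

if __FILE__ == $PROGRAM_NAME
  p load_acl(ACL_WITH_ALIASES)                            # both entries share the admin paths
  p safe_load_verdict(ACL_WITH_ALIASES, aliases: false)  # :alias_rejected
  p safe_load_verdict(TAGGED_OBJECT, aliases: true)       # :class_rejected
  p unsafe_load_revives_object?(TAGGED_OBJECT)            # true
end
```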

nerdrew commented 1 month ago

Fixed in https://github.com/square/rails-auth/pull/75