
# frozen_string_literal: true

module RuboCop
  module Cop
    module Security
      # Flags `YAML.load`, a YAML class method with potential security
      # issues that can lead to remote code execution when the document
      # being parsed comes from an untrusted source, and autocorrects the
      # call to `YAML.safe_load`.
      #
      # @example
      #   # bad
      #   YAML.load("--- foo")
      #
      #   # good
      #   YAML.safe_load("--- foo")
      #   YAML.dump("foo")
      #
      class YAMLLoad < Base
        extend AutoCorrector

        MSG = 'Prefer using `YAML.safe_load` over `YAML.load`.'
        RESTRICT_ON_SEND = %i[load].freeze

        # Matches `YAML.load(...)` and `::YAML.load(...)` with any arguments.
        #
        # @!method yaml_load(node)
        def_node_matcher :yaml_load, <<~PATTERN
          (send (const {cbase nil?} :YAML) :load ...)
        PATTERN

        # Registers an offense on the `load` selector and offers a correction
        # that rewrites only the selector to `safe_load`, leaving receiver and
        # arguments exactly as written.
        #
        # @param node [RuboCop::AST::SendNode] the call being inspected
        def on_send(node)
          return unless yaml_load(node)

          selector = node.loc.selector
          add_offense(selector) do |corrector|
            # NOTE(review): `safe_load` accepts fewer node types than `load`,
            # so the corrected call may still need adjusting — confirm.
            corrector.replace(selector, 'safe_load')
          end
        end
      end
    end
  end
end
