Sha256: abbfd05e5cb2ea5e810552fe407482629f9c286e4b34b77e257a28c399494be4
Contents?: true
Size: 1.58 KB
Versions: 9
Compression:
Stored size: 1.58 KB
Contents
# frozen_string_literal: true
module RuboCop
module Cop
module Security
# This cop checks for the use of YAML class methods which have
# potential security issues leading to remote code execution when
# loading from an untrusted source.
#
# NOTE: Ruby 3.1+ (Psych 4) uses `Psych.load` as `Psych.safe_load` by default.
#
# @safety
# The behaviour of the code might change depending on what was
# in the YAML payload, since `YAML.safe_load` is more restrictive.
#
# @example
# # bad
# YAML.load("--- !ruby/object:Foo {}") # Psych 3 is unsafe by default
#
# # good
# YAML.safe_load("--- !ruby/object:Foo {}", [Foo]) # Ruby 2.5 (Psych 3)
# YAML.safe_load("--- !ruby/object:Foo {}", permitted_classes: [Foo]) # Ruby 3.0- (Psych 3)
# YAML.load("--- !ruby/object:Foo {}", permitted_classes: [Foo]) # Ruby 3.1+ (Psych 4)
# YAML.dump(foo)
#
class YAMLLoad < Base
extend AutoCorrector
MSG = 'Prefer using `YAML.safe_load` over `YAML.load`.'
RESTRICT_ON_SEND = %i[load].freeze
# @!method yaml_load(node)
def_node_matcher :yaml_load, <<~PATTERN
(send (const {nil? cbase} :YAML) :load ...)
PATTERN
def on_send(node)
return if target_ruby_version >= 3.1
yaml_load(node) do
add_offense(node.loc.selector) do |corrector|
corrector.replace(node.loc.selector, 'safe_load')
end
end
end
end
end
end
end
Version data entries
9 entries across 9 versions & 3 rubygems