Sha256: c80a4ed41064d1c8afb6b27a57dadaa254a902d5525726d0ed7bb6a8f829c573

Contents?: true

Size: 910 Bytes

Versions: 4

Compression:

Stored size: 910 Bytes

Contents

# frozen_string_literal: true

module RuboCop
  module Cop
    module Security
      # This cop checks for the use of YAML class methods which have
      # potential security issues leading to remote code execution when
      # loading from an untrusted source.
      #
      # @example
      #   # bad
      #   YAML.load("--- foo")
      #
      #   # good
      #   YAML.safe_load("--- foo")
      #   YAML.dump("foo")
      #
      class YAMLLoad < Cop
        MSG = 'Prefer using `YAML.safe_load` over `YAML.load`.'.freeze

        def_node_matcher :yaml_load, <<-END
          (send (const {nil cbase} :YAML) :load ...)
        END

        def on_send(node)
          yaml_load(node) do
            add_offense(node, :selector)
          end
        end

        def autocorrect(node)
          ->(corrector) { corrector.replace(node.loc.selector, 'safe_load') }
        end
      end
    end
  end
end

Version data entries

4 entries across 4 versions & 1 rubygems

Version Path
rubocop-0.49.1 lib/rubocop/cop/security/yaml_load.rb
rubocop-0.49.0 lib/rubocop/cop/security/yaml_load.rb
rubocop-0.48.1 lib/rubocop/cop/security/yaml_load.rb
rubocop-0.48.0 lib/rubocop/cop/security/yaml_load.rb