lib/rails/auth/acl.rb in rails-auth-3.1.0 vs lib/rails/auth/acl.rb in rails-auth-3.2.0
- old
+ new
@@ -17,12 +17,17 @@
# Create a Rails::Auth::ACL from a YAML representation of an ACL
#
# @param [String] :yaml serialized YAML to load an ACL from
def self.from_yaml(yaml, **args)
require "yaml"
- # rubocop:todo Security/YAMLLoad
- new(YAML.load(yaml), **args)
- # rubocop:enable Security/YAMLLoad
+ new(
+ if YAML::VERSION >= "4.0"
+ YAML.safe_load(yaml, aliases: true)
+ else
+ YAML.safe_load(yaml, [], [], true)
+ end,
+ **args
+ )
end
# @param [Array<Hash>] :acl Access Control List configuration
# @param [Hash] :matchers authorizers use with this ACL
#
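Review bot: The version gate `if YAML::VERSION >= "4.0"` in `from_yaml` compares two strings, so the ordering is lexicographic. A future version such as "10.0" would sort below "4.0" and fall into the positional-argument branch, which is evidently meant only for older Psych releases. Comparing parsed versions avoids this: `if Gem::Version.new(YAML::VERSION) >= Gem::Version.new("4.0")`. Separately, both branches keep aliases enabled, so a one-line comment above the call would help the next reader, for example `# safe_load: basic types only; aliases stay enabled for ACL files that use anchors` (that ACL files rely on anchors is an assumption to confirm). The `@param` doc could also note that YAML carrying arbitrary Ruby object tags is now rejected.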