config_loader.rb in rubocop-1.66.1

- old
+ new

@@ -65,12 +65,12 @@
       end
 
       def load_yaml_configuration(absolute_path)
         file_contents = read_file(absolute_path)
         yaml_code = Dir.chdir(File.dirname(absolute_path)) { ERB.new(file_contents).result }
-        check_duplication(yaml_code, absolute_path)
-        hash = yaml_safe_load(yaml_code, absolute_path) || {}
+        yaml_tree = check_duplication(yaml_code, absolute_path)
+        hash = yaml_tree_to_hash(yaml_tree) || {}
 
         puts "configuration from #{absolute_path}" if debug?
 
         raise(TypeError, "Malformed configuration in #{absolute_path}") unless hash.is_a?(Hash)
 
@@ -233,23 +233,29 @@
         File.read(absolute_path, encoding: Encoding::UTF_8)
       rescue Errno::ENOENT
         raise ConfigNotFoundError, "Configuration file not found: #{absolute_path}"
       end
 
-      def yaml_safe_load(yaml_code, filename)
-        yaml_safe_load!(yaml_code, filename)
+      def yaml_tree_to_hash(yaml_tree)
+        yaml_tree_to_hash!(yaml_tree)
       rescue ::StandardError
         if defined?(::SafeYAML)
           raise 'SafeYAML is unmaintained, no longer needed and should be removed'
         end
 
         raise
       end
 
-      def yaml_safe_load!(yaml_code, filename)
-        YAML.safe_load(
-          yaml_code, permitted_classes: [Regexp, Symbol], aliases: true, filename: filename
-        )
+      def yaml_tree_to_hash!(yaml_tree)
+        return nil unless yaml_tree
+
+        # Optimization: Because we checked for duplicate keys, we already have the
+        # yaml tree and don't need to parse it again.
+        # Also see https://github.com/ruby/psych/blob/v5.1.2/lib/psych.rb#L322-L336
+        class_loader = YAML::ClassLoader::Restricted.new(%w[Regexp Symbol], [])
+        scanner = YAML::ScalarScanner.new(class_loader)
+        visitor = YAML::Visitors::ToRuby.new(scanner, class_loader)
+        visitor.accept(yaml_tree)
       end
     end
 
     # Initializing class ivars
     clear_options