Introduce Psych.unsafe_load
#488
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In future versions of Psych, the `load` method will be mostly the same as the `safe_load` method. In other words, the `load` method won't allow arbitrary object deserialization (which can be used to escalate to an RCE). People that need to load *trusted* documents can use the `unsafe_load` method. This commit introduces the `unsafe_load` method so that people can incrementally upgrade. For example, if they try to upgrade to 4.0.0 and something breaks, they can downgrade, audit callsites, change to `safe_load` or `unsafe_load` as required, and then upgrade to 4.0.0 smoothly.
|
This change causes a major ripple effect. I am sure it had its reasons, but |
jrafanie
added a commit
to jrafanie/sprint_statistics
that referenced
this pull request
Jun 28, 2022
Psych added unsafe_load in 3.3.2+ here: ruby/psych#488 PR ManageIQ#66 depended on unsafe_load but it doesn't exist in 3.3.1 or earlier.
kevindew
added a commit
to alphagov/publishing-api
that referenced
this pull request
Jul 20, 2022
The previous implementation isn't compatible with Ruby 3.1 due to the upgrade of Psych (YAML library) to 4.0 [1] in stdlib and the change in `load_file`. A simpler way to replace this is to use the Rails built in method to load a config file. [1]: ruby/psych#488
krauselukas
added a commit
to krauselukas/json_refs
that referenced
this pull request
Apr 26, 2023
With ruby 3.1.0, psych version 4.0.0 got introduced. Starting psych version 4.0.0 the `load` method defaults to `safe_load`. See ruby/psych#487 See https://stdgems.org/psych/ This got introduced to prevent users from accidentally load yaml content from untrusted user input. But now breaks certain patterns, when using the gem. See https://bugs.ruby-lang.org/issues/17866 To still allow users to load trusted documents, the `unsafe_load` method got introduced. See ruby/psych#488 I added a ruby version check for backwards compatibility.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In future versions of Psych, the
loadmethod will be mostly the sameas the
safe_loadmethod. In other words, theloadmethod won'tallow arbitrary object deserialization (which can be used to escalate to
an RCE). People that need to load trusted documents can use the
unsafe_loadmethod.This commit introduces the
unsafe_loadmethod so that people canincrementally upgrade. For example, if they try to upgrade to 4.0.0 and
something breaks, they can downgrade, audit callsites, change to
safe_loadorunsafe_loadas required, and then upgrade to 4.0.0smoothly.