Fixes Alias parsing was not enabled issue while loading Psych Lib in …

…safe_load (#9759) * Fixes Alias parsing was not enabled issue while loading Psych Lib in safe_load
dependabot · May 20, 2024 · 3ed63ea · 3ed63ea
1 parent fd4a4a2
commit 3ed63ea
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 1 deletion.
diff --git a/pub/lib/dependabot/pub/update_checker.rb b/pub/lib/dependabot/pub/update_checker.rb
@@ -168,7 +168,7 @@ def resolve_requirements_update_strategy
           # go for RequirementsUpdateStrategy::BumpVersions.
           pubspec = T.must(dependency_files.find { |d| d.name == "pubspec.yaml" })
           begin
-            parsed_pubspec = YAML.safe_load(T.must(pubspec.content), aliases: false)
+            parsed_pubspec = YAML.safe_load(T.must(pubspec.content), aliases: true)
           rescue ScriptError
             return RequirementsUpdateStrategy::BumpVersions
           end

diff --git a/pub/spec/dependabot/pub/update_checker_spec.rb b/pub/spec/dependabot/pub/update_checker_spec.rb
@@ -791,4 +791,27 @@
       ]
     end
   end
+
+  context "loads a YAML file with alias" do
+    fixture = "spec/fixtures/projects/yaml_alias/"
+    alias_info_file = "pubspec_alias_true.yaml"
+    non_alias_info_file = "pubspec.yaml"
+    it "parses a alias contained YAML file with aliases: true" do
+      yaml_object = File.open(fixture + alias_info_file, "r")
+      data = yaml_object.read
+      expect { YAML.safe_load(data, aliases: true) }.not_to raise_error
+    end
+
+    it "parses a alias contained YAML file with aliases: false" do
+      yaml_object = File.open(fixture + alias_info_file, "r")
+      data = yaml_object.read
+      expect { YAML.safe_load(data, aliases: false) }.to raise_error(Psych::AliasesNotEnabled)
+    end
+
+    it "parses a no alias YAML file with aliases: true" do
+      yaml_object = File.open(fixture + non_alias_info_file, "r")
+      data = yaml_object.read
+      expect { YAML.safe_load(data, aliases: true) }.not_to raise_error
+    end
+  end
 end
diff --git a/pub/spec/fixtures/projects/yaml_alias/pubspec.yaml b/pub/spec/fixtures/projects/yaml_alias/pubspec.yaml
@@ -0,0 +1,9 @@
+name: dependabot_testcase
+environment:
+  sdk: '>=2.12.0 <3.0.0'
+dependencies:
+  collection: ^1.14.13 # Locked to 1.14.13, can update with no unlock.
+  retry: ^2.0.0 # Can update with updated constraint, no further constraints.
+  protobuf: 1.1.4 # Can update with updated constraint, only together with fixnum to 2.0.0 or with fixnum and collection to 2.1.0.
+  fixnum: 0.10.11
+  path: 1.8.0 # Already at latest
diff --git a/pub/spec/fixtures/projects/yaml_alias/pubspec_alias_true.yaml b/pub/spec/fixtures/projects/yaml_alias/pubspec_alias_true.yaml
@@ -0,0 +1,16 @@
+default: &default
+  var1: info
+  var2: var5
+  var3: 1
+
+var4:
+  <<: *default
+  dir: ls/var4.info
+
+var5:
+  <<: *default
+  dir: ls/var5.info
+
+var6:
+  <<: *default
+  dir: ls/var6.info