

Fixes #36219 - use YAML.safe_load instead of YAML.load
Ron-Lavi authored and ekohl committed Jul 13, 2023
1 parent ed61577 commit c9b82a5
Showing 9 changed files with 12 additions and 12 deletions.
2 changes: 1 addition & 1 deletion app/models/compute_resources/foreman/model/vmware.rb
Expand Up @@ -804,7 +804,7 @@ def build_vmrc_uri(host, vmid, ticket)
end

def valid_cloudinit_for_customspec?(cloudinit)
parsed = YAML.load(cloudinit)
parsed = YAML.safe_load(cloudinit)
return false if parsed.nil?
return true if parsed.is_a?(Hash)
raise Foreman::Exception.new('The user-data template must be a hash in YAML format for VM customization to work.')
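Review bot: `YAML.safe_load(cloudinit)` runs with aliases disabled, so a user-data template that uses anchors (`&defaults` / `<<: *defaults`, common in cloud-config) now raises `Psych::BadAlias` (`Psych::AliasesNotEnabled` on newer Psych) straight out of `valid_cloudinit_for_customspec?`, and any tagged node raises `Psych::DisallowedClass`; neither reaches the `Foreman::Exception` message two lines below, so the user sees a bare 500 instead of the validation error. If the rendered template is trusted enough, `parsed = YAML.safe_load(cloudinit, aliases: true)` keeps anchors working while still refusing object instantiation, and rescuing `Psych::Exception` to re-raise the same `Foreman::Exception` keeps the failure user-facing. One more subtle shift: on Psych 3 `YAML.load('')` returned `false` and fell through to the raise, whereas `safe_load('')` returns `nil` and now hits `return false` — confirm that is the intended outcome for an empty template.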
2 changes: 1 addition & 1 deletion app/models/lookup_keys/lookup_key.rb
Expand Up @@ -177,7 +177,7 @@ def load_yaml_or_json(value)
begin
JSON.load value
rescue
YAML.load value
YAML.safe_load(value, permitted_classes: [Symbol])
end
end

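Review bot: The `YAML.safe_load(value, permitted_classes: [Symbol])` call sits inside the bare `rescue` clause, so the new `Psych::DisallowedClass` / `Psych::BadAlias` it raises for a tagged or aliased value is not caught by that clause and escapes `load_yaml_or_json`, where the old `YAML.load` would have silently instantiated the object. Stored lookup values that predate this commit may carry such tags, so either migrate them or rescue those errors explicitly, e.g. `rescue Psych::DisallowedClass, Psych::BadAlias => e` and re-raise as the project's `Foreman::Exception` with the offending key named. Note also that sibling callers in this commit disagree on the whitelist (`importer_puppetclass.rb` permits nothing, this one permits `Symbol`), which is worth aligning so a value classified as YAML by one can be parsed by the other.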
2 changes: 1 addition & 1 deletion app/models/report.rb
Expand Up @@ -62,7 +62,7 @@ def self.inherited(child)
# extracts serialized metrics and keep them as a hash_with_indifferent_access
def metrics
return {} if self[:metrics].nil?
YAML.load(read_metrics).with_indifferent_access
YAML.safe_load(read_metrics).with_indifferent_access
end

# serialize metrics as YAML
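Review bot: `YAML.safe_load(read_metrics)` will raise `Psych::DisallowedClass` on any already-stored report whose metrics were dumped with a Ruby tag — and since `metrics` returns a `with_indifferent_access` hash, if the serializer below the hunk ever wrote that object back with `YAML.dump` the stored document starts with `!ruby/hash:ActiveSupport::HashWithIndifferentAccess`, which `safe_load` rejects. Confirm the "serialize metrics as YAML" writer (cut off at the end of the hunk) only emits plain scalars and string keys, or add a data migration before this lands. The `return {} if self[:metrics].nil?` guard also does not cover an empty string, for which `safe_load` returns `nil` and the chained `.with_indifferent_access` raises `NoMethodError`; `(YAML.safe_load(read_metrics) || {}).with_indifferent_access` closes that gap.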
4 changes: 2 additions & 2 deletions app/models/setting.rb
Expand Up @@ -105,7 +105,7 @@ def value=(v)
def value
v = self[:value]
v = decrypt_field(v)
v.nil? ? default : YAML.load(v)
v.nil? ? default : YAML.safe_load(v, permitted_classes: [Symbol, Pathname])
end
alias_method :value_before_type_cast, :value

Expand All @@ -130,7 +130,7 @@ def parse_string_value(val)
when "array"
if val =~ /\A\[.*\]\Z/
begin
self.value = YAML.load(val.gsub(/(\,)(\S)/, "\\1 \\2"))
self.value = YAML.safe_load(val.gsub(/(\,)(\S)/, "\\1 \\2"))
rescue => e
invalid_value_error e.to_s
end
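Review bot: The `value` reader has no rescue, so a single persisted setting whose YAML carries a tag outside `[Symbol, Pathname]` (for instance a hash dumped as `!ruby/hash:ActiveSupport::HashWithIndifferentAccess`) now raises `Psych::DisallowedClass` from every `Setting#value` call for that row, which is the kind of failure that surfaces at boot rather than in a request. The writer `value=` is above the hunk, so confirm it only ever serializes plain types, symbols and `Pathname`, or ship a migration that re-dumps existing rows; the `permitted_classes` list itself looks right for the types named here. The array branch in `parse_string_value` is safer because its `rescue => e` already turns `Psych::DisallowedClass` into `invalid_value_error`, but it permits no `Symbol`, so `[:a, :b]` is rejected on input while the reader above would accept it from the database — decide which behaviour is intended and make the two agree.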
2 changes: 1 addition & 1 deletion app/services/foreman/importer_puppetclass.rb
Expand Up @@ -29,7 +29,7 @@ def self.suggest_key_type(value, default = nil, detect_json_or_yaml = false)
begin
return "json" if JSON.load value
rescue
return "yaml" if YAML.load value
return "yaml" if YAML.safe_load value
end
end
"string"
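Review bot: `return "yaml" if YAML.safe_load value` passes no `permitted_classes`, while `caster.rb` in the same commit casts `yaml`-typed values with `permitted_classes: [Symbol]`, so a default containing a symbol is classified by a stricter parser than the one that later casts it; `return "yaml" if YAML.safe_load(value, permitted_classes: [Symbol])` keeps the two consistent. Because this call sits in the `rescue` clause, a `Psych::DisallowedClass` or `Psych::BadAlias` it raises propagates out of `suggest_key_type` and aborts the whole class import, where falling through to the `"string"` result (by rescuing `Psych::Exception` around the YAML probe) would classify the value instead. `suggest_key_type` begins above the hunk, so the enclosing `if` that the second `end` closes is not visible here.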
4 changes: 2 additions & 2 deletions app/services/foreman/parameters/caster.rb
Expand Up @@ -107,13 +107,13 @@ def cast_json
end

def cast_yaml
YAML.load value
YAML.safe_load(value, permitted_classes: [Symbol])
end

def load_yaml_or_json
return value unless value.is_a? String
begin
YAML.load value
YAML.safe_load(value, permitted_classes: [Symbol])
rescue Psych::SyntaxError
JSON.load value
end
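Review bot: `load_yaml_or_json` rescues only `Psych::SyntaxError`, so the `Psych::DisallowedClass` / `Psych::BadAlias` that the new `safe_load` raises for a tagged or aliased parameter value escapes the caster instead of being treated as an invalid value; `cast_yaml` has no rescue at all. Whether the JSON fallback or an invalid-value error is the right outcome depends on the caller (outside this hunk), but `rescue Psych::SyntaxError, Psych::DisallowedClass, Psych::BadAlias` at least routes every parse failure through the same path, and `Psych::Exception` is the common superclass if you prefer one name. The method's closing `end` lies past the end of the hunk.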
2 changes: 1 addition & 1 deletion lib/tasks/parameters.rake
Expand Up @@ -24,7 +24,7 @@ namespace :parameters do
task :cast_key_types_and_values => :environment do
def override_key_type_and_value(param)
key_type_name = 'string'
value = YAML.load param.value
value = YAML.safe_load param.value
key_type_name = value.is_a?(Hash) ? 'yaml' : find_key_type(value)

# Avoid updating parameter with true/false when param.value
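Review bot: `value = YAML.safe_load param.value` permits no classes and has no visible rescue, yet this task iterates over existing parameters, so the first stored value containing a symbol or a Ruby tag raises `Psych::DisallowedClass` and aborts the whole `cast_key_types_and_values` run. Aligning it with the caster this task feeds, `value = YAML.safe_load(param.value, permitted_classes: [Symbol])`, removes the symbol case, and rescuing `Psych::Exception` per parameter to log and skip the offending record keeps one bad row from blocking the migration of the rest. `override_key_type_and_value` continues beyond the hunk, so a rescue further down would not be visible here.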
4 changes: 2 additions & 2 deletions lib/tasks/puppet.rake
Expand Up @@ -15,7 +15,7 @@ namespace :puppet do
name = yaml.match(/.*\/(.*).yaml/)[1]
puts "Importing #{name}"
puppet_facts = File.read(yaml)
facts_stripped_of_class_names = YAML.load(puppet_facts.gsub(/\!ruby\/object.*$/, ''))
facts_stripped_of_class_names = YAML.safe_load(puppet_facts.gsub(/\!ruby\/object.*$/, ''))
User.as_anonymous_admin do
host = Host::Managed.import_host(facts_stripped_of_class_names['name'], 'puppet')
HostFactImporter.new(host).import_facts(facts_stripped_of_class_names['values'])
Expand Down Expand Up @@ -46,7 +46,7 @@ namespace :puppet do

Host.find_each do |host|
$stdout.print "processing #{host.name} "
nodeinfo = YAML.load `#{script} #{host.name}`
nodeinfo = YAML.safe_load `#{script} #{host.name}`
if nodeinfo.is_a?(Hash)
$stdout.puts "DONE" if host.importNode nodeinfo
else
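Review bot: The line now reading `nodeinfo = YAML.safe_load \`#{script} #{host.name}\`` still interpolates `host.name` into a shell command, so a host name containing shell metacharacters is executed by the shell before the YAML is ever parsed — hardening the parser does not close that hole. If `script` is a plain path, `output, _status = Open3.capture2(script, host.name)` followed by `nodeinfo = YAML.safe_load(output)` passes the name as an argv element with no shell involved (add `require 'open3'` at the top of the rake file). In the first hunk, the `gsub(/\!ruby\/object.*$/, '')` only strips object tags, so an exported facts file carrying other Ruby tags (`!ruby/sym`, for example) would now raise `Psych::DisallowedClass` where `YAML.load` used to accept it; I cannot tell from here whether such files occur, so a `rescue Psych::Exception` that reports the file name and continues would be a cheap safeguard.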
2 changes: 1 addition & 1 deletion test/factories/reports_related.rb
Expand Up @@ -3,7 +3,7 @@
host
reported_at { Time.now.utc }
status { 0 }
metrics { YAML.load("--- \n time: \n schedule: 0.00083\n service: 0.149739\n mailalias: 0.000283\n cron: 0.000419\n config_retrieval: 16.3637869358063\n package: 0.003989\n filebucket: 0.000171\n file: 0.007025\n exec: 0.000299\n resources: \n total: 33\n changes: {}\n events: \n total: 0") }
metrics { YAML.safe_load("--- \n time: \n schedule: 0.00083\n service: 0.149739\n mailalias: 0.000283\n cron: 0.000419\n config_retrieval: 16.3637869358063\n package: 0.003989\n filebucket: 0.000171\n file: 0.007025\n exec: 0.000299\n resources: \n total: 33\n changes: {}\n events: \n total: 0") }
type { 'ConfigReport' }
end

