
New rubocop security checks #5768

Merged
merged 2 commits into from Jan 16, 2017

Conversation

@DirtyF DirtyF commented Jan 16, 2017

Rubocop 47 adds new security cops that trigger warnings to Jekyll's code:

  1. Avoid using of Marshal.load or Marshal.restore due to potential security issues.

Q: There is no autocorrect for this cop. Should we ignore this for now or use Marshal.dump or another method?

  2. Prefer usage of YAML.safe_load over YAML.load due to potential security issues.
features/step_definitions.rb:103:22: C: Security/YAMLLoad: Prefer using YAML.safe_load over YAML.load.
  config[key] = YAML.load(value)
                     ^^^^
test/test_configuration.rb:320:31: C: Security/YAMLLoad: Prefer using YAML.safe_load over YAML.load.
      assert_equal :foo, YAML.load(":foo")

Q: Rubocop autocorrect will replace YAML.load with YAML.safe_load, but that triggers a failed test.

Error:
TestConfiguration#test_: loading configuration should not clobber YAML.load to the dismay of other libraries. :
Psych::DisallowedClass: Tried to load unspecified class: Symbol

This PR adds configuration rules to ignore these cops for the concerned files for now; any insight is welcome on the best way to handle these security warnings.

/cc @jekyll/core
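The failing assertion from the description and the narrowest fix for it, as an added Ruby example that is not part of this PR or of Jekyll's code; the three sample documents are constructed, and the `try_safe_load` / `load_with_symbols` helpers are hypothetical names:

```ruby
require 'yaml'

# Constructed sample documents (not from the PR). SYMBOL_DOC mirrors the
# assertion that fails after the autocorrect; OBJECT_DOC carries a Ruby
# object tag, the kind of input that made the unrestricted loader risky.
PLAIN_DOC  = "title: Example\ntags:\n  - a\n  - b\n"
SYMBOL_DOC = ":foo"
OBJECT_DOC = "--- !ruby/object:OpenStruct\ntable:\n  x: 1\n"

# Parse with YAML.safe_load and report the outcome instead of raising, so a
# caller can see exactly which documents the allow-list rejects and why.
def try_safe_load(doc, permitted_classes: [], permitted_symbols: [])
  value = YAML.safe_load(doc,
                         permitted_classes: permitted_classes,
                         permitted_symbols: permitted_symbols)
  { value: value, error: nil }
rescue Psych::DisallowedClass => e
  # e.g. "Tried to load unspecified class: Symbol", as in the PR's test output
  { value: nil, error: e.message }
end

# Minimal change that keeps the PR's test green without reverting to the
# unrestricted loader: permit Symbol, and optionally only the named symbols.
# (Psych requires Symbol in permitted_classes even when permitted_symbols
# is given; permitted_symbols alone still raises DisallowedClass.)
def load_with_symbols(doc, only: [])
  YAML.safe_load(doc, permitted_classes: [Symbol], permitted_symbols: only)
end
```

Psych 4 (Ruby 3.1 and later) turns YAML.load itself into a restricted loader that permits Symbol by default and moves the legacy behaviour to YAML.unsafe_load, so the cop's rewrite and this allow-list converge on the same result there.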

@DirtyF DirtyF added the tests label Jan 16, 2017
@parkr parkr left a comment

Let's fix these up. I use Marshal.load in one test helper to ensure I'm allocated a new object (for config defaults) and I think it's used to load the .jekyll-metadata file. We should really use msgpack for the .jekyll-metadata file and we could probably use it for the tests, too.

Safe to ignore YAML.load calls in the tests going forward.

parkr commented Jan 16, 2017

@jekyllbot: merge +dev

@jekyllbot jekyllbot merged commit 750fb32 into jekyll:master Jan 16, 2017
jekyllbot added a commit that referenced this pull request Jan 16, 2017
@DirtyF DirtyF deleted the rubocop-47 branch January 16, 2017 22:14
@jekyll jekyll locked and limited conversation to collaborators Jul 11, 2019