New rubocop security checks #5768

Merged
merged 2 commits into jekyll:master from DirtyF:rubocop-47 on Jan 16, 2017

DirtyF (Member) commented Jan 16, 2017

Rubocop 47 adds new security cops that trigger warnings in Jekyll's code:

  1. Avoid using Marshal.load or Marshal.restore due to potential security issues.

Q: There is no autocorrect for this cop. Should we ignore this for now or use Marshal.dump or another method?

  2. Prefer usage of YAML.safe_load over YAML.load due to potential security issues.
features/step_definitions.rb:103:22: C: Security/YAMLLoad: Prefer using YAML.safe_load over YAML.load.
  config[key] = YAML.load(value)
                     ^^^^
test/test_configuration.rb:320:31: C: Security/YAMLLoad: Prefer using YAML.safe_load over YAML.load.
      assert_equal :foo, YAML.load(":foo")

Q: Rubocop autocorrect will replace YAML.load with YAML.safe_load, but that does trigger a failed test.

Error:
TestConfiguration#test_: loading configuration should not clobber YAML.load to the dismay of other libraries. :
Psych::DisallowedClass: Tried to load unspecified class: Symbol

This PR adds configuration rules to ignore these cops for the concerned files for now; any insight is welcome on the best way to handle these security warnings.

/cc @jekyll/core
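The Psych::DisallowedClass failure quoted above is YAML.safe_load doing its job: it refuses to instantiate any class that was not explicitly permitted, and ":foo" resolves to a Ruby Symbol. The following is an added example, not code from the Jekyll repository, showing the strict loader beside one that permits only Symbol, which is all the failing test needs; the SAMPLES hash is constructed input.

```ruby
require "yaml"

# Strict loader: YAML.safe_load only builds scalars, Arrays and Hashes.
# A document that resolves to any other Ruby class (":foo" is a Symbol,
# "2017-01-16" is a Date) raises Psych::DisallowedClass instead of
# instantiating it.
def load_strict(text)
  YAML.safe_load(text)
end

# Strict loader that additionally permits Symbol, the one class the failing
# `assert_equal :foo, YAML.load(":foo")` test needs. Everything else a document
# names is still rejected.
def load_with_symbols(text)
  YAML.safe_load(text, permitted_classes: [Symbol])
end

# Run a loader and report [:ok, value] or [:rejected, error_class] so the two
# loaders can be compared over the same inputs without aborting the run.
def try_load(text, loader)
  [:ok, loader.call(text)]
rescue Psych::DisallowedClass => e
  [:rejected, e.class]
end

# Constructed sample documents of the kind a config step or test might hand to
# the loader (not taken from the Jekyll repository).
SAMPLES = {
  "symbol"  => ":foo",
  "integer" => "42",
  "list"    => "[a, b, c]",
  "mapping" => "{title: Site, show_drafts: true}",
  "date"    => "2017-01-16",
}.freeze

# Load every sample with both loaders and return the outcomes keyed by name.
def compare_loaders
  SAMPLES.transform_values do |text|
    {
      strict:  try_load(text, method(:load_strict)),
      symbols: try_load(text, method(:load_with_symbols)),
    }
  end
end

if $PROGRAM_NAME == __FILE__
  compare_loaders.each do |name, outcome|
    puts "#{name}: strict=#{outcome[:strict].inspect} symbols=#{outcome[:symbols].inspect}"
  end
end
```

The "date" sample is the useful edge case: adding Symbol to permitted_classes does not loosen anything else, so a value that parses as a Date is still rejected by both loaders and the test suite keeps a deny-by-default posture.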

@DirtyF DirtyF added the tests label Jan 16, 2017

parkr approved these changes Jan 16, 2017

Let's fix these up. I use Marshal.load in one test helper to ensure I'm allocated a new object (for config defaults) and I think it's used to load the .jekyll-metadata file. We should really use msgpack for the .jekyll-metadata file and we could probably use it for the tests, too.

Safe to ignore YAML.load calls in the tests going forward.
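The test-helper use described above is the Marshal.load(Marshal.dump(obj)) deep-copy idiom. The same call rebuilds whatever object graph a byte stream describes, which is why the cop flags it; for config defaults a structural copy gives the same fresh object without that property. The following is an added example, not Jekyll's code or the helper mentioned here, and DEFAULTS is a constructed stand-in for the real defaults table.

```ruby
# Recursively copy Hashes, Arrays and Strings. Other values reachable from a
# config table (Integer, Float, true/false, nil, Symbol) are immutable in Ruby
# and are safe to share between the original and the copy.
def deep_copy(value)
  case value
  when Hash   then value.each_with_object({}) { |(k, v), h| h[deep_copy(k)] = deep_copy(v) }
  when Array  then value.map { |v| deep_copy(v) }
  when String then value.dup
  else value
  end
end

# Constructed stand-in for a frozen defaults table (not Jekyll's real DEFAULTS).
# Note that `freeze` is shallow: the nested Array and Hash remain mutable.
DEFAULTS = {
  "source"      => ".",
  "exclude"     => ["Gemfile", "node_modules"],
  "collections" => { "posts" => { "output" => true } },
}.freeze

# What the Marshal round-trip was giving the test helper: a fresh object graph
# that a test can mutate without touching DEFAULTS.
def fresh_defaults
  deep_copy(DEFAULTS)
end

# Hash#dup is not enough: the copy shares every nested object with the original,
# so mutating copy["exclude"] would corrupt the defaults for every later test.
def shallow_copy_shares_nested?
  DEFAULTS.dup["exclude"].equal?(DEFAULTS["exclude"])
end

# Mutate a deep copy and confirm the defaults table is untouched.
def deep_copy_isolates_mutation?
  copy = fresh_defaults
  copy["exclude"] << "vendor"
  copy["collections"]["posts"]["output"] = false
  DEFAULTS["exclude"] == ["Gemfile", "node_modules"] &&
    DEFAULTS["collections"]["posts"]["output"] == true &&
    copy != DEFAULTS
end

if $PROGRAM_NAME == __FILE__
  puts "shallow dup shares nested objects: #{shallow_copy_shares_nested?}"
  puts "deep copy isolates mutation:       #{deep_copy_isolates_mutation?}"
end
```

This covers the defaults case only; the .jekyll-metadata file is a serialization problem rather than a copying one, which is where the msgpack suggestion above comes in.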


parkr (Member) commented Jan 16, 2017

@jekyllbot: merge +dev

@jekyllbot jekyllbot merged commit 750fb32 into jekyll:master Jan 16, 2017

2 checks passed

continuous-integration/appveyor/pr: AppVeyor build succeeded
continuous-integration/travis-ci/pr: The Travis CI build passed

jekyllbot added a commit that referenced this pull request Jan 16, 2017

@DirtyF DirtyF deleted the DirtyF:rubocop-47 branch Jan 16, 2017
