New rubocop security checks #5768
Rubocop 47 adds new security cops that trigger warnings to Jekyll's code:
Q: There is no autocorrect for this cop. Should we ignore this for now or use
```
features/step_definitions.rb:103:22: C: Security/YAMLLoad: Prefer using YAML.safe_load over YAML.load.
        config[key] = YAML.load(value)
                      ^^^^
test/test_configuration.rb:320:31: C: Security/YAMLLoad: Prefer using YAML.safe_load over YAML.load.
    assert_equal :foo, YAML.load(":foo")
                       ^^^^
```
Q: Rubocop autocorrect will replace
```
Error:
TestConfiguration#test_: loading configuration should not clobber YAML.load to the dismay of other libraries. :
Psych::DisallowedClass: Tried to load unspecified class: Symbol
```
This PR adds configuration rules to ignore these cops for the concerned files for now; any insight is welcome on the best way to handle these security warnings.
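As an added example (not code from this PR or from Jekyll), the block below shows what the `Security/YAMLLoad` cop is steering toward and why the autocorrected test fails: `YAML.safe_load` refuses the `:foo` document with the `Psych::DisallowedClass` error quoted above, and it likewise refuses a document tagged with an arbitrary Ruby class. The narrow fix is to permit exactly the extra classes the input is expected to contain (here `Symbol`) rather than to fall back to `YAML.load`. The sample documents, the `SomeClass` tag and the helper names are constructed for this example.

```ruby
require "yaml"

# Constructed sample: the same value the Jekyll test above feeds to YAML.load.
SYMBOL_YAML = ":foo"

# Constructed sample: a document carrying a Ruby object tag. safe_load will not
# revive it unless the named class is explicitly permitted.
TAGGED_YAML = "--- !ruby/object:SomeClass\nname: x\n"

# Constructed sample: plain data (strings, integers, arrays, hashes) that the
# default safe_load allow-list accepts without any extra configuration.
PLAIN_YAML = "title: Site\nexclude: [Gemfile, vendor]\nport: 4000\n"

# Load YAML with the default safe_load allow-list.
# Returns [:ok, value] on success or [:rejected, message] when Psych refuses
# to instantiate a class that is not on the allow-list.
def strict_load(yaml)
  [:ok, YAML.safe_load(yaml)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

# Load YAML while permitting Symbol in addition to the defaults. This is the
# smallest change that makes `YAML.safe_load(":foo")` return :foo, without
# re-enabling arbitrary object instantiation.
def load_with_symbols(yaml)
  YAML.safe_load(yaml, permitted_classes: [Symbol])
end

if $PROGRAM_NAME == __FILE__
  p strict_load(SYMBOL_YAML)      # [:rejected, "Tried to load unspecified class: Symbol"]
  p strict_load(TAGGED_YAML)      # [:rejected, "Tried to load unspecified class: SomeClass"]
  p strict_load(PLAIN_YAML)       # [:ok, {"title"=>"Site", ...}]
  p load_with_symbols(SYMBOL_YAML) # :foo
end
```

`permitted_classes:` is the keyword form available since Psych 3.1 (Ruby 2.6); on older Psych the same allow-list is passed positionally as the second argument.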
Let's fix these up. I use Marshal.load in one test helper to ensure I'm allocated a new object (for config defaults) and I think it's used to load the .jekyll-metadata file. We should really use msgpack for the .jekyll-metadata file and we could probably use it for the tests, too.
Safe to ignore YAML.load calls in the tests going forward.