yaml.safeLoad()

[peterbe]

yaml.load() is insecure and dangerous. (first google result)
We should be using yaml.safeLoad().

[peterbe]

I don't know much about it but mdify uses yaml.safeLoad.

[peterbe]

I tried to write a quick patch but I noticed that one of the examples uses un-"safe" YAML which would break if you use yaml.safeLoad().
So I guess it would need to be something like this:

fm(payload, { yaml: 'unsafe' })

if you need to support unsafe Yaml parsing.

[jxson]

I don't mind changing the example to make the code more secure. If you submit a PR I will publish it as a new major version to prevent breaking folks who relied on the old functionality.

I like your idea of passing in an option to toggle safe/unsafe and defaulting to safe parsing.

[ajinabraham]

This is a widely used library. If it is not required, please switch to safeLoad() otherwise warn people not to run fm with untrusted user input.

A PoC
example.md

---
toString: !<tag:yaml.org,2002:js/function>"function(){console.log(1)}"
description: Nothing to see here 
---

test.js

var fs = require('fs')
  , fm = require('front-matter')

fs.readFile('./example.md', 'utf8', function(err, data){
  if (err) throw err
  var content = fm(data)
  var x = content.attributes + 'Hello';
})

$ node test.js
1

[jxson]

@ajinabraham ACK, I think the PR from @peterbe will cover your asks.

[ajinabraham]

PR looks good to me 👍