Document the fact that ParseYaml middleware is unsafe

We can't just switch to `YAML.safe_load()` ourselves since that would break backwards compatibility. For instance, `safe_load` returns nil for empty yaml documents where `load` returns `false`. Also, `safe_load` will refuse to parse Symbol keys since DoS attacks targeting symbols are a real thread. Finally, not every Ruby version has a Psych that supports `safe_laod`. ruby/psych#119 (comment) Fixes #92
lostisland · Jul 7, 2015 · 179d097 · 179d097
1 parent bcc9f9b
commit 179d097
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/lib/faraday_middleware/response/parse_yaml.rb b/lib/faraday_middleware/response/parse_yaml.rb
@@ -2,6 +2,23 @@
 
 module FaradayMiddleware
   # Public: Parse response bodies as YAML.
+  #
+  # Warning: this uses `YAML.load()` by default and as such is not safe against
+  # code injection or DoS attacks. If you're loading resources from an
+  # untrusted host or over HTTP, you should subclass this middleware and
+  # redefine it to use `safe_load()` if you're using a Psych version that
+  # supports it:
+  #
+  #     class SafeYaml < FaradayMiddleware::ParseYaml
+  #       define_parser do |body|
+  #         YAML.safe_load(body)
+  #       end
+  #     end
+  #
+  #     Faraday.new(..) do |config|
+  #       config.use SafeYaml
+  #       ...
+  #     end
   class ParseYaml < ResponseMiddleware
     dependency 'yaml'