Commit
There's a vulnerability in `YAML.load` which can enable arbitrary code to be run. `YAML.safe_load` does not deserialize unsafe classes.

Related reading:

* http://blog.codeclimate.com/blog/2013/01/10/rails-remote-code-execution-vulnerability-explained/
* ruby/psych#119
* http://docs.ruby-lang.org/en/2.1.0/Psych.html#method-c-safe_load

While Rubocop is generally run locally, it could be used in server-side, hosted environments. I can't think of a downside to using the `safe_load` version.

This change is intended to maintain backwards compatibility with Ruby versions that appear to be supported by Rubocop (judging by the `.travis.yml` file). `Regexp` needs to be whitelisted.
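The following is an added illustration of the point the commit message makes, not code from the commit or from RuboCop. It loads two constructed YAML documents through `YAML.safe_load` with `Regexp` whitelisted: a config-style document carrying a `!ruby/regexp` value is accepted, while a document that tries to instantiate an arbitrary class via `!ruby/object:` is refused with `Psych::DisallowedClass` before the class is even resolved. The `load_yaml_safely` helper is an assumption about how to stay compatible across Psych versions: older Psych takes the class whitelist as a positional argument, newer Psych (3.1 and later) takes `permitted_classes:` as a keyword, so the helper inspects the method's parameters and picks whichever form the installed Psych accepts. The class name `SomeAppClass` is a placeholder and does not need to exist.

```ruby
require 'yaml'

# Constructed sample: a config-style document whose only non-primitive value
# is a Regexp, the one class the commit message says must be whitelisted.
TRUSTED_DOC = <<~'YAML'
  Exclude:
    - !ruby/regexp /\.erb$/
  MaxLineLength: 80
YAML

# Constructed sample: a document that asks the loader to build an arbitrary
# Ruby object. `SomeAppClass` is a placeholder name; the restricted loader
# rejects the tag before it ever tries to resolve the constant.
UNTRUSTED_DOC = <<~'YAML'
  payload: !ruby/object:SomeAppClass
    table: {}
YAML

# Load YAML allowing only the listed classes, using whichever safe_load
# signature the installed Psych offers (assumption: positional whitelist on
# older Psych, `permitted_classes:` keyword on Psych >= 3.1).
def load_yaml_safely(yaml_source, permitted_classes: [Regexp])
  takes_keyword = YAML.method(:safe_load).parameters.any? do |kind, name|
    kind == :key && name == :permitted_classes
  end

  if takes_keyword
    YAML.safe_load(yaml_source, permitted_classes: permitted_classes)
  else
    YAML.safe_load(yaml_source, permitted_classes)
  end
end

# Wrap the load so callers get a tagged result instead of an exception:
# [:ok, data] for documents within the whitelist, [:rejected, message] when
# Psych refuses a class that was not explicitly permitted.
def load_or_reject(yaml_source, permitted_classes: [Regexp])
  [:ok, load_yaml_safely(yaml_source, permitted_classes: permitted_classes)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  p load_or_reject(TRUSTED_DOC)
  p load_or_reject(UNTRUSTED_DOC)
  # With an empty whitelist even the Regexp is refused, which is why the
  # commit has to add Regexp explicitly.
  p load_or_reject(TRUSTED_DOC, permitted_classes: [])
end
```

The same document that `safe_load` rejects would be handed to `YAML.load` without complaint, so the difference in behaviour is entirely in which loader the application calls; whitelisting exactly the classes a config file legitimately needs (here only `Regexp`) keeps the attack surface to those classes.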