Merge pull request #589 from sparklemotion/flavorjones-use-psych-safe…

…-load use safe_load when using Psych >= 3.1
sparklemotion · Jan 17, 2022 · ec9af73 · ec9af73
2 parents 4a0dfe5 + 1c099a6
commit ec9af73
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/lib/mechanize/cookie_jar.rb b/lib/mechanize/cookie_jar.rb
@@ -149,7 +149,7 @@ def load(input, *options)
       return super(input, opthash) if opthash[:format] != :yaml
 
       begin
-        data = YAML.load(input) # rubocop:disable Security/YAMLLoad
+        data = load_yaml(input)
       rescue ArgumentError
         @logger.warn "unloadable YAML cookie data discarded" if @logger
         return self
@@ -174,6 +174,18 @@ def load(input, *options)
         return self
       end
     end
+
+    private
+
+    if YAML.name == "Psych" && Gem::Requirement.new(">= 3.1").satisfied_by?(Gem::Version.new(Psych::VERSION))
+      def load_yaml(yaml)
+        YAML.safe_load(yaml, aliases: true, permitted_classes: ["Mechanize::Cookie", "Time"])
+      end
+    else
+      def load_yaml(yaml)
+        YAML.load(yaml) # rubocop:disable Security/YAMLLoad
+      end
+    end
   end
 
   class ::HTTP::CookieJar