From 1c099a6e44428ac343fdb3513e240072b10521a0 Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Mon, 17 Jan 2022 13:04:07 -0500
Subject: [PATCH] use safe_load when using Psych >= 3.1 see related https://github.com/sparklemotion/http-cookie/pull/34
---
 lib/mechanize/cookie_jar.rb | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/lib/mechanize/cookie_jar.rb b/lib/mechanize/cookie_jar.rb
index 64a325b9..82bd942b 100644
--- a/lib/mechanize/cookie_jar.rb
+++ b/lib/mechanize/cookie_jar.rb
@@ -149,7 +149,7 @@ def load(input, *options)
 return super(input, opthash) if opthash[:format] != :yaml

 begin
- data = YAML.load(input) # rubocop:disable Security/YAMLLoad
+ data = load_yaml(input)
 rescue ArgumentError
 @logger.warn "unloadable YAML cookie data discarded" if @logger
 return self
@@ -174,6 +174,18 @@ def load(input, *options)
 return self
 end
 end
+
+ private
+
+ if YAML.name == "Psych" && Gem::Requirement.new(">= 3.1").satisfied_by?(Gem::Version.new(Psych::VERSION))
+ def load_yaml(yaml)
+ YAML.safe_load(yaml, aliases: true, permitted_classes: ["Mechanize::Cookie", "Time"])
+ end
+ else
+ def load_yaml(yaml)
+ YAML.load(yaml) # rubocop:disable Security/YAMLLoad
+ end
+ end
 end

 class ::HTTP::CookieJar
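Review bot: The `rescue ArgumentError` that follows `data = load_yaml(input)` does not cover what `YAML.safe_load` raises for rejected input. `Psych::DisallowedClass` descends from `Psych::Exception`, not `ArgumentError`, so a cookie file that names a class outside the permit list will propagate an exception out of `load` instead of taking the "unloadable YAML cookie data discarded" path. If discarding is the intended outcome, widen the clause to `rescue ArgumentError, Psych::DisallowedClass`. The body of `load` starts and ends outside this hunk, so any handling further down is not visible here.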
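Review bot: The `else` branch of the new `load_yaml` definition still calls `YAML.load(yaml)`, so with Psych older than 3.1 a cookie-jar file can still instantiate arbitrary classes and nothing signals that the unsafe path is in use. Psych releases before 3.1 already provide `safe_load` with positional arguments, so the fallback could probably be `YAML.safe_load(yaml, ["Mechanize::Cookie", "Time"], [], true)`; confirm this against the oldest Psych the gem supports. A comment above the `if`, for example `# Psych >= 3.1 accepts keyword arguments to safe_load; older versions need the positional form`, would record why two definitions exist.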