Merge pull request #1385 from MSP-Greg/psych-4

Config.read_config_file - use safe_load_file if available
lsegal · Jun 1, 2022 · 4c0c9c8 · 4c0c9c8
2 parents a80a728 + 285278b
commit 4c0c9c8
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/lib/yard/config.rb b/lib/yard/config.rb
@@ -236,7 +236,11 @@ def self.translate_plugin_names
     def self.read_config_file
       if File.file?(CONFIG_FILE)
         require 'yaml'
-        YAML.load_file(CONFIG_FILE)
+        if YAML.respond_to?(:safe_load_file)
+          YAML.safe_load_file(CONFIG_FILE, permitted_classes: [SymbolHash, Symbol])
+        else
+          YAML.load_file(CONFIG_FILE)
+        end
       else
         {}
       end

diff --git a/spec/config_spec.rb b/spec/config_spec.rb
@@ -17,7 +17,13 @@
     it "overwrites options with data in ~/.yard/config" do
       expect(File).to receive(:file?).with(YARD::Config::CONFIG_FILE).and_return(true)
       expect(File).to receive(:file?).with(YARD::Config::IGNORED_PLUGINS).and_return(false)
-      expect(YAML).to receive(:load_file).with(YARD::Config::CONFIG_FILE).and_return('test' => true)
+      if YAML.respond_to?(:safe_load_file)
+        expect(YAML).to receive(:safe_load_file)
+          .with(YARD::Config::CONFIG_FILE, permitted_classes: [SymbolHash, Symbol])
+          .and_return('test' => true)
+      else
+        expect(YAML).to receive(:load_file).with(YARD::Config::CONFIG_FILE).and_return('test' => true)
+      end
       YARD::Config.load
       expect(YARD::Config.options[:test]).to be true
     end