
Fix a false positive for Security/YamlLoad #10424

Merged


koic
Member

@koic koic commented Feb 17, 2022

This PR fixes a false positive for Security/YamlLoad when using Ruby 3.1+ (Psych 4).
And it also makes the examples a bit more specific.

Ruby 3.1+ (Psych 4) uses Psych.load as Psych.safe_load by default.
ruby/psych#487

We may consider removing this cop in the future, but not yet.


Before submitting the PR make sure the following are checked:

  • The PR relates to only one subject with a clear title and description in grammatically correct, complete sentences.
  • Wrote good commit messages.
  • Commit message starts with [Fix #issue-number] (if the related issue exists).
  • Feature branch is up-to-date with master (if not - rebase it).
  • Squashed related commits together.
  • Added tests.
  • Ran bundle exec rake default. It executes all tests and runs RuboCop on its own code.
  • Added an entry (file) to the changelog folder named {change_type}_{change_description}.md if the new code introduces user-observable changes. See changelog entry format for details.

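To make the version boundary the PR describes concrete, here is an added example (not RuboCop's own cop implementation, which uses an AST node pattern rather than a regex) that flags bare `YAML.load`/`Psych.load` calls only when the target Ruby is older than 3.1, and beside it the allow-list parsing that Psych 4 makes the default. The sample source and YAML documents are constructed for this example.

```ruby
require 'yaml'

# Regex approximation of the cop's match: a bare YAML.load / Psych.load call.
# Constructed for this example; the real cop matches the parsed AST instead.
UNSAFE_LOAD_CALL = /\b(YAML|Psych)\.load\b/

# Constructed sample source to scan (not from the original page).
SAMPLE_SOURCE = <<~RUBY
  config = YAML.load(File.read('config.yml'))
  data   = YAML.safe_load(payload, permitted_classes: [Symbol])
  obj    = Psych.load(payload)
RUBY

# Mirrors the PR's intent: on Ruby 3.1+ (Psych 4) `load` already behaves as
# `safe_load`, so there is nothing to report; on 3.0 and earlier every bare
# `load` of untrusted input can instantiate arbitrary Ruby objects.
def yaml_load_offenses(source, target_ruby_version:)
  return [] if target_ruby_version >= 3.1

  source.each_line.with_index(1).filter_map do |line, lineno|
    m = line.match(UNSAFE_LOAD_CALL)
    next unless m

    "#{lineno}: #{m[1]}.load is unsafe on Ruby < 3.1; use #{m[1]}.safe_load"
  end
end

# Runtime side of the same point: parse untrusted YAML with an explicit
# allow-list and no aliases, which is what Psych 4's `load` does by default.
# Returns nil instead of raising when the document uses a disallowed class
# or an alias, so callers get a clear "rejected" signal.
def load_untrusted_yaml(yaml, permitted: [Symbol])
  YAML.safe_load(yaml, permitted_classes: permitted, aliases: false)
rescue Psych::DisallowedClass, Psych::BadAlias
  nil
end
```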
@koic koic force-pushed the fix_a_false_positive_for_security_yaml_load branch from e89f7e2 to 0a8ad1b on February 17, 2022 17:11
@bbatsov bbatsov merged commit 4fa929d into rubocop:master Feb 20, 2022
@bbatsov
Collaborator

bbatsov commented Feb 20, 2022

> We may consider removing this cop in the future, but not yet.

Indeed.

@koic koic deleted the fix_a_false_positive_for_security_yaml_load branch February 21, 2022 01:44
koic added a commit that referenced this pull request Feb 29, 2024
Follow #10424.

Ruby 3.1+ (Psych 4) uses `Psych.load` as `Psych.safe_load` by default.
So, only Ruby 3.0 and earlier will be warned about using `YAML.load`.