class RuboCop::Cop::Security::YAMLLoad

YAML.dump(foo)
YAML.load(“— !ruby/object:Foo {}”, permitted_classes: [Foo]) # Ruby 3.1+ (Psych 4)
YAML.safe_load(“— !ruby/object:Foo {}”, permitted_classes: [Foo]) # Ruby 3.0- (Psych 3)
YAML.safe_load(“— !ruby/object:Foo {}”, [Foo]) # Ruby 2.5 (Psych 3)
# good
YAML.load(“— !ruby/object:Foo {}”) # Psych 3 is unsafe by default
# bad
@example
in the YAML payload, since ‘YAML.safe_load` is more restrictive.
The behavior of the code might change depending on what was
@safety
NOTE: Ruby 3.1+ (Psych 4) uses `Psych.load` as `Psych.safe_load` by default.
loading from an untrusted source.
potential security issues leading to remote code execution when
Checks for the use of YAML class methods which have

def on_send(node)

def on_send(node)
  return if target_ruby_version >= 3.1
  yaml_load(node) do
    add_offense(node.loc.selector) do |corrector|
      corrector.replace(node.loc.selector, 'safe_load')
    end
  end
end

class RuboCop::Cop::Security::YAMLLoad

def on_send(node)

Namespace

Parent class

Extended Modules

Instance Methods

Defined in