author | Aaron Patterson <tenderlove@ruby-lang.org> | 2021-05-10 09:50:06 -0700 |
---|---|---|
committer | Aaron Patterson <tenderlove@ruby-lang.org> | 2021-05-13 09:36:23 -0700 |
commit | cb50aa8d3fb8be01897becff77b4922b12a0ab4c (patch) | |
tree | 400c2acb636fe2e4f0a56920165648f28132a9cd /test/psych/test_merge_keys.rb | |
parent | 64bee7e2dee741a9f64e5c1b2122c07ef3e6c81a (diff) | |
Introduce `Psych.unsafe_load`
In future versions of Psych, the `load` method will be mostly the same
as the `safe_load` method. In other words, the `load` method won't
allow arbitrary object deserialization (which can be used to escalate to
an RCE). People that need to load *trusted* documents can use the
`unsafe_load` method.
This commit introduces the `unsafe_load` method so that people can
incrementally upgrade. For example, if they try to upgrade to 4.0.0 and
something breaks, they can downgrade, audit callsites, change to
`safe_load` or `unsafe_load` as required, and then upgrade to 4.0.0
smoothly.
Diffstat (limited to 'test/psych/test_merge_keys.rb')
-rw-r--r-- | test/psych/test_merge_keys.rb | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/test/psych/test_merge_keys.rb b/test/psych/test_merge_keys.rb
index 24f2d62..dcf4f1f 100644
--- a/test/psych/test_merge_keys.rb
+++ b/test/psych/test_merge_keys.rb
@@ -34,7 +34,7 @@ map:
end
def test_explicit_string
- doc = Psych.load <<-eoyml
+ doc = Psych.unsafe_load <<-eoyml
a: &me { hello: world }
b: { !!str '<<': *me }
eoyml
@@ -55,7 +55,7 @@ product: !ruby/object:#{Product.name}
<<: *foo
eoyml
- hash = Psych.load s
+ hash = Psych.unsafe_load s
assert_equal({"bar" => 10}, hash["foo"])
product = hash["product"]
assert_equal 10, product.bar
@@ -67,7 +67,7 @@ defaults: &defaults
development:
<<: *defaults
eoyml
- assert_equal({'<<' => nil }, Psych.load(yaml)['development'])
+ assert_equal({'<<' => nil }, Psych.unsafe_load(yaml)['development'])
end
def test_merge_array
@@ -77,7 +77,7 @@ foo: &hello
baz:
<<: *hello
eoyml
- assert_equal({'<<' => [1]}, Psych.load(yaml)['baz'])
+ assert_equal({'<<' => [1]}, Psych.unsafe_load(yaml)['baz'])
end
def test_merge_is_not_partial
@@ -89,9 +89,9 @@ foo: &hello
baz:
<<: [*hello, *default]
eoyml
- doc = Psych.load yaml
+ doc = Psych.unsafe_load yaml
refute doc['baz'].key? 'hello'
- assert_equal({'<<' => [[1], {"hello"=>"world"}]}, Psych.load(yaml)['baz'])
+ assert_equal({'<<' => [[1], {"hello"=>"world"}]}, Psych.unsafe_load(yaml)['baz'])
end
def test_merge_seq_nil
@@ -100,7 +100,7 @@ foo: &hello
baz:
<<: [*hello]
eoyml
- assert_equal({'<<' => [nil]}, Psych.load(yaml)['baz'])
+ assert_equal({'<<' => [nil]}, Psych.unsafe_load(yaml)['baz'])
end
def test_bad_seq_merge
@@ -109,7 +109,7 @@ defaults: &defaults [1, 2, 3]
development:
<<: *defaults
eoyml
- assert_equal({'<<' => [1,2,3]}, Psych.load(yaml)['development'])
+ assert_equal({'<<' => [1,2,3]}, Psych.unsafe_load(yaml)['development'])
end
def test_missing_merge_key
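Review bot: Only the hunk at `@@ -55,7 +55,7 @@` (the `!ruby/object:#{Product.name}` document) actually needs arbitrary object deserialization; the other hunks in this file (`-34`, `-67`, `-77`, `-89`, `-100`, `-109`, and `-134`, `-159`, `-185` in the following run) only merge anchored plain scalars, sequences and hashes, yet they are moved to `Psych.unsafe_load` wholesale. That means the merge-key tests no longer exercise the restricted loader that the commit message says `load` is about to become, so a regression in `<<` handling under `safe_load` would go unnoticed. Since these documents rely on anchors and aliases, the restricted form would be e.g. `assert_equal({'<<' => nil }, Psych.safe_load(yaml, aliases: true)['development'])`; as far as I can tell the merge-key handling is shared by both loaders, so the existing expected values should hold, but that is worth confirming against the 4.0 behaviour before switching. Each enclosing test method and its `yaml = <<-eoyml` assignment start before the visible hunk lines.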
@@ -134,7 +134,7 @@ bar:
hash = { "foo" => { "hello" => "world"}, "bar" => { "hello" => "world", "baz" => "boo" } }
- assert_equal hash, Psych.load(yaml)
+ assert_equal hash, Psych.unsafe_load(yaml)
end
def test_multiple_maps
@@ -159,7 +159,7 @@ bar:
'label' => 'center/big' }
- assert_equal hash, Psych.load(yaml)[4]
+ assert_equal hash, Psych.unsafe_load(yaml)[4]
end
def test_override
@@ -185,7 +185,7 @@ bar:
'label' => 'center/big' }
- assert_equal hash, Psych.load(yaml)[4]
+ assert_equal hash, Psych.unsafe_load(yaml)[4]
end
end
end |