path: root/lib/psych.rb
Age | Commit message | Author
2021-05-21 | Merge pull request #495 from Shopify/safe-dump (HEAD, master) | Aaron Patterson
Implement YAML.safe_dump to make safe_load more usable.
2021-05-19 | Implement YAML.safe_dump to make safe_load more usable. | Jean Boussier
In cases where Psych is used as a two-way serializer, e.g. to serialize some cache or config, it is preferable to have the same restrictions on both load and dump. Otherwise you might dump and persist some object payloads that you later won't be able to read.
2021-05-17 | Make YAML.load_file use YAML.load instead of safe_load | Yusuke Endoh
YAML.load and YAML.safe_load differ a little: the former allows Symbol by default but the latter doesn't. So YAML.load_file and YAML.safe_load_file should reflect the difference. Fixes #490
2021-05-13 | remove deprecated interface | Aaron Patterson
2021-05-13 | Use Psych.safe_load by default | Aaron Patterson
Psych.load is not safe for use with untrusted data. Too many applications make the mistake of using `Psych.load` with untrusted data and that ends up with some kind of security vulnerability. This commit changes the default `Psych.load` to use `safe_load`. Users that want to parse trusted data can use Psych.unsafe_load.
2021-05-13 | Introduce `Psych.unsafe_load` | Aaron Patterson
In future versions of Psych, the `load` method will be mostly the same as the `safe_load` method. In other words, the `load` method won't allow arbitrary object deserialization (which can be used to escalate to an RCE). People that need to load *trusted* documents can use the `unsafe_load` method. This commit introduces the `unsafe_load` method so that people can incrementally upgrade. For example, if they try to upgrade to 4.0.0 and something breaks, they can downgrade, audit callsites, change to `safe_load` or `unsafe_load` as required, and then upgrade to 4.0.0 smoothly.
2020-12-23 | [ruby/psych] Make Ractor-ready. | Marc-Andre Lafortune
Config is Ractor-local. Benchmarking reveals that using `Ractor.local_storage` for storing cache is similar to accessing a constant (~15% slower).
2020-12-23 | [ruby/psych] Don't use instance variables directly for config | Marc-Andre Lafortune
2020-12-23 | [ruby/psych] Freeze constants. | Marc-Andre Lafortune
Improves Ractor-readiness.
2020-12-14 | Merge pull request #459 from tbrisker/patch-1 | Hiroshi SHIBATA
Remove unneeded assignment and condition
2020-11-12 | Add `Psych.safe_load_file`. Tweak doc to provide `safe_` examples. | Marc-Andre Lafortune
2020-09-10 | Forward keyword arguments in load_file and load_stream | Jean Boussier
2020-08-01 | Remove unneeded assignment and condition | Tomer Brisker
Since we already `return fallback` if `result` is falsy, we don't need to check again if it's truthy and reassign the `to_ruby` result.
2019-11-28 | Implement a freeze load option | Jean Boussier
2019-11-28 | Refactor `symbolize_names` | Jean Boussier
2019-10-17 | Add a note about safe_load | Aaron Patterson
2019-07-21 | Drop to support fat gem support. | Hiroshi SHIBATA
ref. https://github.com/ruby/bigdecimal/pull/149
2018-11-23 | Add uplevel to deprecation warning of Psych | Koichi ITO
This is porting ruby/ruby#1992 to upstream.

This PR adds `uplevel` to the deprecation warning of Psych. The `uplevel` option was introduced in Ruby 2.5. ruby/psych needs to support Ruby 2.4 or lower. This PR has a `warn_with_uplevel` method emulating `warn 'message', uplevel: 1` in Ruby 2.4 or lower. And this PR relaxes the warning. https://github.com/ruby/ruby/pull/1992#discussion_r227214370

## Summary

The deprecation warning log was added in the following commit.
https://github.com/ruby/ruby/commit/1c92766bf0b7394057c00f576fce5464a3037fd9

The following is the deprecation warning log change.

### Example code

```console
% cat /tmp/psych_example.rb
require 'psych'
Psych.load("--- foo\n", nil)
```

### Before

```console
% ruby -v
ruby 2.6.0dev (2018-10-21 trunk 65252) [x86_64-darwin17]
% ruby /tmp/psych_example.rb
warning: Passing filename with the 2nd argument of Psych.load is deprecated. Use keyword argument like Psych.load(yaml, filename: ...) instead.
```

### After

This patch helps detect argument locations that are deprecated usage.

```console
% cd /path/to/ruby/repo
% make install
% /usr/local/bin/ruby /tmp/psych_example.rb
/tmp/psych_example.rb:3: warning: Passing filename with the 2nd argument of Psych.load is deprecated. Use keyword argument like Psych.load(yaml, filename: ...) instead.
```

## Other Information

This log format refers to the deprecation warning of `ERB.new` in Ruby 2.6+.
https://github.com/ruby/ruby/blob/v2_6_0_preview2/lib/erb.rb#L808
2018-11-10 | Use friendlier terminology in YAML.safe_load | Juanito Fatas
Replace keyword arguments whitelist_classes and whitelist_symbols with permitted_classes and permitted_symbols.
2018-10-13 | Use secure connection for pyyaml.org | Espartaco Palma
2018-09-19 | use newer style of JRuby ext loading when available | kares
to be available since JRuby 9.2.1, avoids Java self-reflecting
Signed-off-by: Charles Oliver Nutter <headius@headius.com>
2018-07-15 | Adding deprecation warnings to Psych unified interface | Greg Houle
2018-07-13 | unifying interface of Psych | Greg Houle
2018-04-24 | Add docs for fallback keyword argument of Psych.load | Marcus Stollsteimer
2018-04-24 | Fix fallback argument for Psych.load | Marcus Stollsteimer
This allows calling Psych.load with a fallback argument, similar to Psych.load_file. Before, for Psych.load this caused a "NoMethodError: undefined method `to_ruby'".
2018-03-02 | Document #dump options | zverok
2017-12-19 | Add more test cases for fallback of Psych.load_file | Marcus Stollsteimer
Add more test cases for the fallback keyword argument of Psych.load_file; additionally, fix an error in the docs.
2017-12-19 | Merge pull request #342 from stomar/fallback-keyword | SHIBATA Hiroshi
Convert fallback option to a keyword argument
2017-12-02 | Convert fallback option to a keyword argument | Marcus Stollsteimer
Converting the optional fallback argument to a keyword argument fixes a problem that is caused by mixing optional arguments and optional keyword arguments. Without this change, a hash as fallback value is not handled correctly: in Psych.load("", nil, {}) the hash is not interpreted as the fallback value, and the default value for the fallback argument is used instead.
2017-12-01 | Improve docs for Psych.safe_load | Marcus Stollsteimer
Mention filename argument and symbolize_names keyword argument.
2017-11-30 | Add :symbolize_names option to .safe_load too | Takashi Kokubun
related to #333
2017-11-28 | Document symbolize_names keyword argument of Psych.load | Marcus Stollsteimer
2017-11-25 | Add :symbolize_names option to Psych.load | Takashi Kokubun
like JSON.parse.
2017-09-21 | Fixup Recorder example documentation | Pete Kinnecom
2017-07-12 | Fixed path for mingw binary | SHIBATA Hiroshi
2017-07-12 | Added cross compilation task for mingw platform | SHIBATA Hiroshi
2017-06-19 | make frozen_string_literal: true | SHIBATA Hiroshi
2017-03-27 | Remove to_yaml_propaties | SHIBATA Hiroshi
2016-11-18 | Unify Psych version constants to psych/versions.rb. | SHIBATA Hiroshi
2016-11-17 | fix version constant | Aaron Patterson
2016-09-07 | bump version to 2.1.1 | SHIBATA Hiroshi
2016-06-24 | bump version to 2.1.0 | SHIBATA Hiroshi
2016-06-24 | Merge pull request #264 from tuexss/load_file-default | Aaron Patterson
Add optional fallback return value parameter
2016-02-23 | Temporarily disabled frozen literal string. | SHIBATA Hiroshi
ref. https://github.com/ruby/ruby/commit/3e92b635fb5422207b7bbdc924e292e51e21f040
2016-01-08 | Add optional fallback return value parameter | tuexss
2015-12-22 | bump version to 2.0.17 | SHIBATA Hiroshi
2015-12-07 | updating psych to 2.0.16 | Aaron Patterson
2015-08-21 | bumping version | Aaron Patterson
2015-05-27 | bumping version | Aaron Patterson
2015-05-05 | bumping to 2.0.14.pre1 | Aaron Patterson