author | Aaron Patterson <[email protected]> | 2021-05-10 09:50:06 -0700 |
committer | Hiroshi SHIBATA <[email protected]> | 2021-05-17 11:20:45 +0900 |
commit | c7c2ad5749f7f0767ef38be160f4b391228396c1 (patch) | |
tree | 38a9d1db4a3a5dd2f5efa3705c9f3be51ccadef5 /test/psych/test_hash.rb | |
parent | bcaa6aeceadd34eb6a0de1d55bf17ecb153a7916 (diff) |
[ruby/psych] Introduce `Psych.unsafe_load`
In future versions of Psych, the `load` method will be mostly the same
as the `safe_load` method. In other words, the `load` method won't
allow arbitrary object deserialization (which can be used to escalate to
an RCE). People who need to load *trusted* documents can use the
`unsafe_load` method.
This commit introduces the `unsafe_load` method so that people can
incrementally upgrade. For example, if they try to upgrade to 4.0.0 and
something breaks, they can downgrade, audit callsites, change to
`safe_load` or `unsafe_load` as required, and then upgrade to 4.0.0
smoothly.
https://github.com/ruby/psych/commit/cb50aa8d3f
Diffstat (limited to 'test/psych/test_hash.rb')
-rw-r--r-- | test/psych/test_hash.rb | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/test/psych/test_hash.rb b/test/psych/test_hash.rb
index 32ed7ec68c..5374781339 100644
--- a/test/psych/test_hash.rb
+++ b/test/psych/test_hash.rb
@@ -39,7 +39,7 @@ module Psych
     def test_hash_with_ivar
       t1 = HashWithIvar.new
       t1[:foo] = :bar
-      t2 = Psych.load(Psych.dump(t1))
+      t2 = Psych.unsafe_load(Psych.dump(t1))
       assert_equal t1, t2
       assert_cycle t1
     end
@@ -54,14 +54,14 @@ module Psych
     def test_custom_initialized
       a = [1,2,3,4,5]
       t1 = HashWithCustomInit.new(a)
-      t2 = Psych.load(Psych.dump(t1))
+      t2 = Psych.unsafe_load(Psych.dump(t1))
       assert_equal t1, t2
       assert_cycle t1
     end
 
     def test_custom_initialize_no_ivar
       t1 = HashWithCustomInitNoIvar.new(nil)
-      t2 = Psych.load(Psych.dump(t1))
+      t2 = Psych.unsafe_load(Psych.dump(t1))
       assert_equal t1, t2
       assert_cycle t1
     end
@@ -70,25 +70,25 @@ module Psych
       x = X.new
       x[:a] = 'b'
       x.instance_variable_set :@foo, 'bar'
-      dup = Psych.load Psych.dump x
+      dup = Psych.unsafe_load Psych.dump x
       assert_cycle x
       assert_equal 'bar', dup.instance_variable_get(:@foo)
       assert_equal X, dup.class
     end
 
     def test_load_with_class_syck_compatibility
-      hash = Psych.load "--- !ruby/object:Hash\n:user_id: 7\n:username: Lucas\n"
+      hash = Psych.unsafe_load "--- !ruby/object:Hash\n:user_id: 7\n:username: Lucas\n"
       assert_equal({ user_id: 7, username: 'Lucas'}, hash)
     end
 
     def test_empty_subclass
       assert_match "!ruby/hash:#{X}", Psych.dump(X.new)
-      x = Psych.load Psych.dump X.new
+      x = Psych.unsafe_load Psych.dump X.new
       assert_equal X, x.class
     end
 
     def test_map
-      x = Psych.load "--- !map:#{X} { }\n"
+      x = Psych.unsafe_load "--- !map:#{X} { }\n"
       assert_equal X, x.class
     end
 
@@ -102,7 +102,7 @@ module Psych
       end
 
     def test_ref_append
-      hash = Psych.load(<<-eoyml)
+      hash = Psych.unsafe_load(<<-eoyml)
 ---
 foo: &foo
   hello: world
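Review bot: After this change nothing in this file exercises `Psych.load` on class-tagged documents (`!ruby/hash:X`, `!ruby/object:Hash`, `!map:X`), so the test suite no longer pins the current behaviour the commit message says `load` keeps until 4.0; if that is deliberate, a short comment at the first changed call in `test_hash_with_ivar` would save the next reader from wondering why a Hash round-trip test reaches for the unsafe entry point, e.g. `# Tagged documents instantiate arbitrary classes; only unsafe_load is meant to keep doing that once load becomes safe_load.` The same applies to every other hunk in this section, which makes the identical rename. `test_load_with_class_syck_compatibility` now calls `unsafe_load` while its name still says `load`, which is mildly misleading; renaming it to `test_unsafe_load_with_class_syck_compatibility` (or noting the mismatch in a comment) would keep the name honest. The enclosing `class TestHash` header lies outside the hunks.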