Use YAML.safe_load when loading custom config

There's a vulnerability in `YAML.load` which can enable arbitrary code to be run on our sytems. `YAML.safe_load` does not deserialize unsafe classes. Related reading: http://blog.codeclimate.com/blog/2013/01/10/rails-remote-code-execution-vulnerability-explained/ ruby/psych#119 http://docs.ruby-lang.org/en/2.1.0/Psych.html#method-c-safe_load
houndci · Feb 26, 2015 · 20cf002 · 20cf002
1 parent 331eecd
commit 20cf002
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/app/models/repo_config.rb b/app/models/repo_config.rb
@@ -93,7 +93,7 @@ def load_javascript_ignore
   end
 
   def parse_yaml(content)
-    YAML.load(content)
+    YAML.safe_load(content)
   rescue Psych::SyntaxError
     {}
   end