app/models/miq_ae_yaml_import_gitfs.rb from ManageIQ/manageiq-automation_engine

app/models/miq_ae_yaml_import_gitfs.rb

Summary

Maintainability

0 mins

Test Coverage

87%

Prefer using `YAML.safe_load` over `YAML.load`.
Open

    YAML.load(@gwt.read_file(file))

Found in app/models/miq_ae_yaml_import_gitfs.rb by rubocop

Read up
Read up
Create a ticket
Create a ticket
Exclude checks
- Disable engine
- Disable check

Checks for the use of YAML class methods which have potential security issues leading to remote code execution when loading from an untrusted source.

NOTE: Ruby 3.1+ (Psych 4) uses Psych.load as Psych.safe_load by default.

Safety:

The behavior of the code might change depending on what was in the YAML payload, since YAML.safe_load is more restrictive.

Example:

# bad
YAML.load("--- !ruby/object:Foo {}") # Psych 3 is unsafe by default

# good
YAML.safe_load("--- !ruby/object:Foo {}", [Foo])                    # Ruby 2.5  (Psych 3)
YAML.safe_load("--- !ruby/object:Foo {}", permitted_classes: [Foo]) # Ruby 3.0- (Psych 3)
YAML.load("--- !ruby/object:Foo {}", permitted_classes: [Foo])      # Ruby 3.1+ (Psych 4)
YAML.dump(foo)

ManageIQ/manageiq-automation_engine

Summary

Maintainability

Test Coverage

Prefer using `YAML.safe_load` over `YAML.load`.
Open

Safety:

Example:

There are no issues that match your filters.

Category

Status

ManageIQ/manageiq-automation_engine

Summary

Maintainability

Test Coverage

Prefer using YAML.safe_load over YAML.load. Open

Safety:

Example:

There are no issues that match your filters.

Category

Status

Prefer using `YAML.safe_load` over `YAML.load`.
Open