Use safe_load when using Psych >=3.1

2026-03-25 08:55:53 +00:00 · 2021-06-07 12:47:01 +09:00 · 2021-06-07 12:47:01 +09:00 · 7a1bf4fbb3
commit 7a1bf4fbb3
parent 9eb68dcce5
1 changed files with 12 additions and 2 deletions
--- a/lib/http/cookie_jar/yaml_saver.rb
+++ b/lib/http/cookie_jar/yaml_saver.rb
@ -21,7 +21,7 @@ class HTTP::CookieJar::YAMLSaver < HTTP::CookieJar::AbstractSaver

  def load(io, jar)
    begin
-      data = YAML.load(io)
+      data = load_yaml(io)
    rescue ArgumentError => e
      case e.message
      when %r{\Aundefined class/module Mechanize::}
@ -31,7 +31,7 @@ class HTTP::CookieJar::YAMLSaver < HTTP::CookieJar::AbstractSaver
          yaml = io.read
          # a gross hack
          yaml.gsub!(%r{^(    [^ ].*:) !ruby/object:Mechanize::Cookie$}, "\\1")
-          data = YAML.load(yaml)
+          data = load_yaml(yaml)
        rescue Errno::ESPIPE
          @logger.warn "could not rewind the stream for conversion" if @logger
        rescue ArgumentError
@ -73,4 +73,14 @@ class HTTP::CookieJar::YAMLSaver < HTTP::CookieJar::AbstractSaver
  def default_options
    {}
  end
+
+  if YAML.name == 'Psych' && Psych::VERSION >= '3.1'
+    def load_yaml(yaml)
+      YAML.safe_load(yaml, :permitted_classes => %w[Time HTTP::Cookie Mechanize::Cookie DomainName])
+    end
+  else
+    def load_yaml(yaml)
+      YAML.load(yaml)
+    end
+  end
 end