devise_ldap_authenticatable icon indicating copy to clipboard operation
devise_ldap_authenticatable copied to clipboard

Published 20 hours ago verified publisher icon cschiewek

Use YAML.unsafe_load when available

Open olleolleolle opened this issue 3 years ago • 7 comments

Informed by https://github.com/ruby/psych/issues/533#issuecomment-1023561867, this Issue notes the availability of the YAML.unsafe_load method, in Psych 4.0.

  • use YAML.unsafe_load if available, OR
  • use YAML.safe_load if available, enabling aliases and all the permitted classes
  • use YAML.load if those methods aren't available (lower versions of Psych)

Location of use: https://github.com/cschiewek/devise_ldap_authenticatable/blob/default/lib/devise_ldap_authenticatable/ldap/connection.rb

olleolleolle avatar Jan 28 '22 07:01 olleolleolle

Hi @olleolleolle,

it does not use unsafe_load, but should be compatible with psych <4 as well as with psych > 4. The solution is copied from rails...

https://github.com/cschiewek/devise_ldap_authenticatable/pull/276

Edit: As a workaround I am just using gem 'psych', '< 4.0'

schlumpfit avatar Feb 24 '22 13:02 schlumpfit

would be nice to have a new release with @schlumpfit proposal. with ruby 3.0.4 this problem is present in multiples applications that are using yaml aliases

net1957 avatar May 17 '22 19:05 net1957

same problem

Ivanov-Anton avatar Jun 13 '23 13:06 Ivanov-Anton

seems like this issue has already fixes in the psych repo follow the link below

https://github.com/ruby/psych/pull/567

Ivanov-Anton avatar Jun 19 '23 19:06 Ivanov-Anton

yes, but this gem was not modified to allow aliases

net1957 avatar Jun 22 '23 21:06 net1957

What do you suggest to me?

Maybe do not use aliases in the LDAP YML file? Or something else?

Ivanov-Anton avatar Jun 22 '23 21:06 Ivanov-Anton

pass aliases: true to YAML.safe_load

see https://github.com/cschiewek/devise_ldap_authenticatable/pull/276

net1957 avatar Jun 23 '23 14:06 net1957