From c7c2ad5749f7f0767ef38be160f4b391228396c1 Mon Sep 17 00:00:00 2001
From: Aaron Patterson <tenderlove@ruby-lang.org>
Date: Mon, 10 May 2021 09:50:06 -0700
Subject: [ruby/psych] Introduce `Psych.unsafe_load`

In future versions of Psych, the `load` method will be mostly the same
as the `safe_load` method.  In other words, the `load` method won't
allow arbitrary object deserialization (which can be used to escalate to
an RCE).  People that need to load *trusted* documents can use the
`unsafe_load` method.

This commit introduces the `unsafe_load` method so that people can
incrementally upgrade.  For example, if they try to upgrade to 4.0.0 and
something breaks, they can downgrade, audit callsites, change to
`safe_load` or `unsafe_load` as required, and then upgrade to 4.0.0
smoothly.

https://github.com/ruby/psych/commit/cb50aa8d3f
---
 ext/psych/lib/psych.rb          | 8 +++++---
 ext/psych/lib/psych/versions.rb | 4 ++--
 2 files changed, 7 insertions(+), 5 deletions(-)

(limited to 'ext/psych/lib')

diff --git a/ext/psych/lib/psych.rb b/ext/psych/lib/psych.rb
index cedf0a4ad6..34d2218549 100644
--- a/ext/psych/lib/psych.rb
+++ b/ext/psych/lib/psych.rb
@@ -271,7 +271,7 @@ module Psych
   # YAML documents that are supplied via user input.  Instead, please use the
   # safe_load method.
   #
-  def self.load yaml, legacy_filename = NOT_GIVEN, filename: nil, fallback: false, symbolize_names: false, freeze: false
+  def self.unsafe_load yaml, legacy_filename = NOT_GIVEN, filename: nil, fallback: false, symbolize_names: false, freeze: false
     if legacy_filename != NOT_GIVEN
       warn_with_uplevel 'Passing filename with the 2nd argument of Psych.load is deprecated. Use keyword argument like Psych.load(yaml, filename: ...) instead.', uplevel: 1 if $VERBOSE
       filename = legacy_filename
@@ -281,6 +281,7 @@ module Psych
     return fallback unless result
     result.to_ruby(symbolize_names: symbolize_names, freeze: freeze)
   end
+  class << self; alias :load :unsafe_load; end
 
   ###
   # Safely load the yaml string in +yaml+.  By default, only the following
@@ -577,11 +578,12 @@ module Psych
   # NOTE: This method *should not* be used to parse untrusted documents, such as
   # YAML documents that are supplied via user input.  Instead, please use the
   # safe_load_file method.
-  def self.load_file filename, **kwargs
+  def self.unsafe_load_file filename, **kwargs
     File.open(filename, 'r:bom|utf-8') { |f|
-      self.load f, filename: filename, **kwargs
+      self.unsafe_load f, filename: filename, **kwargs
     }
   end
+  class << self; alias :load_file :unsafe_load_file; end
 
   ###
   # Safely loads the document contained in +filename+.  Returns the yaml contained in
diff --git a/ext/psych/lib/psych/versions.rb b/ext/psych/lib/psych/versions.rb
index b0ec018b63..acb21336c4 100644
--- a/ext/psych/lib/psych/versions.rb
+++ b/ext/psych/lib/psych/versions.rb
@@ -1,8 +1,8 @@
-
 # frozen_string_literal: true
+
 module Psych
   # The version of Psych you are using
-  VERSION = '3.3.1'
+  VERSION = '3.3.2'
 
   if RUBY_ENGINE == 'jruby'
     DEFAULT_SNAKEYAML_VERSION = '1.28'.freeze
-- 
cgit v1.2.3