ruby/ql/src/queries/security/cwe-502
1 file changed +6
-7
lines changed Original file line number Diff line number Diff line change @@ -19,13 +19,12 @@ deserialization of arbitrary objects.
</p >
<p >
- If deserializing an untrusted YAML document using the <code >psych</code > gem
- prior to version 4.0.0, the <code >load</code > method is vulnerable. Use
- <code >safe_load</code > instead. With <code >psych</code > version 4.0.0 and later,
- the <code >load</code > is safe. The same applies to <code >load_file</code >.
- <code >load_stream</code > is vulnerable in all versions. The safe versions of these
- methods (<code >safe_load</code > and <code >safe_load_file</code >) are not vulnerable
- in any known version.
+ If deserializing an untrusted YAML document using the <code >psych</code > gem,
+ prefer the <code >safe_load</code > and <code >safe_load_file</code > methods over
+ <code >load</code > and <code >load_file</code >, as the former will safely
+ handle untrusted data. Avoid passing untrusted data to the <code >load_stream</code >
+ method. In <code >psych</code > version 4.0.0 and above, the <code >load</code > can
+ safely be used.
</p >
<p >
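Review bot: The last added sentence, "In <code>psych</code> version 4.0.0 and above, the <code>load</code> can safely be used.", is missing the word "method" after <code>load</code>, and it also drops the point the removed text made with "The same applies to <code>load_file</code>." so the reader no longer learns that <code>load_file</code> is likewise safe from 4.0.0 on. Suggest "In <code>psych</code> version 4.0.0 and above, the <code>load</code> and <code>load_file</code> methods can safely be used." The new wording also no longer states that <code>safe_load</code> and <code>safe_load_file</code> are not vulnerable in any known version; if that guarantee was intentionally dropped, fine, otherwise consider keeping it, since it is the strongest reason to prefer them.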