
Commit ca1024e

Ruby: Reword unsafe deserialization qhelp
1 parent e515981 commit ca1024e

File tree

1 file changed

+6
-7
lines changed


ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp

Lines changed: 6 additions & 7 deletions
@@ -19,13 +19,12 @@ deserialization of arbitrary objects.
1919
</p>
2020

2121
<p>
22-
If deserializing an untrusted YAML document using the <code>psych</code> gem
23-
prior to version 4.0.0, the <code>load</code> method is vulnerable. Use
24-
<code>safe_load</code> instead. With <code>psych</code> version 4.0.0 and later,
25-
the <code>load</code> is safe. The same applies to <code>load_file</code>.
26-
<code>load_stream</code> is vulnerable in all versions. The safe versions of these
27-
methods (<code>safe_load</code> and <code>safe_load_file</code>) are not vulnerable
28-
in any known version.
22+
If deserializing an untrusted YAML document using the <code>psych</code> gem,
23+
prefer the <code>safe_load</code> and <code>safe_load_file</code> methods over
24+
<code>load</code> and <code>load_file</code>, as the former will safely
25+
handle untrusted data. Avoid passing untrusted data to the <code>load_stream</code>
26+
method. In <code>psych</code> version 4.0.0 and above, the <code>load</code> can
27+
safely be used.
2928
</p>
3029

3130
<p>
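Review bot: The reworded paragraph loses two facts the old text stated: that load_file is also safe from psych 4.0.0 onward ("The same applies to load_file"), and that load_stream is unsafe in every version, so "Avoid passing untrusted data to the load_stream method" now gives no reason. Suggest closing the paragraph with "In psych version 4.0.0 and above, the load and load_file methods can safely be used; load_stream remains unsafe in all versions." Separately, "the load can safely be used" in the last added line reads as if a word is missing; "the load method can safely be used" matches the phrasing used elsewhere in this qhelp.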
