
Revision c7c2ad57

Added by tenderlovemaking (Aaron Patterson) about 4 years ago

[ruby/psych] Introduce Psych.unsafe_load

In future versions of Psych, the load method will be mostly the same
as the safe_load method. In other words, the load method won't
allow arbitrary object deserialization (which can be used to escalate to
an RCE). People that need to load trusted documents can use the
unsafe_load method.

This commit introduces the unsafe_load method so that people can
incrementally upgrade. For example, if they try to upgrade to 4.0.0 and
something breaks, they can downgrade, audit callsites, change to
safe_load or unsafe_load as required, and then upgrade to 4.0.0
smoothly.

https://github.com/ruby/psych/commit/cb50aa8d3f
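The difference between the three loaders the commit message describes, as an added example that is not code from the commit or from the psych project. The PreferencesRecord class and the two YAML documents are constructed for this example; the load_trusted helper falls back to Psych.load only so the block also runs on psych releases that predate unsafe_load (where load still had the unsafe behaviour).

```ruby
require 'psych'

# Hypothetical application class, constructed for this example. Any class
# that is loaded in the process can be named by a !ruby/object tag in
# untrusted YAML, which is the object-deserialization path the commit
# message refers to.
class PreferencesRecord
  attr_accessor :theme, :command
end

# Constructed sample documents. The first is ordinary data; the second asks
# the loader to instantiate PreferencesRecord and populate its instance
# variables from the mapping.
PLAIN_DOC = <<~YAML
  theme: dark
  retries: 3
YAML

TAGGED_DOC = <<~YAML
  --- !ruby/object:PreferencesRecord
  theme: dark
  command: "rm -rf /"
YAML

# Explicit spelling for documents you actually trust. Psych.unsafe_load is
# what this commit introduces; the fallback to Psych.load covers psych
# versions before it existed, where Psych.load itself was the unsafe loader.
def load_trusted(yaml)
  if Psych.respond_to?(:unsafe_load)
    Psych.unsafe_load(yaml)
  else
    Psych.load(yaml)
  end
end

# For untrusted input: safe_load with an explicit allow list. Without
# permitted_classes, any tagged object (and Symbols) is rejected with
# Psych::DisallowedClass rather than instantiated.
def load_untrusted(yaml, permitted_classes: [])
  Psych.safe_load(yaml, permitted_classes: permitted_classes)
end

# Classifies what a given loader produces for a document:
#   :hash      plain data
#   :object    a PreferencesRecord instance was built
#   :rejected  the loader refused the document
def classify(loader, yaml)
  result = case loader
           when :safe        then load_untrusted(yaml)
           when :allowlisted then load_untrusted(yaml, permitted_classes: [PreferencesRecord])
           when :trusted     then load_trusted(yaml)
           else raise ArgumentError, "unknown loader #{loader.inspect}"
           end
  return :hash if result.is_a?(Hash)
  return :object if result.is_a?(PreferencesRecord)
  :other
rescue Psych::DisallowedClass
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  %i[safe allowlisted trusted].each do |loader|
    puts "#{loader}: plain=#{classify(loader, PLAIN_DOC)} tagged=#{classify(loader, TAGGED_DOC)}"
  end
end
```

When auditing callsites, the question to ask at each one is which of these three behaviours the input warrants: data from config files you ship can use load_trusted, anything that crosses a trust boundary gets safe_load, and a callsite that genuinely needs a custom class gets it through permitted_classes rather than by switching to unsafe_load.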