Config.read_config_file - use safe_load_file if available

MSP-Greg · MSP-Greg · commit 285278b78680 · 2021-05-18T20:00:12.000-05:00
Psych 4+ may change load_file behavior
diff --git a/lib/yard/config.rb b/lib/yard/config.rb
@@ -236,7 +236,11 @@ def self.translate_plugin_names
     def self.read_config_file
       if File.file?(CONFIG_FILE)
         require 'yaml'
-        YAML.load_file(CONFIG_FILE)
+        if YAML.respond_to?(:safe_load_file)
+          YAML.safe_load_file(CONFIG_FILE, permitted_classes: [SymbolHash, Symbol])
+        else
+          YAML.load_file(CONFIG_FILE)
+        end
       else
         {}
       end
diff --git a/spec/config_spec.rb b/spec/config_spec.rb
@@ -17,7 +17,13 @@
     it "overwrites options with data in ~/.yard/config" do
       expect(File).to receive(:file?).with(YARD::Config::CONFIG_FILE).and_return(true)
       expect(File).to receive(:file?).with(YARD::Config::IGNORED_PLUGINS).and_return(false)
-      expect(YAML).to receive(:load_file).with(YARD::Config::CONFIG_FILE).and_return('test' => true)
+      if YAML.respond_to?(:safe_load_file)
+        expect(YAML).to receive(:safe_load_file)
+          .with(YARD::Config::CONFIG_FILE, permitted_classes: [SymbolHash, Symbol])
+          .and_return('test' => true)
+      else
+        expect(YAML).to receive(:load_file).with(YARD::Config::CONFIG_FILE).and_return('test' => true)
+      end
       YARD::Config.load
       expect(YARD::Config.options[:test]).to be true
     end
