
ruby-changes:64159

From: Hiroshi <ko1@a...>
Date: Mon, 14 Dec 2020 20:13:29 +0900 (JST)
Subject: [ruby-changes:64159] c2a60fec2f (master): Merge Psych-3.2.1 from ruby/psych

https://git.ruby-lang.org/ruby.git/commit/?id=c2a60fec2f

From c2a60fec2f79c05bdb865c143b6ad8eddfc6cc36 Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@r...>
Date: Mon, 14 Dec 2020 20:13:12 +0900
Subject: Merge Psych-3.2.1 from ruby/psych


diff --git a/ext/psych/lib/psych.rb b/ext/psych/lib/psych.rb
index b09866a..c3292d9 100644
--- a/ext/psych/lib/psych.rb
+++ b/ext/psych/lib/psych.rb
@@ -74,12 +74,15 @@ require 'psych/class_loader' https://github.com/ruby/ruby/blob/trunk/ext/psych/lib/psych.rb#L74
 #
 # ==== Reading from a string
 #
-#   Psych.load("--- a")             # => 'a'
-#   Psych.load("---\n - a\n - b")   # => ['a', 'b']
+#   Psych.safe_load("--- a")             # => 'a'
+#   Psych.safe_load("---\n - a\n - b")   # => ['a', 'b']
+#   # From a trusted string:
+#   Psych.load("--- !ruby/range\nbegin: 0\nend: 42\nexcl: false\n") # => 0..42
 #
 # ==== Reading from a file
 #
-#   Psych.load_file("database.yml")
+#   Psych.safe_load_file("data.yml", permitted_classes: [Date])
+#   Psych.load_file("trusted_database.yml")
 #
 # ==== Exception handling
 #
@@ -276,8 +279,7 @@ module Psych https://github.com/ruby/ruby/blob/trunk/ext/psych/lib/psych.rb#L279
 
     result = parse(yaml, filename: filename)
     return fallback unless result
-    result = result.to_ruby(symbolize_names: symbolize_names, freeze: freeze) if result
-    result
+    result.to_ruby(symbolize_names: symbolize_names, freeze: freeze)
   end
 
   ###
@@ -571,12 +573,27 @@ module Psych https://github.com/ruby/ruby/blob/trunk/ext/psych/lib/psych.rb#L573
   # Load the document contained in +filename+.  Returns the yaml contained in
   # +filename+ as a Ruby object, or if the file is empty, it returns
   # the specified +fallback+ return value, which defaults to +false+.
+  #
+  # NOTE: This method *should not* be used to parse untrusted documents, such as
+  # YAML documents that are supplied via user input.  Instead, please use the
+  # safe_load_file method.
   def self.load_file filename, **kwargs
     File.open(filename, 'r:bom|utf-8') { |f|
       self.load f, filename: filename, **kwargs
     }
   end
 
+  ###
+  # Safely loads the document contained in +filename+.  Returns the yaml contained in
+  # +filename+ as a Ruby object, or if the file is empty, it returns
+  # the specified +fallback+ return value, which defaults to +false+.
+  # See safe_load for options.
+  def self.safe_load_file filename, **kwargs
+    File.open(filename, 'r:bom|utf-8') { |f|
+      self.safe_load f, filename: filename, **kwargs
+    }
+  end
+
   # :stopdoc:
   @domain_types = {}
   def self.add_domain_type domain, type_tag, &block
diff --git a/ext/psych/lib/psych/versions.rb b/ext/psych/lib/psych/versions.rb
index b357563..e458a66 100644
--- a/ext/psych/lib/psych/versions.rb
+++ b/ext/psych/lib/psych/versions.rb
@@ -2,7 +2,7 @@ https://github.com/ruby/ruby/blob/trunk/ext/psych/lib/psych/versions.rb#L2
 # frozen_string_literal: true
 module Psych
   # The version of Psych you are using
-  VERSION = '3.2.0'
+  VERSION = '3.2.1'
 
   if RUBY_ENGINE == 'jruby'
     DEFAULT_SNAKEYAML_VERSION = '1.26'.freeze
diff --git a/ext/psych/yaml/loader.c b/ext/psych/yaml/loader.c
index bcf3aee..78b87e6 100644
--- a/ext/psych/yaml/loader.c
+++ b/ext/psych/yaml/loader.c
@@ -541,4 +541,4 @@ yaml_parser_load_mapping_end(yaml_parser_t *parser, yaml_event_t *event, https://github.com/ruby/ruby/blob/trunk/ext/psych/yaml/loader.c#L541
     (void)POP(parser, *ctx);
 
     return 1;
-}
+}
\ No newline at end of file
diff --git a/test/psych/test_exception.rb b/test/psych/test_exception.rb
index e355c26..78601d0 100644
--- a/test/psych/test_exception.rb
+++ b/test/psych/test_exception.rb
@@ -118,6 +118,18 @@ module Psych https://github.com/ruby/ruby/blob/trunk/test/psych/test_exception.rb#L118
       }
     end
 
+    def test_safe_load_file_exception
+      Tempfile.create(['loadfile', 'yml']) {|t|
+        t.binmode
+        t.write '--- `'
+        t.close
+        ex = assert_raises(Psych::SyntaxError) do
+          Psych.safe_load_file t.path
+        end
+        assert_equal t.path, ex.file
+      }
+    end
+
     def test_psych_parse_takes_file
       ex = assert_raises(Psych::SyntaxError) do
         Psych.parse '--- `'
diff --git a/test/psych/test_psych.rb b/test/psych/test_psych.rb
index 7219e83..30612de 100644
--- a/test/psych/test_psych.rb
+++ b/test/psych/test_psych.rb
@@ -319,6 +319,18 @@ class TestPsych < Psych::TestCase https://github.com/ruby/ruby/blob/trunk/test/psych/test_psych.rb#L319
     }
   end
 
+  def test_safe_load_file_with_permitted_classe
+    Tempfile.create(['false', 'yml']) {|t|
+      t.binmode
+      t.write("--- !ruby/range\nbegin: 0\nend: 42\nexcl: false\n")
+      t.close
+      assert_equal 0..42, Psych.safe_load_file(t.path, permitted_classes: [Range])
+      assert_raises(Psych::DisallowedClass) {
+        Psych.safe_load_file(t.path)
+      }
+    }
+  end
+
   def test_parse_file
     Tempfile.create(['yikes', 'yml']) {|t|
       t.binmode
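Review bot: The new test name `test_safe_load_file_with_permitted_classe` is missing the trailing "s"; since the method name is the test's only label in output, it should read `def test_safe_load_file_with_permitted_classes`. The body itself covers both the permitted and the disallowed path, which is the right pair for a safe_* entry point. The empty-file `fallback` behaviour that safe_load_file's documentation promises is not exercised by either new test; a second Tempfile case writing nothing and asserting the documented default would pin it. The enclosing `class TestPsych` continues outside the hunk.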
-- 
cgit v0.10.2


