fix: YAMLの安全な読み込みに変更

nacchan99 · nacchan99 · commit 81e7ebc85ac5 · 2025-07-17T11:52:11.000+09:00
- YAML.load_file から YAML.safe_load へ置き換え
diff --git a/lib/tasks/fetch_news.rake b/lib/tasks/fetch_news.rake
@@ -31,7 +31,7 @@ namespace :news do
     # 既存の news.yml を読み込み
     yaml_path = Rails.root.join('db', 'news.yml')
     existing_news = if File.exist?(yaml_path)
-      YAML.load_file(yaml_path)['news'] || []
+      YAML.safe_load(File.read(yaml_path), permitted_classes: [Time], aliases: true)['news'] || []
     else
       []
     end
diff --git a/lib/tasks/import_news.rake b/lib/tasks/import_news.rake
@@ -4,7 +4,7 @@ namespace :news do
   desc "db/news.yml を読み込んで News テーブルを upsert する"
   task import_from_yaml: :environment do
     yaml_path = Rails.root.join('db', 'news.yml')
-    raw       = YAML.load_file(yaml_path)
+    raw       = YAML.safe_load(File.read(yaml_path), permitted_classes: [Time], aliases: true)
 
     # entries を計算
     entries = raw['news'] || []
