Safe YAML loading.

mostlyobvious · mostlyobvious · commit 0d39bffdfddd · 2020-03-18T01:50:54.000+01:00
Allow only Time among primitives.
diff --git a/lib/nanoc/github.rb b/lib/nanoc/github.rb
@@ -27,7 +27,7 @@ def client
       def decode(content)
         content   = Base64.decode64(content)
         matchdata = content.match(REGEX)
-        metadata  = matchdata ? YAML.load(matchdata[:metadata]) : {}
+        metadata  = matchdata ? YAML.safe_load(matchdata[:metadata], permitted_classes: [Time]) : {}
 
         [metadata, content.gsub(REGEX, '')]
       end
