Merge pull request #9391 from jhawthorn/fix_safe_yaml_load

Make SafeYAML.load an alias of safe_load

Author: hsbt

lib/rubygems/commands/owner_command.rb

@@ -75,7 +75,7 @@ def show_owners(name)
     end
 
     with_response response do |resp|
-      owners = Gem::SafeYAML.load clean_text(resp.body)
+      owners = Gem::SafeYAML.safe_load clean_text(resp.body)
 
       say "Owners for gem: #{name}"
       owners.each do |owner|

lib/rubygems/safe_yaml.rb

@@ -48,21 +48,8 @@ def self.safe_load(input)
       end
     end
 
-    def self.load(input)
-      if Gem.use_psych?
-        if ::Psych.respond_to?(:unsafe_load)
-          ::Psych.unsafe_load(input)
-        else
-          ::Psych.load(input)
-        end
-      else
-        Gem::YAMLSerializer.load(
-          input,
-          permitted_classes: PERMITTED_CLASSES,
-          permitted_symbols: PERMITTED_SYMBOLS,
-          aliases: aliases_enabled?
-        )
-      end
+    class << self
+      alias_method :load, :safe_load
     end
   end
 end

test/rubygems/helper.rb

@@ -735,10 +735,10 @@ def write_dummy_extconf(gem_name)
   end
 
   ##
-  # Load a YAML string, the psych 3 way
+  # Load a YAML string using the safe loader with gem-spec permitted classes.
 
   def load_yaml(yaml)
-    Gem::SafeYAML.load(yaml)
+    Gem::SafeYAML.safe_load(yaml)
   end
 
   ##

test/rubygems/test_gem_commands_owner_command.rb

@@ -57,10 +57,6 @@ def test_show_owners
   def test_show_owners_dont_load_objects
     Gem.load_yaml
 
-    # Gem::SafeYAML.load uses Psych.unsafe_load when Psych is enabled,
-    # which does not restrict classes. Only YAMLSerializer restricts object tags.
-    pend "Gem::SafeYAML.load uses Psych.unsafe_load which does not restrict classes" if Gem.use_psych?
-
     response = <<EOF
 ---
 - email: !ruby/object:Object {}