Merge pull request #112 from attack/safe-load

Use YAML#safe_load_file with permitted_classes

Author: JoeSouthan

lib/business/calendar.rb

@@ -2,6 +2,7 @@
 
 require "yaml"
 require "date"
+require "pathname"
 
 module Business
   class Calendar
@@ -37,9 +38,10 @@ def self.find_calendar_data(calendar_name)
         if path.is_a?(Hash)
           break path[calendar_name] if path[calendar_name]
         else
-          next unless File.exist?(File.join(path, "#{calendar_name}.yml"))
+          calendar_path = Pathname.new(path).join("#{calendar_name}.yml")
+          next unless calendar_path.exist?
 
-          break YAML.load_file(File.join(path, "#{calendar_name}.yml"))
+          break YAML.safe_load(calendar_path.read, permitted_classes: [Date])
         end
       end
     end

spec/business/calendar_spec.rb

@@ -13,9 +13,9 @@
     subject(:load_calendar) { described_class.load(calendar) }
 
     let(:dummy_calendar) { { "working_days" => ["monday"] } }
+    let(:fixture_path) { File.join(File.dirname(__FILE__), "../fixtures", "calendars") }
 
     before do
-      fixture_path = File.join(File.dirname(__FILE__), "../fixtures", "calendars")
       described_class.load_paths = [fixture_path, { "foobar" => dummy_calendar }]
     end
 
@@ -25,7 +25,10 @@
       after { described_class.load_paths = nil }
 
       it "loads the yaml file" do
-        expect(YAML).to receive(:load_file).with(/ecb\.yml$/).and_return({})
+        path = Pathname.new(fixture_path).join("ecb.yml")
+        expect(YAML).to receive(:safe_load).
+          with(path.read, permitted_classes: [Date]).
+          and_return({})
 
         load_calendar
       end

spec/fixtures/calendars/ecb.yml

@@ -6,7 +6,7 @@ working_days:
   - friday
 
 holidays:
-  - January 1st, 2013
+  - 2013-01-01
   - March 29th, 2013
   - April 1st, 2013
   - May 1st, 2013