Add latest changes from gitlab-org/gitlab@master

.rubocop_todo.yml

@@ -638,16 +638,6 @@ Rails/WhereEquals:
 Rails/WhereExists:
   Enabled: false
 
-# Offense count: 8
-# Cop supports --auto-correct.
-Security/YAMLLoad:
-  Exclude:
-    - 'lib/gitlab/redis/wrapper.rb'
-    - 'lib/system_check/incoming_email/imap_authentication_check.rb'
-    - 'spec/config/mail_room_spec.rb'
-    - 'spec/initializers/secret_token_spec.rb'
-    - 'spec/lib/gitlab/prometheus/additional_metrics_parser_spec.rb'
-
 # Offense count: 240
 # Cop supports --auto-correct.
 # Configuration parameters: EnforcedStyle.

changelogs/unreleased/pl-rubocop-todo-yaml-load.yml

@@ -0,0 +1,5 @@
+---
+title: Resolves offenses Security/YAMLLoad
+merge_request: 58042
+author: Shubham Kumar (@imskr)
+type: fixed

lib/gitlab/redis/wrapper.rb

@@ -142,7 +142,7 @@ module Gitlab
       def fetch_config
         return false unless self.class._raw_config
 
-        yaml = YAML.load(self.class._raw_config)
+        yaml = YAML.safe_load(self.class._raw_config)
 
         # If the file has content but it's invalid YAML, `load` returns false
         if yaml

lib/system_check/incoming_email/imap_authentication_check.rb

@@ -52,7 +52,7 @@ module SystemCheck
       def load_config
         erb = ERB.new(File.read(mail_room_config_path))
         erb.filename = mail_room_config_path
-        config_file = YAML.load(erb.result)
+        config_file = YAML.safe_load(erb.result)
 
         config_file[:mailboxes]
       end

spec/config/mail_room_spec.rb

@@ -21,7 +21,7 @@ RSpec.describe 'mail_room.yml' do
     status = result.status
     raise "Error interpreting #{mailroom_config_path}: #{output}" unless status == 0
 
-    YAML.load(output)
+    YAML.safe_load(output, permitted_classes: [Symbol])
   end
 
   before do

spec/initializers/secret_token_spec.rb

@@ -84,7 +84,7 @@ RSpec.describe 'create_tokens' do
 
       it 'writes the secrets to secrets.yml' do
         expect(File).to receive(:write).with('config/secrets.yml', any_args) do |filename, contents, options|
-          new_secrets = YAML.load(contents)[Rails.env]
+          new_secrets = YAML.safe_load(contents)[Rails.env]
 
           expect(new_secrets['secret_key_base']).to eq(secrets.secret_key_base)
           expect(new_secrets['otp_key_base']).to eq(secrets.otp_key_base)
@@ -179,7 +179,7 @@ RSpec.describe 'create_tokens' do
 
         it 'uses the file secret' do
           expect(File).to receive(:write) do |filename, contents, options|
-            new_secrets = YAML.load(contents)[Rails.env]
+            new_secrets = YAML.safe_load(contents)[Rails.env]
 
             expect(new_secrets['secret_key_base']).to eq('file_key')
             expect(new_secrets['otp_key_base']).to eq('file_key')

spec/lib/gitlab/prometheus/additional_metrics_parser_spec.rb

@@ -35,7 +35,7 @@ RSpec.describe Gitlab::Prometheus::AdditionalMetricsParser do
       end
 
       before do
-        allow(described_class).to receive(:load_yaml_file) { YAML.load(sample_yaml) }
+        allow(described_class).to receive(:load_yaml_file) { YAML.safe_load(sample_yaml) }
       end
 
       it 'parses to two metric groups with 2 and 1 metric respectively' do
@@ -71,7 +71,7 @@ RSpec.describe Gitlab::Prometheus::AdditionalMetricsParser do
     shared_examples 'required field' do |field_name|
       context "when #{field_name} is nil" do
         before do
-          allow(described_class).to receive(:load_yaml_file) { YAML.load(field_missing) }
+          allow(described_class).to receive(:load_yaml_file) { YAML.safe_load(field_missing) }
         end
 
         it 'throws parsing error' do
@@ -81,7 +81,7 @@ RSpec.describe Gitlab::Prometheus::AdditionalMetricsParser do
 
       context "when #{field_name} are not specified" do
         before do
-          allow(described_class).to receive(:load_yaml_file) { YAML.load(field_nil) }
+          allow(described_class).to receive(:load_yaml_file) { YAML.safe_load(field_nil) }
         end
 
         it 'throws parsing error' do