Just use YAML.safe_load and assume the format

should be correct since it's already passing the
validation anyway.

Feedback:
https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/8088#note_20076187
Lin Jen-Shin 2016-12-15 23:37:22 +08:00
parent e682e2f888
commit bcc09ca760
2 changed files with 3 additions and 44 deletions


@ -10,36 +10,16 @@ module Gitlab
def load(string) def load(string)
return unless string return unless string
object = YAML.load(string) object = YAML.safe_load(string, [Symbol])
# We don't need to verify the object once we're using SafeYAML object.map(&YamlVariables.method(:convert_key_value_to_string))
if YamlVariables.verify_object(object)
YamlVariables.convert_object(object)
else
[]
end
end end
def dump(object) def dump(object)
YAML.dump(object) YAML.dump(object)
end end
def verify_object(object) private
YamlVariables.verify_type(object, Array) &&
object.all? { |obj| YamlVariables.verify_type(obj, Hash) }
end
# We use three ways to check if the class is exactly the one we want,
# rather than some subclass or duck typing class.
def verify_type(object, klass)
object.kind_of?(klass) &&
object.class == klass &&
klass === object
end
def convert_object(object)
object.map(&YamlVariables.method(:convert_key_value_to_string))
end
def convert_key_value_to_string(variable) def convert_key_value_to_string(variable)
variable[:key] = variable[:key].to_s variable[:key] = variable[:key].to_s
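Review bot: In the new `load`, `object.map` runs on whatever `YAML.safe_load(string, [Symbol])` returns, and `return unless string` only guards against `nil`. `safe_load` restricts which classes can be instantiated, not the shape of the document, so an empty string (which parses to `nil` or `false` depending on the Psych version), a scalar or a mapping would now raise `NoMethodError` or `TypeError` where the removed branch returned `[]`. The validation the commit message relies on is not visible in this hunk, so a cheap shape guard after the parse would keep the old fallback: `return [] unless object.is_a?(Array) && object.all? { |v| v.is_a?(Hash) }`. It is also worth deciding explicitly whether a `Psych::DisallowedClass` raised for a tagged payload should propagate or be rescued here, and adding a spec for that case, since the specs for hostile objects are deleted in the same commit.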


@ -16,25 +16,4 @@ describe Gitlab::Serialize::YamlVariables do
{ key: 'key', value: 'value', public: true }, { key: 'key', value: 'value', public: true },
{ key: 'wee', value: '1', public: false }]) { key: 'wee', value: '1', public: false }])
end end
context 'with a subclass of Array' do
let(:object) do
Kaminari::PaginatableArray.new << 'I am evil'
end
it 'ignores it' do
is_expected.to eq([])
end
end
context 'with the array containing subclasses of Hash' do
let(:object) do
[ActiveSupport::OrderedOptions.new(
key: 'key', value: 'value', public: true)]
end
it 'ignores it' do
is_expected.to eq([])
end
end
end end