From dc793b3c25142c77960fcb7fadc74677aa5f0a3e Mon Sep 17 00:00:00 2001
From: Dev
Date: Wed, 22 May 2024 11:15:05 -0700
Subject: [PATCH] Fixed vulnerability issue

---
 lib/money/bank/variable_exchange.rb | 33 +++++++++++++++--------------
 1 file changed, 17 insertions(+), 16 deletions(-)

diff --git a/lib/money/bank/variable_exchange.rb b/lib/money/bank/variable_exchange.rb
index 1a7dbe4b83..673a037154 100644
--- a/lib/money/bank/variable_exchange.rb
+++ b/lib/money/bank/variable_exchange.rb
@@ -259,25 +259,26 @@ def rates
 # bank.get_rate("USD", "CAD") #=> 1.24515
 # bank.get_rate("CAD", "USD") #=> 0.803115
 def import_rates(format, s, opts = {})
- raise Money::Bank::UnknownRateFormat unless RATE_FORMATS.include?(format)
-
- if format == :ruby
- warn '[WARNING] Using :ruby format when importing rates is potentially unsafe and ' \
- 'might lead to remote code execution via Marshal.load deserializer. Consider using ' \
- 'safe alternatives such as :json and :yaml.'
+ raise Money::bank::UnknownRateFormat unless RATE_FORMATS.include?(format)
+
+ store.transaction do
+ data = case format
+ when :json
+ JSON.parse(s)
+ when :yaml
+ YAML.safe_load(s, permitted_classes: [BigDecimal, Date, Time], aliases: true)
+ else
+ raise Money::bank::UnknownRateFormat, "Unknown format: #{format}"
 end
-
- store.transaction do
- data = FORMAT_SERIALIZERS[format].load(s)
-
- data.each do |key, rate|
- from, to = key.split(SERIALIZER_SEPARATOR)
- store.add_rate from, to, rate
- end
+
+ data.each do |key, rate|
+ from, to = key.split(SERIALIZER_SEPARATOR)
+ store.add_rate from, to, rate
 end
-
- self
 end
+
+ self
+ end
 end
 end
 end
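Review bot: `Money::bank::UnknownRateFormat` on the new guard line and again in the `else` branch is a lowercase constant path, which Ruby parses as a method call `Money.bank` followed by a constant lookup on its result, so a rejected format most likely surfaces as a NoMethodError instead of the intended `Money::Bank::UnknownRateFormat` (the removed line had it capitalised); restore it on both lines, `raise Money::Bank::UnknownRateFormat unless RATE_FORMATS.include?(format)` and `raise Money::Bank::UnknownRateFormat, "Unknown format: #{format}"`. The guard still consults `RATE_FORMATS`, which this hunk does not touch; if that constant still lists `:ruby`, the symbol passes the guard and only fails in the `else` branch, so the list (and `FORMAT_SERIALIZERS`, no longer referenced here) should be trimmed to `:json` and `:yaml` so the advertised formats match what `import_rates` now accepts. `YAML.safe_load(..., aliases: true)` opts back into alias expansion, which is a known memory-amplification concern for documents from untrusted sources; unless exported rate files actually use aliases, leaving the option at its default is the safer choice, and `permitted_classes: [BigDecimal, Date, Time]` presumably relies on `bigdecimal` and `date` being required elsewhere in the file — worth confirming. As a point of style, the `case` now closes on an `end` indented at method-body level (the old `if`'s closing line), which makes the nesting of `case`, `data.each` and `store.transaction` hard to follow; re-indenting that `end` under `data =` would fix it.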