Use YAML.unsafe_load when available

[olleolleolle]

Informed by ruby/psych#533 (comment), this Issue notes the availability of the YAML.unsafe_load method, in Psych 4.0.

• use YAML.unsafe_load if available, OR
• use YAML.safe_load if available, enabling aliases and all the permitted classes
• use YAML.load if those methods aren't available (lower versions of Psych)

Location of use:
https://github.com/cschiewek/devise_ldap_authenticatable/blob/default/lib/devise_ldap_authenticatable/ldap/connection.rb

[schlumpfit]

Hi @olleolleolle,

it does not use unsafe_load, but should be compatible with psych <4 as well as with psych > 4. The solution is copied from rails...

#276

Edit: As a workaround I am just using gem 'psych', '< 4.0'

[net1957]

would be nice to have a new release with @schlumpfit proposal.
with ruby 3.0.4 this problem is present in multiples applications that are using yaml aliases

[Ivanov-Anton]

same problem

[Ivanov-Anton]

seems like this issue has already fixes in the psych repo follow the link below

ruby/psych#567

[net1957]

yes, but this gem was not modified to allow aliases

[Ivanov-Anton]

What do you suggest to me?

Maybe do not use aliases in the LDAP YML file? Or something else?

[net1957]

pass aliases: true to YAML.safe_load

see #276