From 09b269273a94bfe21d0651074f39226dd88777a4 Mon Sep 17 00:00:00 2001
From: Zach Gollwitzer
Date: Fri, 1 Nov 2024 09:42:00 -0400
Subject: [PATCH] Safe load yaml files
---
 db/seeds/exchanges.rb | 7 ++++++-
 lib/money/currency.rb | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/db/seeds/exchanges.rb b/db/seeds/exchanges.rb
index 3e43d3b86b6..3f5cc39f8e0 100644
--- a/db/seeds/exchanges.rb
+++ b/db/seeds/exchanges.rb
@@ -1,5 +1,10 @@
 # Load exchanges from YAML configuration
-exchanges_config = YAML.load_file(Rails.root.join('config', 'exchanges.yml'))
+exchanges_config = YAML.safe_load(
+ File.read(Rails.root.join('config', 'exchanges.yml')),
+ permitted_classes: [],
+ permitted_symbols: [],
+ aliases: true
+)
 exchanges_config.each do |exchange|
 next unless exchange['mic'].present? # Skip any invalid entries
diff --git a/lib/money/currency.rb b/lib/money/currency.rb
index 47dbc077c0a..a515aeed903 100644
--- a/lib/money/currency.rb
+++ b/lib/money/currency.rb
@@ -23,7 +23,12 @@ def new(object)
 end
 def all
- @all ||= YAML.load_file(CURRENCIES_FILE_PATH)
+ @all ||= YAML.safe_load(
+ File.read(CURRENCIES_FILE_PATH),
+ permitted_classes: [],
+ permitted_symbols: [],
+ aliases: true
+ )
 end
 def all_instances
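Review bot: In db/seeds/exchanges.rb the new `YAML.safe_load(File.read(...), ...)` call spells out `permitted_classes: []` and `permitted_symbols: []`, which are already safe_load's defaults, and reading the file separately means a parse error no longer names config/exchanges.yml. If the bundled Psych provides it, `YAML.safe_load_file(Rails.root.join('config', 'exchanges.yml'), aliases: true)` keeps the same restriction in one call; otherwise pass `filename:` to safe_load. `aliases: true` is the one relaxation left, so it is worth keeping only if the file really uses anchors (not visible here), with a comment such as `# aliases: true because exchanges.yml uses YAML anchors`. The same applies to the identical call in `all` in lib/money/currency.rb.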
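Review bot: In lib/money/currency.rb, `all` memoizes the parsed structure in `@all` and hands the same mutable object to every caller, so one caller mutating it would change the currency data for the rest of the process. safe_load accepts `freeze: true`, which deep-freezes the loaded result: `@all ||= YAML.safe_load(File.read(CURRENCIES_FILE_PATH), aliases: true, freeze: true)`. This assumes no caller relies on mutating the returned data, which cannot be checked from this hunk; the enclosing class body starts and ends outside it.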