YAML should use safe_load throughout and support psych 4

Gemfile

@@ -12,7 +12,8 @@ gem 'rails', '~> 7.0.4', '>= 7.0.8.1'
 # Use old psych for YAML on Ruby 3.1 until we move to Rails 7.0.4
 # so that we can continue to use aliases in config/locales/en.yml
 # cf. https://stackoverflow.com/questions/71191685/visit-psych-nodes-alias-unknown-alias-default-psychbadalias
-gem 'psych', '3.3.2' # Exactly match the version on Ruby 3.0
+gem 'psych', '4.0.4' # Exactly match the version on Ruby 3.1
+gem 'stringio', '3.0.1.2' # psych dependency: exactly match the version on Ruby 3.1
 
 # Use postgresql as the database for Active Record
 gem 'pg', '~> 1.4.6' # All client instance have postgres version >= 9.3

Gemfile.lock

@@ -376,7 +376,8 @@ GEM
       method_source (~> 1.0)
     pry-rails (0.3.11)
       pry (>= 0.13.0)
-    psych (3.3.2)
+    psych (4.0.4)
+      stringio
     public_suffix (6.0.1)
     puma (6.4.3)
       nio4r (~> 2.0)
@@ -509,6 +510,7 @@ GEM
       actionpack (>= 6.1)
       activesupport (>= 6.1)
       sprockets (>= 3.0.0)
+    stringio (3.0.1.2)
     terminal-notifier-guard (1.7.0)
     test-unit (3.6.2)
       power_assert
@@ -598,7 +600,7 @@ DEPENDENCIES
   possibly
   pry
   pry-rails
-  psych (= 3.3.2)
+  psych (= 4.0.4)
   puma (~> 6.0)
   puma-daemon
   rack-mini-profiler
@@ -609,6 +611,7 @@ DEPENDENCIES
   sass-rails
   simplecov
   spring
+  stringio (= 3.0.1.2)
   terminal-notifier-guard
   turbolinks (~> 5.x)
   web-console

config/attribute-map.yml

@@ -1,12 +1,8 @@
 # Maps attributes from IdP SAML response to SP user model fields.
 # See https://github.com/apokalipto/devise_saml_authenticatable for more.
-default: &default {}
+development: {}
 
-development:
-  <<: *default
-
-test:
-  <<: *default
+test: {}
 
 production:
   objectGuid: object_guid

lib/export/cancer_death_common.rb

@@ -151,7 +151,8 @@ def initialize(filename, e_type, ppats, filter = 'cd', ppatid_rowids: nil)
     # Load the required mapping file based on @batch.e_type
     def table_mapping
       mapping_file = 'cd_mapping.yml'
-      YAML.load_file(SafePath.new('mappings_config').join(mapping_file))['cd']
+      YAML.safe_load_file(SafePath.new('mappings_config').join(mapping_file),
+                          permitted_classes: [NdrImport::Table, Regexp, Symbol])['cd']
     end
 
     # Does this row match the current extract

lib/export/delimited_file.rb

@@ -59,7 +59,8 @@ def table_mapping
                        raise "No mapping found for #{@batch.e_type}"
                      end
 
-      YAML.load_file(SafePath.new('mappings_config').join(mapping_file))
+      YAML.safe_load_file(SafePath.new('mappings_config').join(mapping_file),
+                          permitted_classes: [NdrImport::Table, Regexp, Symbol])
     end
 
     # Header rows (including weird capitalisations of some fields)

lib/import/brca/core/brca_base.rb

@@ -117,7 +117,8 @@ def table_mapping
                          else
                            raise "No mapping found for #{@batch.e_type}"
                          end
-          YAML.load_file(SafePath.new('mappings_config').join(mapping_file))
+          YAML.safe_load_file(SafePath.new('mappings_config').join(mapping_file),
+                              permitted_classes: [NdrImport::Table, Regexp, Symbol])
         end
       end
     end

lib/import/delimited_file.rb

@@ -115,7 +115,8 @@ def table_mapping
                        raise "No mapping found for #{@batch.e_type}"
                      end
 
-      YAML.load_file(SafePath.new('mappings_config').join(mapping_file))
+      YAML.safe_load_file(SafePath.new('mappings_config').join(mapping_file),
+                          permitted_classes: [NdrImport::Table, Regexp, Symbol])
     end
 
     # Check that the mappings inherit NdrImport::Table