From 2dbbbfd71a5eb71d56ed5c93d3451daa7ac545e1 Mon Sep 17 00:00:00 2001
From: hablnu
Date: Mon, 8 Jun 2026 14:11:24 +0530
Subject: [PATCH 1/2] GENAI| fix: replace unsafe YAML deserialization with safe_load methods

Prevent RCE attacks by using YAML.safe_load instead of YAML.load in LogHelper.rb (lines 13, 20)
---
 lib/authorize_net/api/LogHelper.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/authorize_net/api/LogHelper.rb b/lib/authorize_net/api/LogHelper.rb
index 4702fe7..756599d 100644
--- a/lib/authorize_net/api/LogHelper.rb
+++ b/lib/authorize_net/api/LogHelper.rb
@@ -10,7 +10,7 @@ def initialize()
 begin
 filepath = './LogConfig.yml'
 if(File.file?(filepath))
- cnf = YAML::load(File.open(filepath))
+ cnf = YAML.safe_load(File.open(filepath))
 if(@@loglevels.include? cnf['loglevel'].downcase)
 @@shouldLog = true
 @logger = Logger.new(cnf['filepath'])
@@ -18,7 +18,7 @@ def initialize()
 if(cnf['maskSensitiveData'])
 @logger.formatter = SensitiveDataFilter.new
 else
- constants = YAML.load_file(File.dirname(__FILE__) + "/constants.yml")
+ constants = YAML.safe_load_file(File.dirname(__FILE__) + "/constants.yml")
 @logger.formatter = proc do |severity, datetime, progname, msg|
 progname = constants['clientId']
 date_format = datetime.strftime("%Y-%m-%d %H:%M:%S")

From a3d8eb7e927dfa4988c2c16e99d9c97c0262a532 Mon Sep 17 00:00:00 2001
From: hablnu
Date: Mon, 8 Jun 2026 16:29:14 +0530
Subject: [PATCH 2/2] GENAI=YES| fix: security issue

---
 lib/authorize_net/api/SensitiveDataFilter.rb | 2 +-
 lib/authorize_net/api/api_transaction.rb | 2 +-
 spec/support/shared_helper.rb | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/authorize_net/api/SensitiveDataFilter.rb b/lib/authorize_net/api/SensitiveDataFilter.rb
index 07c2301..a8addf2 100644
--- a/lib/authorize_net/api/SensitiveDataFilter.rb
+++ b/lib/authorize_net/api/SensitiveDataFilter.rb
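Review bot: `YAML.safe_load(File.open(filepath))` on the added line hands an open File object to the parser and never closes it, so the descriptor lingers until garbage collection; the block-less `File.open` predates this commit, but since the line is being rewritten anyway it is the moment to fix it. Reading the contents is enough and has no handle to leak: `cnf = YAML.safe_load(File.read(filepath))`. Also keep in mind that `safe_load` returns nil for an empty document, so the `cnf['loglevel'].downcase` on the following context line raises NoMethodError on an empty LogConfig.yml — whether the enclosing `begin` has a rescue for that is outside the hunk, as is the rest of `initialize`.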
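Review bot: `YAML.safe_load_file` on the added line of the second hunk only exists from Psych 3.3.0 (bundled with Ruby 3.0); on any older Ruby this gem may still support it raises NoMethodError, and the gemspec is not visible here, so confirm the minimum Ruby version before relying on it. The portable spelling is `constants = YAML.safe_load(File.read(File.dirname(__FILE__) + "/constants.yml"))`. Separately, `safe_load` rejects symbols and YAML aliases by default, so if constants.yml uses either, this line now raises Psych::DisallowedClass or Psych::BadAlias where the old `load_file` silently accepted it — I cannot see constants.yml to check. The `initialize` body continues past the hunk.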
@@ -79,7 +79,7 @@ def maskSensitiveXmlString(input)
 end
 def formatLogEntry(severity, time, progname, msg)
- constants = YAML.load_file(File.dirname(__FILE__) + "/constants.yml")
+ constants = YAML.safe_load_file(File.dirname(__FILE__) + "/constants.yml")
 progname = constants['clientId']
 date_format = time.strftime("%Y-%m-%d %H:%M:%S")
 if severity == "INFO" or severity == "WARN"
diff --git a/lib/authorize_net/api/api_transaction.rb b/lib/authorize_net/api/api_transaction.rb
index ae6def9..11f648a 100644
--- a/lib/authorize_net/api/api_transaction.rb
+++ b/lib/authorize_net/api/api_transaction.rb
@@ -85,7 +85,7 @@ def make_request(request, responseClass, type)
 def serialize(object, type)
 doc = Nokogiri::XML::Document.new
 doc.root = object.to_xml
- constants = YAML.load_file(File.dirname(__FILE__) + "/constants.yml")
+ constants = YAML.safe_load_file(File.dirname(__FILE__) + "/constants.yml")
 clientId = constants['clientId']
 builder = Nokogiri::XML::Builder.new(encoding: 'utf-8') do |x|
diff --git a/spec/support/shared_helper.rb b/spec/support/shared_helper.rb
index a1fd91e..4bd44e8 100644
--- a/spec/support/shared_helper.rb
+++ b/spec/support/shared_helper.rb
@@ -3,7 +3,7 @@ module SharedHelper
 def credentials
- $credentials ||= YAML.load(ERB.new(File.read "#{__dir__}/../credentials.yml").result)
+ $credentials ||= YAML.safe_load(ERB.new(File.read "#{__dir__}/../credentials.yml").result)
 rescue Errno::ENOENT
 warn "WARNING: Running w/o valid AuthorizeNet sandbox credentials. Create spec/credentials.yml."
 end
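Review bot: the added `YAML.safe_load_file` call sits inside `formatLogEntry`, so constants.yml is re-opened and re-parsed on every single log entry even though the file is static; load it once and reuse it, e.g. `@constants ||= YAML.safe_load_file(File.dirname(__FILE__) + "/constants.yml")`. Doing so also confines any parse failure (missing file, or Psych::DisallowedClass if the file contains symbols, which `safe_load` rejects by default) to the first call instead of raising from the formatter on every log line. `formatLogEntry` continues beyond the hunk.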
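Review bot: in `serialize` the added line parses constants.yml on every request just to read `clientId`; if a load-time failure is acceptable, hoisting it to a class-level constant such as `CLIENT_ID = YAML.safe_load(File.read(File.join(__dir__, 'constants.yml')))['clientId'].freeze` removes the per-request file I/O and YAML parse, and `File.join(__dir__, ...)` is the idiomatic replacement for the `File.dirname(__FILE__) + "/..."` concatenation. As written the line also depends on `safe_load_file`, which needs Psych 3.3+ (Ruby 3.0+) — confirm that against the gemspec, which is not visible here. `serialize` continues past the hunk.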
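Review bot: switching to `YAML.safe_load` in `credentials` does not move the trust boundary, because `ERB.new(...).result` on the same line already evaluates any Ruby embedded in spec/credentials.yml before YAML sees it — whoever controls that file can run code regardless, so the value here is consistency rather than RCE prevention, and the commit message should not claim otherwise. What does change is that symbol keys or aliases in credentials.yml now raise Psych::DisallowedClass or Psych::BadAlias, which the `rescue Errno::ENOENT` below does not catch; if the sandbox file uses them, pass `permitted_classes: [Symbol]` or `aliases: true` to `safe_load`. I cannot see credentials.yml, so treat this as a check rather than a report.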