[ruby/rubygems] Refactor validate_tag! to enforce permitted_classes consistently with Psych

hsbt · claude · matzbot · commit 60e8042e6912 · 2026-03-17T00:21:54.000Z
Align YAMLSerializer's `permitted_classes` validation with Psych's whitelist semantics: an empty `permitted_classes` list denies all tagged classes, matching `Psych::ClassLoader::Restricted` behavior. - Rename `@permitted_tags` to `@permitted_classes` and simplify initialization - Extract `raise_disallowed_class!` from `validate_tag!` for clarity - Move `check_anchor!` before `validate_tag!` in `build_mapping` - Add test for `Gem::Version::Requirement` tag used by old gems like `escape` ruby/rubygems@3c5855e833 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/lib/rubygems/yaml_serializer.rb b/lib/rubygems/yaml_serializer.rb
@@ -423,9 +423,7 @@ class Builder
       MAX_ALIAS_RESOLUTIONS = 1_000
 
       def initialize(permitted_classes: [], permitted_symbols: [], aliases: true)
-        @permitted_tags = Array(permitted_classes).map do |c|
-          "!ruby/object:#{c.is_a?(Module) ? c.name : c}"
-        end
+        @permitted_classes = permitted_classes.map {|c| "!ruby/object:#{c}" }
         @permitted_symbols = permitted_symbols
         @aliases = aliases
         @anchor_values = {}
@@ -474,8 +472,8 @@ def store_anchor(name, value)
       end
 
       def build_mapping(node)
-        validate_tag!(node.tag) if node.tag
         check_anchor!(node)
+        validate_tag!(node.tag) if node.tag
 
         result = case node.tag
                  when "!ruby/object:Gem::Version"
@@ -605,12 +603,15 @@ def pairs_to_hash(node)
       end
 
       def validate_tag!(tag)
-        unless @permitted_tags.include?(tag)
-          if defined?(Psych::VERSION)
-            raise Psych::DisallowedClass.new("load", tag)
-          else
-            raise Psych::DisallowedClass, "Tried to load unspecified class: #{tag}"
-          end
+        return if @permitted_classes.include?(tag)
+        raise_disallowed_class!(tag)
+      end
+
+      def raise_disallowed_class!(tag)
+        if defined?(Psych::VERSION)
+          raise Psych::DisallowedClass.new("load", tag)
+        else
+          raise Psych::DisallowedClass, "Tried to load unspecified class: #{tag}"
         end
       end
 
diff --git a/test/rubygems/test_gem_safe_yaml.rb b/test/rubygems/test_gem_safe_yaml.rb
@@ -1216,4 +1216,24 @@ def test_binary_tag_decoded_in_sequence_item_inline
     result = yaml_load(yaml)
     assert_equal ["SHA1"], result
   end
+
+  def test_version_requirement_tag_always_permitted
+    yaml = <<~YAML
+      --- !ruby/object:Gem::Specification
+      name: escape
+      version: !ruby/object:Gem::Version
+        version: 0.0.4
+      required_ruby_version: !ruby/object:Gem::Version::Requirement
+        requirements:
+        - - ">"
+          - !ruby/object:Gem::Version
+            version: 0.0.0
+        version:
+    YAML
+
+    result = yaml_load(yaml)
+    assert_kind_of Gem::Specification, result
+    assert_equal "escape", result.name
+    assert_kind_of Gem::Requirement, result.required_ruby_version
+  end
 end
