Fixed vulnerability issue

Dev · Dev · commit dc793b3c2514 · 2024-05-22T11:15:05.000-07:00
diff --git a/lib/money/bank/variable_exchange.rb b/lib/money/bank/variable_exchange.rb
@@ -259,25 +259,26 @@ def rates
       #   bank.get_rate("USD", "CAD") #=> 1.24515
       #   bank.get_rate("CAD", "USD") #=> 0.803115
       def import_rates(format, s, opts = {})
-        raise Money::Bank::UnknownRateFormat unless RATE_FORMATS.include?(format)
-
-        if format == :ruby
-          warn '[WARNING] Using :ruby format when importing rates is potentially unsafe and ' \
-            'might lead to remote code execution via Marshal.load deserializer. Consider using ' \
-            'safe alternatives such as :json and :yaml.'
+      raise Money::bank::UnknownRateFormat unless RATE_FORMATS.include?(format)
+    
+      store.transaction do
+        data = case format
+        when :json
+          JSON.parse(s)
+        when :yaml
+          YAML.safe_load(s, permitted_classes: [BigDecimal, Date, Time], aliases: true)
+        else
+          raise Money::bank::UnknownRateFormat, "Unknown format: #{format}"
         end
-
-        store.transaction do
-          data = FORMAT_SERIALIZERS[format].load(s)
-
-          data.each do |key, rate|
-            from, to = key.split(SERIALIZER_SEPARATOR)
-            store.add_rate from, to, rate
-          end
+        
+        data.each do |key, rate|
+          from, to = key.split(SERIALIZER_SEPARATOR)
+          store.add_rate from, to, rate
         end
-
-        self
       end
+    
+      self
+    end
     end
   end
 end
