Configuration: YAML anchors/aliases in .herb.yml raise Psych::AliasesNotEnabled #1631

Description

@matiasleidemer

Summary

Herb::Configuration#load_config calls YAML.safe_load_file without aliases: true, which raises Psych::AliasesNotEnabled at runtime when a project's .herb.yml uses YAML anchors and aliases — a common way to DRY up repeated rule definitions.

Reproduction

.herb.yml:

files:
  include: &patterns
    - "**/*.custom.erb"
  exclude: *patterns

Then:

require "herb"
Herb::Configuration.load(Dir.pwd)

Raises:

Psych::AliasesNotEnabled: Alias parsing was not enabled.
To enable it, pass `aliases: true` to `Psych::load` or `Psych::safe_load`.

This surfaces in any runtime that triggers Configuration.load — for example, when reactionview is installed with config.intercept_erb = true, every request renders a page that crashes with this error. Standalone bundle exec herb lint appears unaffected because it uses a different code path (presumably Psych's default load, which enables aliases).

Root cause

lib/herb/configuration.rb#L228:

user_config = YAML.safe_load_file(@config_path, permitted_classes: [Symbol]) || {}

Psych.safe_load defaults aliases to false to mitigate the "billion laughs" DoS, which is appropriate for untrusted YAML. But .herb.yml is developer-authored local config — same threat model as database.yml, credentials.yml, or .rubocop.yml, all of which enable aliases.

Proposed fix

Pass aliases: true to the YAML.safe_load_file call.

Affected versions

Reproduced on herb 0.9.5 and 0.9.6 (current latest).

Pull request

I've opened #1632 with the one-line fix plus a regression test covering anchor/alias loading.
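The behaviour described under "Root cause" and "Proposed fix", as an added example that is not code from the herb project: it feeds a constructed .herb.yml with an anchor/alias pair to YAML.safe_load both with the default (aliases disabled) and with aliases: true, and adds a size guard (an assumption of this example, not part of the proposed fix) so that relaxing the alias restriction for trusted local config does not mean accepting arbitrarily large input.

```ruby
require "yaml"

# Constructed sample .herb.yml contents using an anchor (&patterns) and an alias (*patterns).
HERB_YML = <<~YAML
  files:
    include: &patterns
      - "**/*.custom.erb"
    exclude: *patterns
YAML

# Loads developer-authored config the way the issue's configuration.rb line does,
# with aliases toggled. Returns the parsed Hash ({} for an empty file), or the
# Psych exception object when alias parsing is disabled and the YAML uses one.
# max_bytes is an added guard (assumption): aliases are what the "billion laughs"
# mitigation protects against, so keep the input small when enabling them.
def load_herb_config(yaml, aliases:, max_bytes: 64 * 1024)
  raise ArgumentError, "config exceeds #{max_bytes} bytes" if yaml.bytesize > max_bytes
  YAML.safe_load(yaml, permitted_classes: [Symbol], aliases: aliases) || {}
rescue Psych::BadAlias => e # Psych::AliasesNotEnabled is a subclass of BadAlias
  e
end

if __FILE__ == $PROGRAM_NAME
  p load_herb_config(HERB_YML, aliases: false) # Psych::AliasesNotEnabled (or BadAlias on older Psych)
  p load_herb_config(HERB_YML, aliases: true)  # {"files"=>{"include"=>[...], "exclude"=>[...]}}
end
```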
