Summary
Herb::Configuration#load_config calls YAML.safe_load_file without aliases: true, which raises Psych::AliasesNotEnabled at runtime when a project's .herb.yml uses YAML anchors and aliases — a common way to DRY up repeated rule definitions.
Reproduction
.herb.yml:

```yaml
files:
  include: &patterns
    - "**/*.custom.erb"
  exclude: *patterns
```
Then:

```ruby
require "herb"
Herb::Configuration.load(Dir.pwd)
```
Raises:

```
Psych::AliasesNotEnabled: Alias parsing was not enabled.
To enable it, pass `aliases: true` to `Psych::load` or `Psych::safe_load`.
```
This surfaces in any runtime that triggers Configuration.load — for example, when reactionview is installed with config.intercept_erb = true, every request renders a page that crashes with this error. Standalone bundle exec herb lint appears unaffected because it uses a different code path (presumably Psych's default load, which enables aliases).
Root cause
lib/herb/configuration.rb#L228:

```ruby
user_config = YAML.safe_load_file(@config_path, permitted_classes: [Symbol]) || {}
```
Psych.safe_load defaults aliases to false to mitigate the "billion laughs" DoS, which is appropriate for untrusted YAML. But .herb.yml is developer-authored local config — same threat model as database.yml, credentials.yml, or .rubocop.yml, all of which enable aliases.
Proposed fix
Pass aliases: true to the YAML.safe_load_file call.
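The following is an added example, not Herb's code: a stand-in loader (`load_herb_config`, hypothetical name) that mirrors the `safe_load_file` call above, run against a constructed `.herb.yml` with and without the proposed `aliases: true` so the failure and the fix can be seen side by side. The `aliases: true` setting is only appropriate because the file is the project's own developer-authored config; untrusted YAML should keep the default.

```ruby
# Added example (not Herb's code): reproduces the alias failure and the proposed fix.
require "yaml"
require "tempfile"

# Constructed .herb.yml content using an anchor (&patterns) and an alias (*patterns),
# mirroring the reproduction in the issue.
HERB_YML = <<~YAML
  files:
    include: &patterns
      - "**/*.custom.erb"
    exclude: *patterns
YAML

# Hypothetical stand-in for Herb::Configuration#load_config. The `aliases:` keyword
# is the flag the issue proposes adding; permitted_classes is kept as in the original.
def load_herb_config(path, aliases: false)
  YAML.safe_load(File.read(path),
                 permitted_classes: [Symbol],
                 aliases: aliases,
                 filename: path) || {}
end

# Writes the constructed config to a temp file, runs the loader, and returns either
# the parsed Hash or the exception class the loader raised.
def try_load(aliases:)
  Tempfile.create([".herb", ".yml"]) do |f|
    f.write(HERB_YML)
    f.flush
    begin
      load_herb_config(f.path, aliases: aliases)
    rescue Psych::BadAlias => e # Psych::AliasesNotEnabled is a subclass of Psych::BadAlias
      e.class
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  p try_load(aliases: false) # => Psych::AliasesNotEnabled (Psych::BadAlias on older Psych)
  p try_load(aliases: true)  # => {"files"=>{"include"=>["**/*.custom.erb"], "exclude"=>["**/*.custom.erb"]}}
end
```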
Affected versions
Reproduced on herb 0.9.5 and 0.9.6 (current latest).
Pull request
I've opened #1632 with the one-line fix plus a regression test covering anchor/alias loading.