fix(security): replace IO.read with File.read (#378)

pkuczynski · web-flow · commit e0bf18fab4fe · 2025-07-11T17:44:55.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,8 +1,12 @@
 # Changelog
 
+## Next
+
+* fix(security): replace IO.read with File.read [#378](https://github.com/rubyconfig/config/pull/378)
+
 ## 5.6.0
 
-* Added `extra_sources` in initializer  ([#366](https://github.com/rubyconfig/config/pull/366))
+* Added `extra_sources` in initializer ([#366](https://github.com/rubyconfig/config/pull/366))
 
 ## 5.5.2
 
diff --git a/lib/config/sources/yaml_source.rb b/lib/config/sources/yaml_source.rb
@@ -15,7 +15,7 @@ def initialize(path, evaluate_erb: Config.evaluate_erb_in_yaml)
       # returns a config hash from the YML file
       def load
         if @path and File.exist?(@path)
-          file_contents = IO.read(@path)
+          file_contents = File.read(@path)
           file_contents = ERB.new(file_contents).result if evaluate_erb
           result = YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(file_contents) : YAML.load(file_contents)
         end
diff --git a/spec/support/rails_helper.rb b/spec/support/rails_helper.rb
@@ -5,7 +5,7 @@
 # Loads ENV vars from a yaml file
 def load_env(filename)
   if filename and File.exist?(filename.to_s)
-    result = YAML.load(ERB.new(IO.read(filename.to_s)).result)
+    result = YAML.load(ERB.new(File.read(filename.to_s)).result)
   end
   result.each { |key, value| ENV[key.to_s] = value.to_s } unless result.nil?
 end
