From c6d10fe6e7ad91bcc878a5489c345d7817cc3d4e Mon Sep 17 00:00:00 2001
From: Tristan Starck
Date: Fri, 25 Mar 2022 13:43:32 -0700
Subject: [PATCH] use safe_load_file with only Regexp as permitted class

---
 CHANGELOG.md                              | 2 ++
 lib/process_settings/targeted_settings.rb | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index adb8a6a..631036a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,8 @@ Note: this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0
 ## [0.20.0] - Unreleased
 ### Added
 - Added regular expressions capabilities to targeting. See [README.md](README.md#Regexp-Targeting) for usage examples.
+### Fixed
+- Use `Pysch.safe_load_file` over `Pysch.load_file` with `Regexp` as only permitted class.
 
 ## [0.19.0] - 2021-07-09
 ### Fixed
diff --git a/lib/process_settings/targeted_settings.rb b/lib/process_settings/targeted_settings.rb
index 5032fe6..f489902 100644
--- a/lib/process_settings/targeted_settings.rb
+++ b/lib/process_settings/targeted_settings.rb
@@ -73,7 +73,7 @@ def from_array(settings_array, only_meta: false)
       end
 
       def from_file(file_path, only_meta: false)
-        json_doc = Psych.load_file(file_path)
+        json_doc = Psych.safe_load_file(file_path, permitted_classes: [Regexp])
         from_array(json_doc, only_meta: only_meta)
       end
     end
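Review bot: The new `Psych.safe_load_file` call in `from_file` rejects YAML anchors and aliases by default (`safe_load` runs with `aliases: false`), so any targeted-settings file that reuses a node via `&anchor`/`*alias` will now raise where `Psych.load_file` accepted it; whether such files exist cannot be seen from the hunk, and if they are meant to be supported the call should pass `aliases: true`. Symbols are likewise not permitted unless `permitted_classes` also lists `Symbol` or `permitted_symbols` is given, so a settings file with `:key` style scalars would fail in the same way and that expectation deserves a comment on the line, e.g. `# only Regexp may be instantiated from the file; anything else must be plain YAML data`. As far as I know `Psych.safe_load_file` only exists in psych 3.3 and later (bundled with Ruby 3.0), whereas `json_doc = Psych.safe_load(File.read(file_path), permitted_classes: [Regexp], filename: file_path)` gives the same restriction on older psych releases, so the gemspec's Ruby/psych requirement should be checked against this change. The restriction itself is the right direction: `load_file` would instantiate any tagged Ruby object found in the file, and permitting only `Regexp` limits deserialization to the one non-core type the targeting feature needs; the enclosing class of `from_file` starts outside the hunk. Separately, the CHANGELOG entry in the first hunk spells the module `Pysch` twice where it should read `Psych`.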