Address security issues with eval and YAML.load

.rubocop_todo.yml

@@ -270,17 +270,6 @@ RSpec/SubjectStub:
     - 'spec/whois/parser_extensions/record_spec.rb'
     - 'spec/whois/safe_record_spec.rb'
 
-# Offense count: 1
-Security/Eval:
-  Exclude:
-    - 'spec/whois/parser_extensions/whois_spec.rb'
-
-# Offense count: 1
-# This cop supports unsafe autocorrection (--autocorrect-all).
-Security/YAMLLoad:
-  Exclude:
-    - 'lib/whois/scanners/whois.smallregistry.net.rb'
-
 # Offense count: 4
 # This cop supports unsafe autocorrection (--autocorrect-all).
 # Configuration parameters: EnforcedStyle.

CHANGELOG.md

@@ -5,7 +5,9 @@ This project uses [Semantic Versioning 2.0.0](http://semver.org/).
 
 #### master
 
-- CHANGED: Minimum Ruby version 2.3
+- CHANGED: Minimum Ruby version 2.6
+
+- FIXED: Addressed security issues with eval and YAML.load. Thanks Francis Beaudoin
 
 
 #### Release 1.2.0

lib/whois/parsers/whois.dns.lu.rb

@@ -94,18 +94,18 @@ class WhoisDnsLu < Base
       private
 
       def build_contact(element, type)
-        if name = value_for_key('%s-name' % element)
-          Parser::Contact.new(
-              type:         type,
-              id:           nil,
-              name:         name,
-              address:      value_for_key('%s-address' % element),
-              city:         value_for_key('%s-city' % element),
-              zip:          value_for_key('%s-zipcode' % element),
-              country_code: value_for_key('%s-country' % element),
-              email:        value_for_key('%s-email' % element)
-          )
-        end
+        return unless (name = value_for_key(format("%s-name", element)))
+
+        Parser::Contact.new(
+            type:         type,
+            id:           nil,
+            name:         name,
+            address:      value_for_key(format("%s-address", element)),
+            city:         value_for_key(format("%s-city", element)),
+            zip:          value_for_key(format("%s-zipcode", element)),
+            country_code: value_for_key(format("%s-country", element)),
+            email:        value_for_key(format("%s-email", element))
+        )
       end
 
       def value_for_key(key)

lib/whois/scanners/base_iisse.rb

@@ -23,7 +23,9 @@ class BaseIisse < Base
       tokenizer :scan_disclaimer do
         if @input.match?(/# Copyright/)
           lines = []
-          lines << @input[1].strip unless @input[1].strip == "" while @input.scan(/#(.*)\n\n?/)
+          while @input.scan(/#(.*)\n\n?/) # rubocop:disable Style/WhileUntilModifier
+            lines << @input[1].strip if @input[1].strip != ""
+          end
           @ast["field:disclaimer"] = lines.join(" ")
         end
       end

lib/whois/scanners/whois.denic.de.rb

@@ -34,7 +34,9 @@ class WhoisDenicDe < Base
         if @input.match?(/% Copyright \(c\) *\d{4} by DENIC\n/)
           @input.scan_until(/% Terms and Conditions of Use\n/)
           lines = []
-          lines << @input[1].strip unless @input[1].strip == "" while @input.match?(/%/) && @input.scan(/%(.*)\n/)
+          while @input.match?(/%/) && @input.scan(/%(.*)\n/) # rubocop:disable Style/WhileUntilModifier
+            lines << @input[1].strip unless @input[1].strip == ""
+          end
           @ast["Disclaimer"] = lines.join(" ")
         end
       end

lib/whois/scanners/whois.smallregistry.net.rb

@@ -41,7 +41,7 @@ class WhoisSmallregistryNet < Base
       tokenizer :scan_body do
         str = @input.rest
         str.gsub!(/ (!\w+) \n/, " \n") # remove custom types
-        @ast.merge! YAML.load(str)
+        @ast.merge! YAML.safe_load(str)
         @input.terminate
       end
 

spec/whois/parser_extensions/whois_spec.rb

@@ -4,7 +4,7 @@
 
   class Whois::Parsers::ParserTest < Whois::Parsers::Base
     property_supported :available? do
-      eval(content_for_scanner)
+      content_for_scanner == "1 == 1"
     end
     property_supported :registered? do
       !available?