Prefer safe_load and deep_symbolize_keys

lib/gitlab/metrics/dashboard/processor.rb

@@ -21,13 +21,12 @@ module Gitlab
 
         # Returns a new dashboard hash with the results of
         # running transforms on the dashboard.
-        def process(dashboard)
-          dashboard = dashboard.deep_symbolize_keys
-
-          stage_params = [@project, @environment]
-          sequence.each { |stage| stage.new(*stage_params).transform!(dashboard) }
-
-          dashboard
+        def process(raw_dashboard)
+          raw_dashboard.deep_symbolize_keys.tap do |dashboard|
+            sequence.each do |stage|
+              stage.new(@project, @environment).transform!(dashboard)
+            end
+          end
         end
 
         private

lib/gitlab/metrics/dashboard/service.rb

@@ -23,7 +23,7 @@ module Gitlab
 
         # Returns the base metrics shipped with every GitLab service.
         def system_dashboard
-          YAML.load_file(SYSTEM_DASHBOARD_PATH)
+          YAML.safe_load(File.read(SYSTEM_DASHBOARD_PATH))
         end
 
         def cache_key
@@ -32,7 +32,7 @@ module Gitlab
 
         # Returns a new dashboard Hash, supplemented with DB info
         def process_dashboard(dashboard)
-          Processor.new(project, params[:environment]).process(dashboard)
+          Gitlab::Metrics::Dashboard::Processor.new(project, params[:environment]).process(dashboard)
         end
       end
     end

spec/controllers/projects/environments_controller_spec.rb

@@ -485,7 +485,7 @@ describe Projects::EnvironmentsController do
 
       context 'when the dashboard could not be provided' do
         before do
-          allow(YAML).to receive(:load_file).and_return({})
+          allow(YAML).to receive(:safe_load).and_return({})
         end
 
         it 'returns an error response' do

spec/lib/gitlab/metrics/dashboard/service_spec.rb

@@ -19,7 +19,7 @@ describe Gitlab::Metrics::Dashboard::Service, :use_clean_rails_memory_store_cach
     end
 
     it 'caches the dashboard for subsequent calls' do
-      expect(YAML).to receive(:load_file).once.and_call_original
+      expect(YAML).to receive(:safe_load).once.and_call_original
 
       described_class.new(project, environment).get_dashboard
       described_class.new(project, environment).get_dashboard
@@ -27,7 +27,7 @@ describe Gitlab::Metrics::Dashboard::Service, :use_clean_rails_memory_store_cach
 
     context 'when the dashboard is configured incorrectly' do
       before do
-        allow(YAML).to receive(:load_file).and_return({})
+        allow(YAML).to receive(:safe_load).and_return({})
       end
 
       it 'returns an appropriate message and status code' do