From 06e435fd84bec4897c5d2fe56b25a690ee8b680b Mon Sep 17 00:00:00 2001
From: Alex Ford
Date: Mon, 26 Sep 2022 11:26:30 +0100
Subject: [PATCH] Ruby: remove YAML.load_file arg0 as an unsafe deserialization sink

---
 .../ruby/security/UnsafeDeserializationCustomizations.qll | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll
index dfe448e7b5b..517ba6fa700 100644
--- a/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll
@@ -48,16 +48,13 @@ module UnsafeDeserialization {
   }
 
   /**
-   * An argument in a call to `YAML.load` or `YAML.load_file`, considered a sink
+   * An argument in a call to `YAML.load`, considered a sink
    * for unsafe deserialization. The `YAML` module is an alias of `Psych` in
    * recent versions of Ruby.
    */
   class YamlLoadArgument extends Sink {
     YamlLoadArgument() {
-      this =
-        API::getTopLevelMember(["YAML", "Psych"])
-          .getAMethodCall(["load", "load_file"])
-          .getArgument(0)
+      this = API::getTopLevelMember(["YAML", "Psych"]).getAMethodCall("load").getArgument(0)
     }
   }
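Review bot: The rewritten QLDoc on `YamlLoadArgument` drops `load_file` from the sentence without recording why it is no longer a sink, so the next person to extend this class is likely to add it back. The reason is security-relevant and worth stating: the first argument of `YAML.load_file` is a file path, not YAML document content, so taint reaching it is a file-access problem rather than an unsafe-deserialization one, even though the file's contents are still passed through the same (unsafe, on older Psych) loader. I would rewrite the comment as `* An argument in a call to \`YAML.load\`, considered a sink for unsafe deserialization.` / `* \`YAML.load_file\` is deliberately excluded: its argument is a file path, not YAML content,` / `* so a tainted argument is a file-access issue rather than a deserialization sink.` Separately, since Psych 4 (Ruby 3.1) `YAML.load` defaults to safe loading while `YAML.unsafe_load` / `YAML.unsafe_load_file` remain unconditionally unsafe; if those are not modelled elsewhere in this file (not visible in this hunk), `unsafe_load` belongs in the `getAMethodCall` list here as the unambiguous sink.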