Is there an equivalent to yaml.safe_load in Ruby?

Question

Is there an equivalent to yaml.safe_load in Ruby?

Rather, the high-profile security vulnerability in Rails recently highlighted the potential danger of parsing the user-provided YAML in a Ruby application.

A quick Google search reveals that the YAML Python Library includes the safe_load method, which will only deserialize "simple Python objects, such as integers or lists," rather than objects of any arbitrary type.

Does Ruby have an equivalent? Is there a way to safely accept YAML input in a Ruby application without manually writing a custom parser?

+4

python security ruby yaml

Dan tao Jan 15 '13 at 23:01

source share

2 answers

Following Jim’s advice , I went ahead and wrote safe_yaml , a gem that adds the YAML.safe_load method and uses Psych inside for a heavy lift.

+6

Dan tao Jan 17 '13 at 14:49

source share

Jim deville · Accepted Answer · 2013-01-15T23:14:38+0000

Using the lower-level interfaces for Psych (the actual parser engine), you can access lower-level structures without converting them to Ruby objects one by one (see http://rubydoc.info/stdlib/psych/Psych/Parser ). It is not as simple as safe_load , but it provides a route for this.

Syck and Psych may have other parameters that are more direct, such as safe_load .

Is there an equivalent to yaml.safe_load in Ruby?

More articles: