Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PsychShield #22

Closed
bf4 opened this issue Feb 13, 2013 · 3 comments
Closed

PsychShield #22

bf4 opened this issue Feb 13, 2013 · 3 comments

Comments

@bf4
Copy link

@bf4 bf4 commented Feb 13, 2013

have you seen https://github.com/rapid7/psych_shield ?

By default, Psych Shield allows the following types of objects:

Hash Array String Range
Numeric Fixnum Integer Bignum Float Rational Complex
Time DateTime
NilClass TrueClass FalseClass
To enable additional classes, add the stringified form using the "add" method:

PsychShield.add('MyClass::IsAwesome::And::Safe')
To disable all classes (even the defaults), use the clear method:

PsychShield.clear

@dtao
Copy link
Owner

@dtao dtao commented Feb 13, 2013

I am aware of Psych Shield, yeah—are you just brining my attention, or is the purpose of this ticket to request that SafeYAML support this interface as well? Just trying to understand where you're coming from here.

@bf4
Copy link
Author

@bf4 bf4 commented Feb 13, 2013

Just bringing it your attention as FYI for reference. Is there a better way to do that? Thanks for working on safe_yaml!

@dtao
Copy link
Owner

@dtao dtao commented Feb 17, 2013

Oh, ha, I have no idea. I've used GitHub forever but there are definitely still features I don't totally understand. I suppose in the absence of any private messaging feature, creating an issue is a perfectly valid way to communicate! Thanks for bringing this up—I've actually just added the ability to whitelist tags to SafeYAML, and I will probably enhance this with the ability to whitelist types directly (just like PsychShield). At this point I think SafeYAML has a few advantages over PsychShield:

  • compatibility with Syck
  • the ability to sanitize and deserialize documents with untrusted types (PsychShield will blow up)

That said, PsychShield is certainly simpler (its implementation is very clean) and may be more attractive as a super lightweight solution for some devs who are using Psych and don't want to bother sanitizing questionable YAML.

Thanks again!

@dtao dtao closed this Feb 17, 2013
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants