PsychShield

[bf4]

have you seen https://github.com/rapid7/psych_shield ?

By default, Psych Shield allows the following types of objects:

Hash Array String Range
Numeric Fixnum Integer Bignum Float Rational Complex
Time DateTime
NilClass TrueClass FalseClass
To enable additional classes, add the stringified form using the "add" method:

PsychShield.add('MyClass::IsAwesome::And::Safe')
To disable all classes (even the defaults), use the clear method:

PsychShield.clear

[dtao]

I am aware of Psych Shield, yeah—are you just brining my attention, or is the purpose of this ticket to request that SafeYAML support this interface as well? Just trying to understand where you're coming from here.

[bf4]

Just bringing it your attention as FYI for reference. Is there a better way to do that? Thanks for working on safe_yaml!

[dtao]

Oh, ha, I have no idea. I've used GitHub forever but there are definitely still features I don't totally understand. I suppose in the absence of any private messaging feature, creating an issue is a perfectly valid way to communicate! Thanks for bringing this up—I've actually just added the ability to whitelist tags to SafeYAML, and I will probably enhance this with the ability to whitelist types directly (just like PsychShield). At this point I think SafeYAML has a few advantages over PsychShield:

• compatibility with Syck
• the ability to sanitize and deserialize documents with untrusted types (PsychShield will blow up)

That said, PsychShield is certainly simpler (its implementation is very clean) and may be more attractive as a super lightweight solution for some devs who are using Psych and don't want to bother sanitizing questionable YAML.

Thanks again!