
PsychShield #22

Closed
bf4 opened this Issue Feb 13, 2013 · 3 comments

@bf4

bf4 commented Feb 13, 2013

Have you seen https://github.com/rapid7/psych_shield ?

By default, Psych Shield allows the following types of objects:

Hash Array String Range
Numeric Fixnum Integer Bignum Float Rational Complex
Time DateTime
NilClass TrueClass FalseClass

To enable additional classes, add the stringified form using the "add" method:

PsychShield.add('MyClass::IsAwesome::And::Safe')

To disable all classes (even the defaults), use the clear method:

PsychShield.clear

@dtao


Owner

dtao commented Feb 13, 2013

I am aware of Psych Shield, yeah—are you just bringing this to my attention, or is the purpose of this ticket to request that SafeYAML support this interface as well? Just trying to understand where you're coming from here.

@bf4


bf4 commented Feb 13, 2013

Just bringing it to your attention as an FYI for reference. Is there a better way to do that? Thanks for working on safe_yaml!

@dtao


Owner

dtao commented Feb 17, 2013

Oh, ha, I have no idea. I've used GitHub forever but there are definitely still features I don't totally understand. I suppose in the absence of any private messaging feature, creating an issue is a perfectly valid way to communicate! Thanks for bringing this up—I've actually just added the ability to whitelist tags to SafeYAML, and I will probably enhance this with the ability to whitelist types directly (just like PsychShield). At this point I think SafeYAML has a few advantages over PsychShield:

  • compatibility with Syck
  • the ability to sanitize and deserialize documents with untrusted types (PsychShield will blow up)

That said, PsychShield is certainly simpler (its implementation is very clean) and may be more attractive as a super lightweight solution for some devs who are using Psych and don't want to bother sanitizing questionable YAML.

Thanks again!

@dtao dtao closed this Feb 17, 2013
