Never use YAML.load with user input

You can get YAML.load to instantiate any Ruby object by embedding the desired class name into the YAML code. E.g. the following will create a new User object and set @email and @password to the given values:

--- !ruby/object:User
email: me@somewhere.com
password: secret

Considering the security implications, you should never trust YAML from untrusted sources. If you are looking for a simple, secure and readable data transfer format, use Object#to_json and JSON.parse.

Another way around YAML.load is YAML.safe_load Show archive.org snapshot if you're on Ruby >= 1.9.2.

Henning Koch Over 13 years ago
This website uses short-lived cookies to improve usability.
or learn more