Never use YAML.load with user input


You can get YAML.load to instantiate any Ruby object by embedding the desired class name into the YAML code. E.g. the following will create a new User object and set @email and @password to the given values:

--- !ruby/object:User
email: me@somewhere.com
password: secret

Considering the security implications, you should never trust YAML from untrusted sources. If you are looking for a simple, secure and readable data transfer format, use Object#to_json and JSON.parse.

Another way around YAML.load is YAML.safe_load if you're on Ruby >= 1.9.2.
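As an added example (not code from the original card), this contrasts the three loaders the card mentions on the same tagged document: the unsafe loader builds a User object from the !ruby/object tag, YAML.safe_load rejects it, and a JSON round trip yields a plain Hash. The User class is a stand-in assumption; on Ruby >= 3.1 the old YAML.load behaviour lives in YAML.unsafe_load, so the helper picks whichever this Ruby exposes.

```ruby
require 'yaml'
require 'json'

# Hypothetical model class standing in for the User class named on the card.
class User
  attr_reader :email, :password
end

# The tagged YAML document from the card, embedded as constructed sample input.
TAGGED_YAML = <<~YAML
  --- !ruby/object:User
  email: me@somewhere.com
  password: secret
YAML

# The unsafe loader honours the !ruby/object tag and allocates a User instance,
# setting @email and @password without calling any constructor.
# Ruby >= 3.1 (Psych 4) made YAML.load safe by default and moved the old
# behaviour to YAML.unsafe_load, so use whichever one this Ruby provides.
def load_unsafely(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# safe_load only builds Hash, Array, String, Integer, Float, nil and booleans
# (plus anything you list in permitted_classes) and raises on any other tag.
# Returns :rejected so callers can branch without rescuing themselves.
def load_safely(yaml)
  YAML.safe_load(yaml)
rescue Psych::DisallowedClass
  :rejected
end

# JSON has no object tags at all, so the same data arrives as a plain Hash.
def roundtrip_via_json(hash)
  JSON.parse(hash.to_json)
end

if __FILE__ == $PROGRAM_NAME
  puts load_unsafely(TAGGED_YAML).class   # User
  puts load_safely(TAGGED_YAML).inspect   # :rejected
  puts roundtrip_via_json('email' => 'me@somewhere.com').inspect
end
```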

Author: Henning Koch
Last edit: Daniel Straßner
License: Source code in this card is licensed under the MIT License.
Posted by Henning Koch to makandra dev (2010-12-02 20:13)