Never use YAML.load with user input


You can get YAML.load to instantiate an arbitrary Ruby object by naming its class in a tag inside the YAML document. E.g. the following creates a new User object (allocated directly, without calling its initializer) and sets its @email and @password instance variables to the given values:

--- !ruby/object:User
email: me@somewhere.com
password: secret

Since whoever controls the document also chooses the class and the contents of its instance variables, this is more than an integrity problem: loading attacker-controlled YAML with YAML.load is arbitrary object deserialization, which can escalate to code execution when classes with suitable side effects are loaded in the process. You should therefore never pass YAML from untrusted sources to YAML.load. If you are looking for a simple, secure and readable data transfer format, use Object#to_json and JSON.parse, which only produce strings, numbers, booleans, nil, arrays and hashes.

If you need to accept YAML anyway, use YAML.safe_load instead of YAML.load. It only builds those basic types and raises Psych::DisallowedClass for any other tag; classes you genuinely need can be allowed explicitly via the permitted_classes: option. safe_load was introduced in Psych 2.0, which is bundled from Ruby 2.1 on. Since Psych 4 (the default in Ruby 3.1) YAML.load itself behaves like safe_load, and the old unrestricted loader is available as YAML.unsafe_load.
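The difference between the two loaders, as an added example (this is not code from the card): the User class, the helper method names and the sample documents are constructed for illustration. The unrestricted loader builds a User from the tagged document, safe_load rejects it unless User is explicitly permitted, and JSON.parse never instantiates a class at all.

```ruby
require 'yaml'
require 'json'

# Constructed application class with state an outsider must not control.
class User
  attr_reader :email, :password

  def initialize(email = nil, password = nil)
    @email = email
    @password = password
  end
end

# Constructed attacker-controlled document, same shape as the card's example.
UNTRUSTED_YAML = <<~YAML
  --- !ruby/object:User
  email: me@somewhere.com
  password: secret
YAML

# Constructed JSON that mimics the old json_class convention.
UNTRUSTED_JSON = '{"json_class":"User","email":"me@somewhere.com","password":"secret"}'

# The unrestricted loader. Psych 4 (Ruby 3.1+) calls it YAML.unsafe_load and
# makes YAML.load safe by default; older Psych only has the unrestricted
# YAML.load, so pick whichever this Ruby provides.
def unrestricted_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Name of the class the unrestricted loader instantiated for the document.
# For UNTRUSTED_YAML this is "User": the object is allocated and its
# instance variables set without User#initialize ever running.
def class_built_by_unrestricted_load(doc)
  unrestricted_load(doc).class.name
end

# The restricted loader. Only scalars, arrays, hashes and the classes listed
# in `permitted` are built; any other tag raises Psych::DisallowedClass,
# which we map to :rejected so callers can treat it as a hard failure.
def safe_parse(doc, permitted: [])
  YAML.safe_load(doc, permitted_classes: permitted)
rescue Psych::DisallowedClass
  :rejected
end

# JSON.parse (create_additions is off by default) returns a plain Hash even
# when the document carries a json_class key, so no class is ever chosen by
# the sender.
def parse_as_json(doc)
  JSON.parse(doc)
end

if __FILE__ == $PROGRAM_NAME
  puts "unrestricted load built a #{class_built_by_unrestricted_load(UNTRUSTED_YAML)}"
  puts "safe_load result: #{safe_parse(UNTRUSTED_YAML).inspect}"
  puts "safe_load with User permitted: #{safe_parse(UNTRUSTED_YAML, permitted: [User]).inspect}"
  puts "JSON.parse result: #{parse_as_json(UNTRUSTED_JSON).class}"
end
```

Treat the :rejected result as an error to log and refuse, not something to fall back from; the permitted_classes: list should stay short and name only classes whose instance variables are harmless to set from the outside.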

Henning Koch
Last edit
Daniel Straßner
License
Source code in this card is licensed under the MIT License.
Posted by Henning Koch to makandra dev (2010-12-02 20:13)