
2.4.2. YAML.load

YAML is a popular serialization format among Ruby developers. Just like Marshal.load, YAML.load can be used to deserialize most Ruby classes, and it likewise should never be used on untrusted data.

2.4.2.1. SafeYAML

An alternative approach is taken by the SafeYAML gem: by default it allows deserialization of only a few types of objects that can be considered safe, such as Hash, Array and String. When an application requires deserialization of other types, the developer can explicitly whitelist trusted classes:
SafeYAML.whitelist!(FrobDispenser, GobbleFactory)
This approach is more versatile, since it disables deserialization of unsafe classes, yet allows the developer to deserialize known benign objects. Requiring safe_yaml will patch the YAML.load method.
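As an added illustration (not code from this guide or from the SafeYAML gem), the following uses Ruby's built-in Psych YAML.safe_load with an explicit permitted_classes list, which applies the same allow-list idea as SafeYAML.whitelist!: a tagged document only instantiates the class it names when that class is on the list. FrobDispenser and the YAML document are constructed stand-ins, and the code assumes Ruby 2.6 or newer (the permitted_classes keyword).

```ruby
require 'yaml'

# Constructed stand-in for the "trusted" class named in the text; it is
# harmless and only lets us observe which class the loader instantiates.
class FrobDispenser
  attr_accessor :setting
  def initialize(setting = 'default')
    @setting = setting
  end
end

# Constructed sample document of the kind untrusted input could carry: a
# type tag asking the loader to build an arbitrary Ruby object.
UNTRUSTED_DOC = <<~YAML
  --- !ruby/object:FrobDispenser
  setting: injected
YAML

# Full-power loader. Ruby >= 3.1 makes YAML.load safe by default and moves
# the old behaviour to YAML.unsafe_load; older Rubies only have YAML.load.
def load_unrestricted(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Allow-list loader, the stdlib counterpart of SafeYAML.whitelist!: besides
# the basic types (Hash, Array, String, numbers, booleans, nil) only the
# listed classes may be instantiated; any other tag raises DisallowedClass.
def load_allowlisted(doc, allowed = [])
  YAML.safe_load(doc, permitted_classes: allowed)
end

# Returns the class each loader produces for the document (or the error
# class when the allow-listed loader refuses it).
def compare(doc, allowed = [])
  unrestricted = load_unrestricted(doc)
  allowlisted = begin
    load_allowlisted(doc, allowed)
  rescue Psych::DisallowedClass => e
    e
  end
  { unrestricted: unrestricted.class, allowlisted: allowlisted.class }
end

if __FILE__ == $PROGRAM_NAME
  p compare(UNTRUSTED_DOC)                  # allowlisted: Psych::DisallowedClass
  p compare(UNTRUSTED_DOC, [FrobDispenser]) # both: FrobDispenser
end
```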