TIL most popular languages' yaml libraries *intentionally* allow arbitrary code execution. WTF. https://arp242.net/weblog/yaml_probably_not_so_great_after_all.html
It's not. Data formats that embed code to be executed in the privilege context of the processing user are SO far across the line of what's acceptable you just assume it wouldn't happen in anything but ancient legacy formats (e.g. Word macros).
-
My experience in the Ruby community is that YAML is touted as the interoperable equivalent of Python's Pickle or Ruby's Marshal, in that it magically serializes and deserializes arbitrary objects (and brings security risks with that).
-
"Deserializes arbitrary objects" is a bug in itself, but IME yaml is just an obnoxious alternative *data format* to json and xml, containing untrusted data, not a pickle-hell-wannabe.
-
Understood, but I'm talking about my experience in terms of the Ruby community. Although that perspective of YAML is clearly influenced by the dangerous API design (i.e. load/safe_load instead of unsafe_load/load).
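To make the load/safe_load point concrete, here is an added example (not part of the thread, and not code from any of the participants) using Ruby's bundled Psych library. The `AuditEntry` class and the YAML document are constructed for illustration; the document carries a `!ruby/object:` tag, which is the mechanism by which untrusted input gets to choose which class is instantiated. On Psych < 4 (Ruby < 3.1) `YAML.load` honours that tag by default; on Psych 4 `YAML.load` is safe and the unsafe behaviour lives in `YAML.unsafe_load`, so the example picks whichever unsafe entry point the installed version exposes.

```ruby
require 'yaml'

# Constructed, harmless class: any class reachable by name would do.
# In a real app the dangerous gadgets are classes whose init_with /
# accessors have side effects, not this one.
class AuditEntry
  attr_accessor :user, :action
end

# Constructed untrusted input. The tag tells the deserializer which
# Ruby class to allocate and populate from the mapping below it.
UNTRUSTED_DOC = <<~YAML
  --- !ruby/object:AuditEntry
  user: mallory
  action: delete_everything
YAML

# Unsafe path: the document picks the class.
# Psych >= 3.3 exposes this as YAML.unsafe_load; older Psych only has
# YAML.load, which behaves the same way.
def unsafe_parse(doc)
  if YAML.respond_to?(:unsafe_load)
    YAML.unsafe_load(doc)
  else
    YAML.load(doc)
  end
end

# Safe path: only core YAML types (strings, numbers, arrays, hashes, ...).
# Any !ruby/object or other class-selecting tag raises Psych::DisallowedClass.
def safe_parse(doc)
  YAML.safe_load(doc)
end

# Wrapper that turns the rejection into a value so callers can branch on it.
def safe_parse_result(doc)
  [:ok, safe_parse(doc)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

# If an application genuinely needs to round-trip its own objects, the
# allowlist is the way to do it: the deserializer may instantiate only the
# classes named here. (permitted_classes: needs Psych >= 3.1.)
def safe_parse_allowing(doc, classes)
  YAML.safe_load(doc, permitted_classes: classes)
end

if $PROGRAM_NAME == __FILE__
  obj = unsafe_parse(UNTRUSTED_DOC)
  puts "unsafe: instantiated #{obj.class} for user=#{obj.user}"
  status, detail = safe_parse_result(UNTRUSTED_DOC)
  puts "safe_load: #{status} (#{detail})"
  allowed = safe_parse_allowing(UNTRUSTED_DOC, [AuditEntry])
  puts "allowlisted: #{allowed.class} user=#{allowed.user}"
end
```

The practical rule this illustrates: treat `safe_load` (or Psych 4's `load`) as the default for anything that did not originate inside the process, and reach for the allowlist form rather than the unsafe loader when object round-tripping is actually required.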