@postmodern_mod3 is there any reason you aren't using SafeYAML with bundler-audit?
@postmodern_mod3 you "control" the YAML until there's another @homakov-style Github compromise ;)
@bascule @postmodern_mod3 @homakov I don't usually own repos, but when I do I put a noisy exploit in a YAML instead of backdooring the code
@rantyben @postmodern_mod3 @homakov call me crazy, but I would prefer my security tools close known attack vectors if possible :O
@bascule @rantyben @homakov feel free to send me a pull request. I would prefer to use Psych.safe_load /cc @tenderlove.
@bascule @rantyben @homakov @tenderlove unfortunately, MRI 2.1 is the only Ruby that includes Psych.safe_load. :(
@postmodern_mod3 @rantyben @homakov @tenderlove what about using YAML.parse?
@bascule we could also use YAML.parse and explicitly coerce the nodes. That seems to be the most pragmatic solution.
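The YAML.parse route proposed at the end of the thread, written out as an added example (this is illustrative code, not bundler-audit's own loader or anything posted by a participant). It parses the document into the Psych AST, then rebuilds plain Hash, Array, String, Integer, Float, true/false and nil values by hand: any node carrying a tag (so `!ruby/object:...`, `!ruby/hash:...` and friends can never instantiate a class) and any alias (no anchor re-use, which also shuts out "billion laughs" expansion) is rejected with an exception. The advisory document and the hostile document are constructed for the example; the field names are assumptions about bundler-audit's data format, not taken from the project.

```ruby
require 'yaml'

# Constructed sample in the rough shape of an advisory file; field names are assumptions.
ADVISORY_YAML = <<~YAML
  gem: rails
  cve: 2013-0156
  patched_versions:
    - "~> 3.2.11"
    - ">= 4.0.0"
  unaffected_versions: []
YAML

# Constructed hostile document: a Ruby-specific tag that YAML.load would turn into an object.
HOSTILE_YAML = <<~YAML
  gem: !ruby/object:Gem::Requirement
    requirements: []
  cve: 2013-0156
YAML

class UnsafeYamlNode < StandardError; end

# Only plain (unquoted) scalars get coerced; quoted scalars are always strings.
def coerce_scalar(node)
  value = node.value
  return value unless node.plain
  case value
  when '', '~', 'null', 'Null', 'NULL' then nil
  when 'true', 'True', 'TRUE' then true
  when 'false', 'False', 'FALSE' then false
  when /\A[-+]?\d+\z/ then Integer(value, 10)
  when /\A[-+]?\d+\.\d+\z/ then Float(value)
  else value
  end
end

# Walk the Psych AST and rebuild plain Ruby data. Every node type not listed here
# (Psych::Nodes::Alias in particular) and every tagged node raises instead of loading.
def coerce(node)
  raise UnsafeYamlNode, "tagged node #{node.tag.inspect} not allowed" if node.tag

  case node
  when Psych::Nodes::Document then coerce(node.root)
  when Psych::Nodes::Scalar   then coerce_scalar(node)
  when Psych::Nodes::Sequence then node.children.map { |child| coerce(child) }
  when Psych::Nodes::Mapping
    # Mapping children alternate key, value, key, value, ...
    node.children.each_slice(2).each_with_object({}) do |(key_node, value_node), hash|
      key = coerce(key_node)
      raise UnsafeYamlNode, "mapping key #{key.inspect} is not a string" unless key.is_a?(String)
      hash[key] = coerce(value_node)
    end
  else
    raise UnsafeYamlNode, "unsupported node #{node.class}"
  end
end

# Entry point: parse to the AST (no object construction happens here), then coerce.
def load_advisory(yaml_text)
  document = YAML.parse(yaml_text)
  raise UnsafeYamlNode, 'empty document' unless document
  coerce(document)
end

if __FILE__ == $PROGRAM_NAME
  p load_advisory(ADVISORY_YAML)
  begin
    load_advisory(HOSTILE_YAML)
  rescue UnsafeYamlNode => e
    puts "rejected: #{e.message}"
  end
end
```

Unlike `Psych.safe_load`, which at the time only shipped with MRI 2.1, `YAML.parse` and the `Psych::Nodes` classes exist in every Psych release, so this works on the older Rubies the thread is worried about. The allow-list is deliberately narrow: a `!!str` or `!!int` tag is also rejected, which is fine for data files a tool controls and makes the failure noisy rather than silent.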