If I only allow up to, say, 1MB of a completely untrusted YAML file to
be loaded, can I be certain that the possibly maliciously constructed
YAML cannot do anything dangerous (including executing unwanted code or
gulping too much memory) when being parsed?
Could someone point out how to extend yaml.rb to only accept certain
classes (like only Hash, Array, Numeric, String, NilClass, TrueClass,
FalseClass, and Symbol) to be loaded?
–
dave
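One way to get the class allowlist the question asks for, as an added example that is not from the original thread: Psych's real `YAML.safe_load` takes a `permitted_classes` list and refuses aliases unless `aliases: true` is passed; the wrapper name, the constants and the constructed sample documents below are assumptions of this example. Note that the class allowlist does not bound memory on its own, so the size cap is still needed.

```ruby
require 'yaml'

# Size limit for untrusted input (constructed to match the 1MB figure above).
MAX_YAML_BYTES = 1_000_000

# Classes that may be instantiated from untrusted YAML. safe_load already
# permits Hash, Array, String, Integer, Float, NilClass, TrueClass and
# FalseClass; Symbol must be listed explicitly.
PERMITTED_CLASSES = [Symbol].freeze

# Parse untrusted YAML with a class allowlist and aliases disabled.
# Returns [:ok, object] or [:rejected, reason]; never raises on bad input.
def load_untrusted_yaml(text, max_bytes: MAX_YAML_BYTES)
  return [:rejected, "input exceeds #{max_bytes} bytes"] if text.bytesize > max_bytes

  obj = YAML.safe_load(text, permitted_classes: PERMITTED_CLASSES, aliases: false)
  [:ok, obj]
rescue Psych::DisallowedClass => e
  # Raised for any tag (e.g. !ruby/object:...) naming a class not permitted.
  [:rejected, "disallowed class: #{e.message}"]
rescue Psych::BadAlias => e
  # Raised when the document uses &anchor/*alias; covers AliasesNotEnabled too.
  [:rejected, "aliases are not permitted: #{e.message}"]
rescue Psych::SyntaxError => e
  [:rejected, "syntax error: #{e.message}"]
end

# Constructed sample documents for demonstration.
SAMPLE_OK      = "name: dave\ncount: 3\nflags: [true, null]\ntag: :sym\n"
SAMPLE_OBJECT  = "--- !ruby/object:Object {}\n"
SAMPLE_ALIASES = "a: &x [1, 2]\nb: *x\n"
SAMPLE_SYNTAX  = "key: [unclosed\n"

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_OK, SAMPLE_OBJECT, SAMPLE_ALIASES, SAMPLE_SYNTAX].each do |doc|
    p load_untrusted_yaml(doc)
  end
end
```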