
Don't load arbitrary objects.

Open startling opened this issue 10 years ago • 3 comments

snakeyaml allows the creation of arbitrary Java objects. This is usually a Bad Thing. These commits add an option key to make-yaml, :unsafe, and use SafeConstructor by default.

(See also #10).

startling, Mar 26 '14 06:03
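The shape of the fix described above, as an added example rather than clj-yaml's or the PR's own code: a `make-yaml` that defaults to snakeyaml's `SafeConstructor` and only falls back to the object-constructing parser when `:unsafe true` is passed. It assumes a snakeyaml 1.x release where `SafeConstructor` has a no-argument constructor; the helper names `parse-string` and `load-safely` and the two sample documents are constructed for this example.

```clojure
;; Added example, not clj-yaml's own code. Assumes snakeyaml 1.x
;; (no-arg SafeConstructor); newer 2.x releases require LoaderOptions.
(ns example.safe-yaml
  (:import [org.yaml.snakeyaml Yaml]
           [org.yaml.snakeyaml.constructor SafeConstructor]
           [org.yaml.snakeyaml.error YAMLException]))

(defn make-yaml
  "Build a snakeyaml parser. Safe by default: only core YAML types
  (maps, sequences, strings, numbers, booleans, timestamps) are built.
  Pass :unsafe true to get snakeyaml's default Constructor, which will
  instantiate whatever class a !! tag in the document names."
  [& {:keys [unsafe] :or {unsafe false}}]
  (if unsafe
    (Yaml.)
    (Yaml. (SafeConstructor.))))

(defn parse-string
  "Parse a single YAML document with the given parser."
  [^Yaml yaml ^String s]
  (.load yaml s))

(defn load-safely
  "Parse s with the safe parser. Returns {:ok value} on success, or
  {:rejected message} when the document carries a tag the SafeConstructor
  refuses to construct (it raises a YAMLException instead of
  instantiating the class)."
  [s]
  (try
    {:ok (parse-string (make-yaml) s)}
    (catch YAMLException e
      {:rejected (.getMessage e)})))

;; Constructed sample: an ordinary config document, accepted as plain data.
(def plain-doc "name: app\nports: [80, 443]\ndebug: false\n")

;; Constructed sample: a document whose tag names a Java class. The safe
;; parser rejects it; only (make-yaml :unsafe true) would construct it.
(def tagged-doc "when: !!java.util.Date 2014-03-26\n")

(defn -main [& _]
  (println (load-safely plain-doc))
  (println (load-safely tagged-doc)))
```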

:+1: to using the SafeConstructor

https://code.google.com/p/snakeyaml/source/browse/src/main/java/org/yaml/snakeyaml/constructor/SafeConstructor.java

https://code.google.com/p/snakeyaml/source/browse/src/test/java/examples/SafeConstructorExampleTest.java

See http://blogs.teamb.com/craigstuntz/2013/02/04/38738/

espeed, Apr 30 '14 05:04

Glad you like it!

For what it's worth, this library is apparently unmaintained; we've forked it and applied our fixes and some other changes at circleci/clj-yaml.

startling, Apr 30 '14 08:04

@startling thanks for the heads up!

espeed, Apr 30 '14 20:04