Hi pabs,

On 18:30 Wed 24 May, Paul Wise wrote:
> On Wed, May 24, 2017 at 6:24 PM, Paul Wise wrote:
>
> > In Python/Perl YAML libraries there are ways to safely load YAML
> > files, does Ruby not have the same possibilities?
>
> After a bit of searching, I wonder if copying the ruby-safe-yaml
> package from wheezy-backports to wheezy and then patching puppet to
> use that might be a good solution.

Just a couple of notes here:

 - Wheezy's Puppet is running under Ruby 1.8, which uses the old Syck
   YAML library. Ruby 1.9.3 and onwards uses Psych, which indeed
   provides a safe_load method. In short, the YAML engine is something
   to be aware of.

 - YAML safe loading depends on deserializing only known-safe types. We
   need to make sure that this will not break the application. In
   theory it shouldn't, as the facts in 2.x are plain strings.

Cheers,
Apollon
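
The two points in the message above, safe loading restricted to known types and facts being plain strings, as an added example that is not part of the original thread and is not Puppet's code. It assumes a current Ruby whose Psych provides safe_load; load_facts, accepted?, the sample documents and HypotheticalClass are names made up for illustration.

```ruby
require 'yaml'

# Constructed sample: a facts document shaped as the thread describes,
# a flat mapping of plain strings (values invented for illustration).
PLAIN_FACTS = <<~YAML
  hostname: web01
  operatingsystem: Debian
  uptime_days: "12"
YAML

# Constructed sample: same mapping, but one value carries a Ruby-specific
# type tag. HypotheticalClass is a placeholder and does not need to exist.
TAGGED_FACTS = <<~YAML
  hostname: web01
  extra: !ruby/object:HypotheticalClass
    attr: value
YAML

# Parse with safe_load (core YAML types only), then enforce the stricter
# "mapping of plain strings" shape so anything unexpected is rejected
# instead of being silently accepted.
def load_facts(text)
  data = YAML.safe_load(text)
  raise ArgumentError, 'facts must be a mapping' unless data.is_a?(Hash)
  data.each do |key, value|
    unless key.is_a?(String) && value.is_a?(String)
      raise ArgumentError, "fact #{key.inspect} is not a plain string"
    end
  end
  data
rescue Psych::DisallowedClass => e
  # safe_load refuses tags that would instantiate arbitrary Ruby classes.
  raise ArgumentError, "rejected type outside the safe set: #{e.message}"
end

# True when the document loads as plain-string facts, false when rejected.
def accepted?(text)
  load_facts(text)
  true
rescue ArgumentError
  false
end

if __FILE__ == $PROGRAM_NAME
  puts "plain facts accepted:  #{accepted?(PLAIN_FACTS)}"
  puts "tagged facts accepted: #{accepted?(TAGGED_FACTS)}"
end
```

Running a real facts file through a check like this before switching loaders shows whether the plain-strings assumption holds for the data actually in use.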