[SECURITY] Change the default to be secure by default

[JLLeitschuh]

Hi!

Security researcher here looking into YAML parsers across the industry. Why is it that this YAML parser is insecure-by-default? Why not make it secure-by-default and then allow end-users to opt-in to the insecure variant similar to how the ruby standard library handles it currently.

[hsbt]

?

I didn't understand you say "Why is it that this YAML parser is insecure-by-default?". Please explanation it with Ruby's yaml parser.

[JLLeitschuh]

The underlying parser for this gem is using the unsafe_load method by default, which has arbitrary deserialization vulnerabilities.

yaml/lib/yaml/store.rb

Lines 67 to 74 in a03d840

	def load(content)
	table = YAML.unsafe_load(content)
	if table == false
	{}
	else
	table
	end
	end

There is also the line in the README:

Do not use YAML to load untrusted data. Doing so is unsafe and could allow malicious input to execute arbitrary code inside your application.

The YAML standard library also has a safe_load method, why not use that by-default instead of the insecure variant?

[hsbt]

It's only used by YAML::Store like PStore usage, not the default YAML parser. And There is no reason why it still use unsafe_load. I welcome to your pull-request.

[JLLeitschuh]

Pull request contributed

[hsbt]

I fixed this at #40 and #41