Nothing too major about how it’s usually used, but the yaml spec does allow arbitrary code execution when parsing a file and relies on the parser to have that feature disabled: https://en.m.wikipedia.org/wiki/YAML#Security
That’s why for python, yaml.save_load() is a thing. That’s fine for your local config files and may even be a feature for you, but it shouldn’t be used to exchange information between services.
YAML?? (╯°□°)╯︵ ┻━┻)
what: is: your: - problem - with: YAML # At least you can have comments unlike in json. Who need comments in a config file anyway.Nothing too major about how it’s usually used, but the yaml spec does allow arbitrary code execution when parsing a file and relies on the parser to have that feature disabled: https://en.m.wikipedia.org/wiki/YAML#Security
That’s why for python,
yaml.save_load()is a thing. That’s fine for your local config files and may even be a feature for you, but it shouldn’t be used to exchange information between services.nit: you mean
yaml.safe_load().