I'm not sure what you mean by "data models where instantiating a data structure does not mean running arbitrary code". I can't think of a basic data type (a hard thing to define, btw) in Ruby that doesn't have a constructor, but I'm not sure that's what matters. Any attribute assignment in Ruby can be made dangerous if written in a way that wraps dangerous code in a attribute assignment methods.
What I think has gotten Rubyists in trouble is that we forgot YAML really is just serialization. Here's some advice that seems obvious now, but a few weeks ago would have inspired a "wha?" or a "huh?" from a lot of developers.
Don't pass anything to YAML::load that you wouldn't pass to Marshal::load.
Consider for a moment how someone would react to passing anything from HTTP post to Marshal::load. It seems obvious. It is obvious.
YAML is serialization. Whether or not serialization can be made safe is for people much, much smarter than me to figure out.
What I think has gotten Rubyists in trouble is that we forgot YAML really is just serialization. Here's some advice that seems obvious now, but a few weeks ago would have inspired a "wha?" or a "huh?" from a lot of developers.
Don't pass anything to YAML::load that you wouldn't pass to Marshal::load.
Consider for a moment how someone would react to passing anything from HTTP post to Marshal::load. It seems obvious. It is obvious.
YAML is serialization. Whether or not serialization can be made safe is for people much, much smarter than me to figure out.