A rather high-profile security vulnerability in Rails recently illuminated the potential dangers of parsing user-supplied YAML in a Ruby application.
A quick Google search reveals that Python's YAML library includes a safe_load method which will only deserialize "simple Python objects like integers or lists" and not objects of any arbitrary type.
Does Ruby have an equivalent? Is there any way to safely accept YAML input in a Ruby application without hand-writing a custom parser?
Using the lower level interfaces to Psych (the actual parser engine), it is possible to gain access to the lower level structures without serializing them back to Ruby objects (see http://rubydoc.info/stdlib/psych/Psych/Parser). This isn't as easy as safe_load, but it does provide a route to do it.

There may be other options that work in Syck and Psych, and that are more direct such as safe_load.
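As an added illustration of the lower-level Psych route described in the answer above (example code written for this page, not code from the question, the answer, or the Psych project): `Psych.parse` builds a `Psych::Nodes` tree without instantiating any Ruby objects, so the tree can be walked and converted to plain hashes, arrays, strings and numbers, refusing anything tagged. The class name `UnsafeYAMLError` and the method names are this example's own; `Psych.parse`, `Psych::Nodes::Scalar`/`Sequence`/`Mapping`/`Alias` and the `tag`, `plain`, `value` and `children` accessors are real Psych APIs.

```ruby
require 'psych'

# Added example (not from the question or answer above): walk the Psych AST
# that Psych.parse returns and turn it into plain Ruby values, refusing any
# construct that Psych.load would resolve to an arbitrary Ruby class.
class UnsafeYAMLError < StandardError; end

# Parse YAML text into a Psych::Nodes tree without building Ruby objects,
# then convert only the node kinds we consider safe.
def safe_yaml_to_ruby(yaml_text)
  doc = Psych.parse(yaml_text)  # Psych::Nodes::Document, or false for empty input
  return nil unless doc
  convert_node(doc.root)
end

def convert_node(node)
  # Any explicit tag (!ruby/object:..., !ruby/hash:..., even !!str) is refused:
  # tags are exactly the mechanism that lets YAML name a class to instantiate.
  raise UnsafeYAMLError, "tagged node not allowed: #{node.tag}" if node.tag

  case node
  when Psych::Nodes::Scalar
    convert_scalar(node)
  when Psych::Nodes::Sequence
    node.children.map { |child| convert_node(child) }
  when Psych::Nodes::Mapping
    # Mapping children are a flat key, value, key, value ... list.
    node.children.each_slice(2).each_with_object({}) do |(key_node, value_node), hash|
      unless key_node.is_a?(Psych::Nodes::Scalar)
        raise UnsafeYAMLError, "only scalar mapping keys allowed"
      end
      hash[convert_node(key_node)] = convert_node(value_node)
    end
  when Psych::Nodes::Alias
    # Aliases are refused as well: repeated alias expansion is how YAML
    # "bomb" inputs exhaust memory, and plain data rarely needs them.
    raise UnsafeYAMLError, "aliases not allowed"
  else
    raise UnsafeYAMLError, "unexpected node type #{node.class}"
  end
end

# Minimal scalar resolution: quoted scalars stay strings; plain scalars get
# the handful of core types (integer, float, boolean, null) and nothing else.
def convert_scalar(node)
  value = node.value
  return value unless node.plain
  case value
  when /\A[-+]?\d+\z/      then Integer(value, 10)
  when /\A[-+]?\d+\.\d+\z/ then Float(value)
  when 'true'              then true
  when 'false'             then false
  when '', '~', 'null'     then nil
  else value
  end
end

if __FILE__ == $PROGRAM_NAME
  puts safe_yaml_to_ruby("name: demo\nports: [80, 443]\n").inspect
  begin
    safe_yaml_to_ruby("--- !ruby/object:Object {}\n")
  rescue UnsafeYAMLError => e
    puts "rejected: #{e.message}"
  end
end
```

The important property is that rejection happens before any object is built: `Psych.parse` only produces nodes, and the walker decides what becomes a Ruby value. Refusing every tag is stricter than YAML requires (it also drops harmless `!!str` style tags), which is the right default for untrusted input; a whitelist of specific tags can be added to `convert_node` if an application needs them. Later Psych releases added a `Psych.safe_load` method that implements the same idea (whitelisted classes, optional alias support), so on a current Ruby that is the simpler route.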