
I'm currently evaluating this library from a security perspective. Since YAML can be used to serialize objects, I was wondering if the defaults provided by the parser are set such that deserialization of arbitrary objects is prevented. Putting it differently:

What are the steps needed to allow for the creation of any type of object given a YAML string containing the definition of a specific type? From what I could tell going through the documentation, this behaviour is not easily reproducible, since the deserializer expects a type of an object to populate with the given data.

As a second, related question: Are validation checks that are present during the creation of objects (e.g. the "Age" property cannot be larger than 130 and smaller than 0) or when using a getter/setter pattern also applied when the deserializer creates the object, or is it possible to create objects that have unexpected data inside them that way?

bt-nia
  • Welcome to SO! I think this is really a question you should take to the library author, not us, to get the kind of trustworthy answer you'd want for evaluating security concerns. Also, please mind that you should not ask multiple questions at once here. – flyx Jun 03 '21 at 01:06
  • @flyx will do thanks and noted. – bt-nia Jun 04 '21 at 09:29

0 Answers
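The question names no library, so the following added example (not part of the question or of any project it refers to) uses Ruby's standard-library YAML parser, Psych, to show the general pattern both questions are about: a safe loader refuses to construct tagged objects by default, construction of one specific type has to be enabled explicitly (here via `permitted_classes:`), and reviving an object straight from a tag bypasses the constructor and setters, so setter-level validation does not run. The `Person` class and both YAML documents are constructed for this example.

```ruby
require 'yaml'

# Hypothetical domain class with setter-level validation (constructed for this example).
class Person
  attr_reader :name, :age

  def initialize(name, age)
    self.name = name
    self.age = age
  end

  def name=(value)
    raise ArgumentError, 'name must be a String' unless value.is_a?(String)
    @name = value
  end

  # The kind of range check the question describes: 0 <= age <= 130.
  def age=(value)
    raise ArgumentError, 'age out of range' unless value.is_a?(Integer) && value.between?(0, 130)
    @age = value
  end

  # Re-checks the invariants without going through the setters.
  def valid?
    name.is_a?(String) && age.is_a?(Integer) && age.between?(0, 130)
  end
end

# Constructed document that asks the parser to revive a Person directly from a tag.
TAGGED_DOC = "--- !ruby/object:Person\nname: Alice\nage: 500\n".freeze

# Constructed document with no tag at all: just a mapping of plain scalars.
PLAIN_DOC = "name: Alice\nage: 500\n".freeze

# Default behaviour: safe_load refuses to construct any class that was not permitted.
def safe_load_rejects_tag?(doc)
  YAML.safe_load(doc)
  false
rescue Psych::DisallowedClass
  true
end

# The explicit step that enables construction of one specific type.
# Psych revives the object with allocate + instance_variable_set, so neither
# initialize nor the setters run: validation is bypassed and age stays 500.
def load_with_allowlist(doc)
  YAML.safe_load(doc, permitted_classes: [Person])
end

# Safer shape: load plain data, then build the typed object through its
# constructor, so the setters (and their validation) are always exercised.
def build_person_via_constructor(doc)
  data = YAML.safe_load(doc)
  Person.new(data.fetch('name'), data.fetch('age'))
end

# Collects the observable outcomes of the three paths above.
def summary
  revived = load_with_allowlist(TAGGED_DOC)
  constructor_error = begin
    build_person_via_constructor(PLAIN_DOC)
    nil
  rescue ArgumentError => e
    e.message
  end
  {
    default_rejects_tag: safe_load_rejects_tag?(TAGGED_DOC),
    revived_age: revived.age,
    revived_valid: revived.valid?,
    constructor_error: constructor_error
  }
end

puts summary.inspect if $PROGRAM_NAME == __FILE__
```

The practical takeaway is the same regardless of language: the permitted-type allowlist answers the first question, and the `revived_valid` result answers the second, which is why a typed object populated by a YAML library should be validated after loading (or built through its constructor from plain data) rather than trusted because its setters validate.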