Use Yaml SafeConstructor to prevent serialization issues#355

Merged
mr-c merged 1 commit into common-workflow-language:main from kinow:sec-01 on Sep 30, 2021
Conversation

@kinow (Member) commented Sep 30, 2021

Description

@mr-c I've successfully reproduced an issue with serialization. From the same page with the exploit, looks like passing the SafeConstructor fixes it (it's a class provided by SnakeYaml that prevents certain things from being accessed when constructing objects.)

Motivation and Context

Prevent serialization issues as reported in #241 (comment)

How Has This Been Tested?

Locally.

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.

Not sure how this could be tested 👍 Static analyzers will spot the issue again (assuming the static analyzers are able to comprehend that SafeConstructor fixes the issue).
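An added example (not code from the cwljava project) contrasting the weak and hardened loader configurations the PR describes; it assumes SnakeYAML 1.x on the classpath and uses a constructed document plus a hypothetical `DemoBean` class to stand in for any class the input could name.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

// Hypothetical bean, defined here only to show that a "!!" tag names an arbitrary class.
class DemoBean {
    public String greeting;
}

public class SafeConstructorDemo {
    // Constructed untrusted input: the "!!" tag asks SnakeYAML to instantiate a Java class.
    static final String UNTRUSTED = "!!DemoBean {greeting: hello}";

    // Weak (pre-PR shape): the default Constructor resolves the tag to any class on the
    // classpath and instantiates it, so the document decides which class gets created.
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened (what the PR switches to): SafeConstructor only builds the standard YAML
    // types (maps, lists, scalars) and rejects class-naming tags with a ConstructorException.
    static Object loadSafe(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        Object o = loadUnsafe(UNTRUSTED);
        System.out.println("default Constructor built: " + o.getClass().getName()); // DemoBean

        try {
            loadSafe(UNTRUSTED);
            System.out.println("unexpected: SafeConstructor accepted the tag");
        } catch (YAMLException e) {
            // ConstructorException extends YAMLException; the tagged class is never instantiated.
            System.out.println("SafeConstructor rejected the document: " + e.getMessage());
        }

        // Ordinary CWL-style data still loads with SafeConstructor.
        System.out.println(loadSafe("cwlVersion: v1.2\nclass: CommandLineTool"));
    }
}
```

Detection-wise, the LGTM alert "Deserialization of user-controlled data" flags the `new Yaml()` form; switching the loader to `SafeConstructor` is what clears it, as the bot comments below confirm.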

@lgtm-com (bot) commented Sep 30, 2021

This pull request fixes 1 alert when merging 71aeade into 7b8eb67 - view on LGTM.com

fixed alerts:

  • 1 for Deserialization of user-controlled data

@mr-c mr-c enabled auto-merge (squash) September 30, 2021 12:23
@mr-c mr-c merged commit f6066f0 into common-workflow-language:main Sep 30, 2021
@lgtm-com (bot) commented Sep 30, 2021

This pull request fixes 1 alert when merging 3e7b69f into 7b8eb67 - view on LGTM.com

fixed alerts:

  • 1 for Deserialization of user-controlled data

@kinow kinow deleted the sec-01 branch September 30, 2021 12:30