Allow configuration of "permitted classes" #72

Open
hvanderlinde wants to merge 1 commit into Manfred:main from hvanderlinde:permitted_classes
Conversation

@hvanderlinde

When dealing with more complex OpenAPI specifications that make use of data types other than the standard types allowed by YAML (aka Psych), it is inevitable that you need to set the extra permitted classes using the permitted_classes argument.

An example of a class that you may want to permit is the Date class.

This PR provides a basic implementation of using an env variable to specify permitted classes.

…th more complex data types

- Basic implementation of using an env variable to specify permitted classes
@Manfred
Owner

Manfred commented Feb 23, 2026

Howdy, thanks for opening a pull request.

Generally I don't accept any code to the repository that I did not write as explained in the contributing guidelines. Please take the time to read it.

I don't think I can make the changes you suggest for a number of reasons:

- It's not clear what "other data types" means without a concrete clear example, preferably something that could be dropped into the test suite without change.

- I suspect that the changes you are suggesting mean you have an invalid OpenAPI specification; the YAML should preserve the ability to round-trip between YAML and JSON formats and this is not the case when using extended YAML features for instantiating objects.

- The reason we're using safe_load is to prevent the code from instantiating random objects. The resulting Ruby object is expected to consist of Ruby base classes so we can safely call methods like dig on them. Changing this would open up an attack vector for arbitrary code execution.

The only change I have considered at some point is to supply an additional initializer for Reynard objects and allow direct injection of a specification as a Ruby Hash.

Reynard.instantiate(specification: {"openapi": "3.1.1"})

But this would mostly be for situations where the OpenAPI spec cannot live on disk, for example in diskless deployments where the specification lives in a database or in memory.

In short, please supply an example because I may have misunderstood the issue.
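
The trade-off discussed in this thread, as an added Ruby example that is not part of the pull request or of Reynard's code: strict safe_load rejects an unquoted date and an object tag, permitting Date loads the document but breaks the YAML/JSON round-trip, and quoting the value keeps the loader strict while the date is converted at the point of use. The spec fragment, the SpecProbe class name and the helper names are constructed for illustration.

```ruby
require "yaml"
require "json"
require "date"

# Constructed OpenAPI fragment; the unquoted example value is a YAML date scalar.
UNQUOTED = <<~SPEC
  openapi: "3.1.1"
  components:
    schemas:
      Event:
        properties:
          starts_on:
            type: string
            format: date
            example: 2026-02-23
SPEC
# Same document with the date quoted, so it stays a plain string.
QUOTED = UNQUOTED.sub("example: 2026-02-23", 'example: "2026-02-23"')
# Constructed document that asks the loader to build an object (SpecProbe is hypothetical).
TAGGED = "--- !ruby/object:SpecProbe\nname: x\n"

# Name of the class safe_load refused to build, or nil when the document loaded.
def rejected_class(yaml)
  YAML.safe_load(yaml)
  nil
rescue Psych::DisallowedClass => e
  e.message[/class: (\S+)/, 1]
end

def example_value(spec)
  spec.dig("components", "schemas", "Event", "properties", "starts_on", "example")
end

# True when the loaded spec survives YAML -> JSON -> Ruby unchanged.
def json_round_trip?(spec)
  JSON.parse(JSON.generate(spec)) == spec
end

# Strict load plus conversion at the point of use, instead of widening the loader.
def starts_on(yaml)
  Date.iso8601(example_value(YAML.safe_load(yaml)))
end

if __FILE__ == $PROGRAM_NAME
  widened = YAML.safe_load(UNQUOTED, permitted_classes: [Date])
  puts "unquoted, strict: rejected #{rejected_class(UNQUOTED)}"
  puts "tagged, strict:   rejected #{rejected_class(TAGGED)}"
  puts "unquoted, Date permitted: #{example_value(widened).class}, round-trips: #{json_round_trip?(widened)}"
  puts "quoted, strict: #{example_value(YAML.safe_load(QUOTED)).class}, round-trips: #{json_round_trip?(YAML.safe_load(QUOTED))}"
  puts "converted at use: #{starts_on(QUOTED).inspect}"
end
```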
