Switch from yaml.load to yaml.safe_load for security #22

Merged
merged 4 commits into from
Oct 1, 2015

Conversation

kevinlondon
Copy link
Contributor

yaml.load is unfortunately the dangerous version. yaml.safe_load has better protections. I had originally opened a Pull Request with Sentry that does the same swap. I included a few additional links on that ticket that may be of interest.

Thanks!

Make sure file handlers get closed
@elsigh
Copy link
Contributor

elsigh commented Sep 21, 2015

Looks like there are conflicts. Can you rebase? Also can you describe what the danger is here for the record?

@elsigh elsigh closed this Sep 21, 2015
@elsigh elsigh reopened this Sep 21, 2015
@elsigh
Copy link
Contributor

elsigh commented Sep 21, 2015

Sorry accidental close.

@kevinlondon
Copy link
Contributor Author

No problems about the accidental close! I've made the changes to resolve the merge conflict - not actually sure how that came about. Maybe something was merged recently that changed the syntax. All good now though!

Re: why it's dangerous. I'm working through some popular open source Python projects and looking for potential security vulnerabilities with Bandit. Here's the partial output from when I checked this project:

Test results:

>> Issue: Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().
   Severity: Medium   Confidence: High
   Location: ./setup.py:23
22      json_dest = yaml_dest.replace('.yaml', '.json')
23      regexes = yaml.load(open(yaml_dest))
24      with open(json_dest, "w") as f:

>> Issue: Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().
   Severity: Medium   Confidence: High
   Location: ./ua_parser/user_agent_parser.py:446
445     yamlFile = open(UA_PARSER_YAML)
446     regexes = yaml.load(yamlFile)
447     yamlFile.close()

>> Issue: Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().
   Severity: Medium   Confidence: High
   Location: ./ua_parser/user_agent_parser.py:461
460         with open(yamlPath) as fp:
461             regexes = yaml.load(fp)
462

As the warning mentions, yaml.load() is unfortunately the unsafe version. I did a blog post on the security risks for yaml's load function, as did Ned Batchelder and others.
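As an added illustration (not code from the ua-parser project or from the PR), the example below loads a constructed regexes.yaml-shaped document with yaml.safe_load, shows that the safe loader refuses a document carrying a Python-specific tag instead of constructing an object from it, and closes the file handle with a context manager as the second commit in this PR does.

```python
# Added example, not part of ua-parser: safe_load on a ua-parser-style
# regexes file, plus the behaviour the Bandit warning is about.
import yaml

# Constructed sample in the shape of ua-parser's regexes.yaml (not the real file).
REGEXES_YAML = """\
user_agent_parsers:
  - regex: '(ExampleBot)/(\\d+)\\.(\\d+)'
    family_replacement: 'Example Bot'
os_parsers:
  - regex: '(ExampleOS) (\\d+)'
"""

# Constructed document carrying a Python-specific YAML tag. The safe loader only
# knows the core YAML tags (str, int, list, map, ...), so it must refuse this
# rather than resolve the name and build an object from it.
TAGGED_YAML = """\
user_agent_parsers:
  - regex: !!python/name:builtins.str ''
"""


def load_regexes(source):
    """Parse regexes YAML (text or open stream) with the safe loader only."""
    return yaml.safe_load(source)


def load_regexes_from_path(path):
    # The with-block closes the handle even if parsing raises, which is the
    # file-handle fix made alongside the safe_load switch in this PR.
    with open(path) as fp:
        return load_regexes(fp)


def safe_load_rejects(text):
    """Return True if the safe loader refuses to construct a node in text."""
    try:
        yaml.safe_load(text)
    except yaml.constructor.ConstructorError:
        return True
    return False
```

Bandit flags every bare yaml.load() call because the default loader resolves such tags; replacing it with yaml.safe_load() (or yaml.load(stream, Loader=yaml.SafeLoader)) keeps the plain-data parsing ua-parser needs while dropping object construction.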

elsigh added a commit that referenced this pull request Oct 1, 2015
Switch from yaml.load to yaml.safe_load for security
@elsigh elsigh merged commit 33c2bdf into ua-parser:master Oct 1, 2015
@elsigh
Copy link
Contributor

elsigh commented Oct 1, 2015

Cool, thanks for the explanation.
