From 15a3069b3a04df88e997e076d3b72020e8ee6a1a Mon Sep 17 00:00:00 2001
From: Eric Brown
Date: Tue, 24 May 2022 13:26:32 -0700
Subject: [PATCH] Add another bad example of yaml load

The yaml module supports passing the Loader of choice. Passing yaml.Loader is considered unsafe. This commit adds that example and ensures Bandit detects it.

Signed-off-by: Eric Brown
---
 examples/yaml_load.py | 2 ++
 tests/functional/test_functional.py | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/examples/yaml_load.py b/examples/yaml_load.py
index 346818d2d..21d8797fc 100644
--- a/examples/yaml_load.py
+++ b/examples/yaml_load.py
@@ -16,3 +16,5 @@ def test_yaml_load():
 def test_json_load():
     # no issue should be found
     j = json.load("{}")
+
+yaml.load("{}", Loader=yaml.Loader)
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
index adad9f562..d39ee799c 100644
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
@@ -492,8 +492,8 @@ def test_django_sql_injection_raw(self):
     def test_yaml(self):
         """Test for `yaml.load`."""
         expect = {
-            "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 1, "HIGH": 0},
-            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 1},
+            "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 2, "HIGH": 0},
+            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 2},
         }
         self.check_example("yaml_load.py", expect)
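Review bot: The added `yaml.load("{}", Loader=yaml.Loader)` line carries no comment stating that it is the deliberately unsafe case, while the neighbouring `test_json_load` body documents its expectation with `# no issue should be found`; a reader of the fixture cannot tell from the line itself which verdict Bandit is expected to give. A one-line comment above it, `# yaml.Loader is the unsafe full loader; this call should be flagged`, would record the expectation next to the code. The new call also appears to sit at module level after `test_json_load` rather than inside `test_yaml_load`, which the `@@` header names as the enclosing function; if the collapsed whitespace hides an indent this does not apply, otherwise grouping it with the other `yaml.load` examples would keep the fixture consistent. The body of `test_yaml_load` itself lies outside this hunk.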
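Review bot: The docstring of `test_yaml` still reads `"""Test for `yaml.load`."""` although the expectation now counts two findings, one of which is the `Loader=yaml.Loader` variant added to `examples/yaml_load.py`; the docstring should name what the second count stands for so a later change to the fixture can be matched against it, e.g. `"""Test for `yaml.load` with no loader and with the unsafe `yaml.Loader` (two findings)."""`. The class enclosing `test_yaml` starts outside this hunk.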