Security Issue
File: bscode-demo/agentbom/parser.py
Function: parse_agent_manifest
Problem
The function calls yaml.load() without a Loader, which uses the full YAML deserializer and can execute arbitrary Python objects — potential RCE if manifest is attacker-controlled.
Fix
# Before:
data = yaml.load(f)
# After:
data = yaml.safe_load(f)
Impact
- Severity: High — arbitrary Python deserialization -> potential RCE
- CWE: CWE-502 (Deserialization of Untrusted Data)
Filed by patrol_org_coherence
Security Issue
File:
bscode-demo/agentbom/parser.pyFunction:
parse_agent_manifestProblem
The function calls
yaml.load()without a Loader, which uses the full YAML deserializer and can execute arbitrary Python objects — potential RCE if manifest is attacker-controlled.Fix
Impact
Filed by patrol_org_coherence