
security: replace yaml.load with yaml.safe_load in parse_agent_manifest #4

Description

@telleroutlook

Security Issue

File: bscode-demo/agentbom/parser.py
Function: parse_agent_manifest

Problem

The function calls yaml.load() without a Loader, which uses the full YAML deserializer and can execute arbitrary Python objects — potential RCE if manifest is attacker-controlled.

Fix

# Before:
data = yaml.load(f)
# After:
data = yaml.safe_load(f)

Impact

  • Severity: High — arbitrary Python deserialization -> potential RCE
  • CWE: CWE-502 (Deserialization of Untrusted Data)

Filed by patrol_org_coherence
