Security Fix for Arbitrary Code Execution - huntr.dev

[huntr-helper]

https://huntr.dev/users/B3EF has fixed the Arbitrary Code Execution vulnerability 🔨. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/pip/caliban/1/README.md

User Comments:

📊 Metadata *

Arbitrary code execution fix

Bounty URL:https://www.huntr.dev/bounties/1-pip-caliban

⚙️ Description *

Caliban is a tool that helps researchers launch and tracks their numerical experiments in an isolated, reproducible computing environment. It was developed by machine learning researchers and engineers and makes it easy to go from a simple prototype running on a workstation to thousands of experimental jobs running on the Cloud.

💻 Technical Description *

This package was vulnerable to Arbitrary code execution due to the use of a known vulnerable load() with a vulnerable loader function in YAML. Changing that to SafeLoader will fix the issue.

🐛 Proof of Concept (PoC) *

🔥 Proof of Fix (PoF) *

👍 User Acceptance Testing (UAT)

I have just changed the load function to safe_load it ain't going to break anything.

[google-cla]

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

---

What to do if you already signed the CLA

Individual signers

• It's possible we don't have your GitHub username or you're using a different email address on your commit. Check your existing CLA data and verify that your email is set on your git commits.

Corporate signers

• Your company has a Point of Contact who decides which employees are authorized to participate. Ask your POC to be added to the group of authorized contributors. If you don't know who your Point of Contact is, direct the Google project maintainer to go/cla#troubleshoot (Public version).
• The email used to register you as an authorized contributor must be the email used for the Git commit. Check your existing CLA data and verify that your email is set on your git commits.
• The email used to register you as an authorized contributor must also be attached to your GitHub account.

ℹ️ Googlers: Go here for more info.

[codecov]

Codecov Report

Merging #98 (7828a49) into master (56f96e7) will decrease coverage by 0.06%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master      #98      +/-   ##
==========================================
- Coverage   55.72%   55.66%   -0.07%     
==========================================
  Files          31       31              
  Lines        3180     3180              
==========================================
- Hits         1772     1770       -2     
- Misses       1408     1410       +2     

Impacted Files	Coverage Δ
caliban/platform/gke/util.py	99.25% <100.00%> (-0.75%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 56f96e7...7828a49. Read the comment docs.