Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

use of yaml.load #1

Closed
trevorgould opened this issue Apr 2, 2019 · 1 comment
Closed

use of yaml.load #1

trevorgould opened this issue Apr 2, 2019 · 1 comment
Labels
invalid This doesn't seem right

Comments

@trevorgould
Copy link

in the generic.py file, the use of yaml.load can be used to arbitrarily execute code, I would recommend switching it to yaml.safe_load. The code in question is as follows.

with open(filename, 'r') as yaml_file:
try:
yaml_content = yaml.load(yaml_file, Loader=yaml.FullLoader)
@marcusbakker
Copy link
Contributor

Hi Trevor,

Thanks for letting us know. I think we already avoid that by specifying the "Loader" with Loader=yaml.FullLoader. Within the documentation on PyYAML the following is stated on that: "Loads the full YAML language. Avoids arbitrary code execution."

Marcus

@rubinatorz rubinatorz added the invalid This doesn't seem right label Apr 8, 2019
rubinatorz pushed a commit that referenced this issue Jan 25, 2024
@b34c0n5
Merge pull request #1 from beac0n5/snyk-upgrade-4a15cf7041e47694e4e83…
ac03d6c 
…23da0ee4abe

[Snyk] Upgrade vue from 2.6.14 to 2.7.16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
invalid This doesn't seem right
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rubinatorz @trevorgould @marcusbakker