B506.md
Pattern: Use of possibly insecure yaml.load()

Issue: -

Description

This rule checks for calls to the yaml.load() function from the PyYAML package that do not select a safe loader. With the default full-featured loader (yaml.Loader), PyYAML honours the `!!python/...` tags, which let a YAML document instantiate arbitrary Python classes and invoke arbitrary callables while the document is being parsed. That is dangerous whenever the document comes from an untrusted source: parsing it is enough to run attacker-chosen code. yaml.safe_load(), or equivalently yaml.load(..., Loader=yaml.SafeLoader), restricts construction to plain YAML types such as strings, integers, floats, lists and mappings and rejects documents that carry Python-specific tags. Note that PyYAML 5.1 and later warn when yaml.load() is called without a Loader argument and fall back to yaml.FullLoader, and PyYAML 6.0 and later require the Loader argument; Bandit still reports the call unless SafeLoader is used explicitly.

Example of insecure code:

import yaml

def test_yaml_load():
    ystr = yaml.dump({'a' : 1, 'b' : 2, 'c' : 3})
    # No Loader argument: Bandit B506 flags this call. On PyYAML < 5.1 the
    # default loader honours python/* tags; on 6.0+ the call fails without a Loader.
    y = yaml.load(ystr)

Example of secure code:

import yaml

def test_yaml_load():
    ystr = yaml.dump({'a' : 1, 'b' : 2, 'c' : 3})
    # SafeLoader only constructs plain YAML types; yaml.safe_load(ystr) is equivalent.
    y = yaml.load(ystr, Loader=yaml.SafeLoader)
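The page's examples parse a document the program itself generated, so they never show the difference the rule is about. The following block is an added illustration, not code from the Bandit rule or from PyYAML: it feeds a constructed YAML document carrying a `!!python/object/apply` tag to both loaders. The tag points at the harmless builtin `hex` here; what matters is that the default loader calls whatever callable the document names, while SafeLoader refuses the document. The helper names (`load_unsafe`, `load_safe`, `safe_load_rejects`) and the sample documents are assumptions made for this example.

```python
"""Added example (not from the Bandit rule page or PyYAML): compare what
yaml.load() with the default Loader and yaml.safe_load() do with a document
that carries a PyYAML-specific tag."""
import yaml
from yaml.constructor import ConstructorError

# Constructed sample documents. PLAIN_DOC holds ordinary data. TAGGED_DOC uses the
# python/object/apply tag, which tells the unsafe loader to import a callable
# by dotted name and call it with the listed arguments while building the result.
PLAIN_DOC = "a: 1\nb: [2, 3]\n"
TAGGED_DOC = "value: !!python/object/apply:builtins.hex [255]\n"


def load_unsafe(doc: str):
    """The pattern Bandit B506 reports: yaml.Loader honours python/* tags.

    Hypothetical helper; with TAGGED_DOC the loader calls hex(255) during parsing."""
    return yaml.load(doc, Loader=yaml.Loader)


def load_safe(doc: str):
    """The recommended call: only plain YAML types are constructed."""
    return yaml.safe_load(doc)


def safe_load_rejects(doc: str) -> bool:
    """True when the safe loader refuses the document instead of executing its tag."""
    try:
        yaml.safe_load(doc)
    except ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print("plain, safe loader  :", load_safe(PLAIN_DOC))
    print("tagged, unsafe loader:", load_unsafe(TAGGED_DOC))  # the callable ran
    print("tagged, safe loader rejects:", safe_load_rejects(TAGGED_DOC))
```

Both loaders return the same dict for PLAIN_DOC, so switching to SafeLoader costs nothing for ordinary configuration files. For TAGGED_DOC the unsafe loader returns `{'value': '0xff'}`, proof that the document chose which Python callable ran; an untrusted document would name something other than `hex`. The safe loader raises `ConstructorError` for the unknown tag, which is the behaviour to rely on when the input is not under your control.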

Further Reading