The default loaders in PyYAML are not safe to use with untrusted data. They potentially make your application vulnerable to arbitrary code execution attacks. If you open a YAML file from an untrusted source, and the file is loaded with the default loader, an attacker could execute arbitrary code on your machine.
This codemod hardens all yaml.load() calls against such attacks by replacing the default loader with yaml.SafeLoader. This is the recommended loader for loading untrusted data. For most use cases it functions as a drop-in replacement for the default loader.
Calling yaml.load() without an explicit loader argument is equivalent to calling it with Loader=yaml.Loader, which is unsafe. This usage has been deprecated since PyYAML 5.1. This codemod will add an explicit SafeLoader argument to all yaml.load() calls that don't use an explicit loader.
The changes from this codemod look like the following:
[X] data/catalogs/predefined_catalogs.yml has not been modified.
[X] None of the old data_catalog.yml files have been chagned
[X] data/chagnelog.rst has been updated - NA
[X] new file uses LF line endings (done automatically if you used update_versions.py)
[X] New file has been tested locally
[X] Tests have been added using the new file in the test suite - NA
Additional Notes (optional)
This change was autogenerated from a GitHub app - called Pixeebot. Feel free to check it our for more details for how you can install it onto your project's repo for continued code hardening and code security recommendations. 👍
Explanation
The default loaders in PyYAML are not safe to use with untrusted data. They potentially make your application vulnerable to arbitrary code execution attacks. If you open a YAML file from an untrusted source, and the file is loaded with the default loader, an attacker could execute arbitrary code on your machine.
This codemod hardens all
yaml.load()calls against such attacks by replacing the default loader withyaml.SafeLoader. This is the recommended loader for loading untrusted data. For most use cases it functions as a drop-in replacement for the default loader.Calling
yaml.load()without an explicit loader argument is equivalent to calling it withLoader=yaml.Loader, which is unsafe. This usage has been deprecated since PyYAML 5.1. This codemod will add an explicitSafeLoaderargument to allyaml.load()calls that don't use an explicit loader.The changes from this codemod look like the following:
More reading
* [https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data](https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data) * [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)🧚🤖 Powered by Pixeebot
Feedback | Community | Docs | Codemod ID: pixee:python/harden-pyyaml
General Checklist
mainData/Catalog checklist
data/catalogs/predefined_catalogs.ymlhas not been modified.data_catalog.ymlfiles have been chagneddata/chagnelog.rsthas been updated - NALFline endings (done automatically if you usedupdate_versions.py)Additional Notes (optional)
This change was autogenerated from a GitHub app - called Pixeebot. Feel free to check it our for more details for how you can install it onto your project's repo for continued code hardening and code security recommendations. 👍