[flake8-bandit/S506] Dont report violation when using BaseLoader

[mcmitch]

From https://pyyaml.org/wiki/PyYAMLDocumentation

• Loader supports all predefined tags and may construct an arbitrary Python object. Therefore it is not safe to use Loader to load a document received from an untrusted source. By default, the functions scan, parse, compose, construct, and others use Loader.
• SafeLoader(stream) supports only standard YAML tags and thus it does not construct class instances and probably safe to use with documents received from an untrusted source. The functions safe_load and safe_load_all use SafeLoader to parse a stream.
• BaseLoader(stream) does not resolve or support any tags and construct only basic Python objects: lists, dictionaries and Unicode strings.

For our project we are using the Baseloader, and do not want to use safeLoader, as this would not leave integer values as strings. The baseloader is not the unsafe FullLoader, and should not be flagged as an exception to S506.

Code to reproduce:

with open('testfile.yaml') as fhandle:
  loader_yaml = yaml.load(fhandle, Loader=yaml.Baseloader)

Ruff setting: [select = "S506"] Ruff version: 0.6.8

[AlexWaygood]

From my reading of the pyyaml docs, your rationale makes sense to me. I'm not a security expert, however, and it looks like we match bandit's original behaviour here (and it looks like they've had this behaviour for a long time).

Digging into the source code for pyyaml a bit:

• BaseLoader is defined here, and SafeLoader here. They're the same, except that BaseLoader has BaseConstructor and BaseResolver in its bases list, whereas SafeLoader has SafeConstructor and Resolver in its bases list.
• BaseConstructor is here, BaseResolver is here, SafeConstructor is here, Resolver is here. SafeConstructor is a subclass of BaseConstructor; Resolver is a subclass of BaseResolver. SafeConstructor overrides many methods from BaseConstructor, but Resolver seems to be something of a pointless subclass that doesn't override anything from BaseResolver.
• From what I can tell, the methods overridden in SafeConstructor seem mainly to extend the capabilities provided in the BaseConstructor superclass, rather than overriding anything to make it safer -- i.e., exactly as you and the pyyaml docs state.

@ericwb, sorry for the ping -- I don't suppose you'd be able to shed light on this behaviour from bandit, would you? Is there a reason why SafeLoader would be safer than BaseLoader?

[asears]

There's a SO post here with some useful info, though not much clarity in Bandit repo issues on the topic.

https://stackoverflow.com/questions/73958193/are-there-any-cases-to-use-pyyaml-fullloader-or-baseloader-instead-of-safeloader