Closed b1nslashsh closed 2 years ago
@glato what's your thoughts
Thanks
@b1nslashsh Thanks for the PR, I'll check this and try to give you feedback until tomorrow.
@b1nslashsh Sorry for the delay, I now had the time to check/review your PR. As far as I understand the security issue here (taken from https://www.cvedetails.com/cve/CVE-2020-14343) is relevant for PyYAML versions < 5.4. This project is using PyYAML == 5.4 in both development and master branch (see requirements.txt for all dependencies and versions). Do you have any reference/source/link that identifies this kind of security issue also for the current PyYAML version 5.4? If so, I'd be happy to review and add your contribution. Waiting for your feedback.
@b1nslashsh I assume this is no longer relevant, thus I would be closing this PR in a couple of days.
using SafeLoader instead of FullLoader to avoid security risks while loading yaml files
here is a example exploit (poc) :
\
hacktoberfest