glato / emerge

Emerge is a browser-based interactive codebase and dependency visualization tool for many different programming languages. It supports some basic code quality and graph metrics and provides a simple and intuitive way to explore and analyze a codebase by using graph structures.
MIT License
818 stars 49 forks

[FIX] Security - using SafeLoader #9

Closed b1nslashsh closed 2 years ago

b1nslashsh commented 3 years ago

Using SafeLoader instead of FullLoader to avoid security risks while loading YAML files.

Here is an example exploit (PoC):

[image: poc]

hacktoberfest
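As an added example, not code from the PR or from the emerge code base, the snippet below shows what the proposed change buys. It assumes PyYAML is importable as `yaml`; the two YAML documents are constructed for this example and are not the PoC attached to the PR. `builtins.sorted` stands in for the function a real PoC would name (such as `os.system`) so the block runs harmlessly.

```python
"""Added example (not emerge's own code): SafeLoader versus FullLoader.

Assumes PyYAML is installed as `yaml`. The YAML documents below are constructed
for this example; they are not the PoC attached to the PR.
"""
import yaml

# A benign config document of the kind a tool like emerge would read.
BENIGN_CONFIG = """\
project_name: emerge
languages:
  - python
  - java
max_depth: 5
"""

# A document that abuses PyYAML's python-specific tags. It asks the loader to
# *call* builtins.sorted while constructing the value. sorted() is used here
# because it is harmless; a real PoC would name os.system or subprocess.Popen.
PYTHON_TAG_PAYLOAD = "!!python/object/apply:builtins.sorted [[3, 1, 2]]\n"


def load_with(loader_cls, text):
    """Load `text` with an explicit Loader class.

    Returns ("ok", value) when the loader constructed the document, or
    ("rejected", first_line_of_error) when it refused a tag.
    """
    try:
        return ("ok", yaml.load(text, Loader=loader_cls))
    except yaml.YAMLError as exc:  # ConstructorError is a YAMLError subclass
        return ("rejected", str(exc).splitlines()[0])


def load_config(text):
    """The hardened form proposed by the PR.

    yaml.safe_load(text) is exactly yaml.load(text, Loader=yaml.SafeLoader).
    SafeLoader only knows the core YAML types (str, int, float, bool, None,
    list, dict, timestamps, binary) and has no constructor for any
    tag:yaml.org,2002:python/* tag, so a document carrying one raises
    yaml.constructor.ConstructorError instead of running code.
    """
    return yaml.safe_load(text)


def compare_loaders(text):
    """Run the same document through SafeLoader and FullLoader side by side."""
    return {
        "SafeLoader": load_with(yaml.SafeLoader, text),
        # Whether FullLoader accepts python/object/apply depends on the installed
        # PyYAML version (which is what the PR discussion is about), so this
        # entry is reported, not relied upon.
        "FullLoader": load_with(yaml.FullLoader, text),
    }


if __name__ == "__main__":
    print("benign config:", load_config(BENIGN_CONFIG))
    for name, result in compare_loaders(PYTHON_TAG_PAYLOAD).items():
        print(f"{name:11s} -> {result}")
```

Running the block prints the parsed benign config, then one line per loader for the tagged payload: SafeLoader always reports `rejected` with a "could not determine a constructor" error, while the FullLoader line is whatever the installed PyYAML version does, which is the version question raised later in this thread. The practical check for a code base is therefore simple: grep for `yaml.load(` and make sure every call either passes `Loader=yaml.SafeLoader` or is replaced by `yaml.safe_load`.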

b1nslashsh commented 2 years ago

@glato what's your thoughts

Thanks

glato commented 2 years ago

@b1nslashsh Thanks for the PR, I'll check this and try to give you feedback by tomorrow.

glato commented 2 years ago

@b1nslashsh Sorry for the delay, I have now had the time to check/review your PR. As far as I understand, the security issue here (taken from https://www.cvedetails.com/cve/CVE-2020-14343) is relevant for PyYAML versions < 5.4. This project is using PyYAML == 5.4 in both the development and master branches (see requirements.txt for all dependencies and versions). Do you have any reference/source/link that identifies this kind of security issue also for the current PyYAML version 5.4? If so, I'd be happy to review and add your contribution. Waiting for your feedback.

glato commented 2 years ago

@b1nslashsh I assume this is no longer relevant, so I will be closing this PR in a couple of days.