magisystem0408 / yolov5-DeepSort-RealSenseD435i

realsense+yolov5+deepsense D435i
GNU General Public License v3.0
16 stars 3 forks

Use SafeLoader in `yaml.load()` Calls #10

Closed pixeebot[bot] closed 10 months ago

pixeebot[bot] commented 1 year ago

This codemod hardens all yaml.load() calls against attacks that could result from deserializing untrusted data.

The fix uses a safety check that already exists in the yaml module, replacing the unsafe loader class with SafeLoader. The changes from this codemod look like this:

  import yaml
  data = b'!!python/object/apply:subprocess.Popen \\n- ls'
- deserialized_data = yaml.load(data, yaml.Loader)
+ deserialized_data = yaml.load(data, Loader=yaml.SafeLoader)
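Review bot: on the `data = ...` line of the sample, `\\n` inside a bytes literal is a literal backslash followed by `n`, not a newline, so the document is one tagged plain scalar rather than the tag plus the `- ls` sequence item the example intends; write the payload with a real `\n` (or a triple-quoted literal) so the before/after pair demonstrates the difference it is meant to. The description should also say that the `+` line does not return sanitised data: `SafeLoader` has no constructor for the `!!python/object/apply` tag, so the hardened call raises `yaml.constructor.ConstructorError` on this input, and any call site that consumed `deserialized_data` needs to handle that exception.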

The codemod will also catch cases where you pass the loader argument as a kwarg, and where you use any loader other than SafeLoader, including FullLoader and UnsafeLoader.

More reading

* https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data

Powered by: pixeebot (codemod ID: pixee:python/harden-pyyaml)
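As an added example (my code, not pixeebot's codemod and not part of this repository), a minimal stand-alone version of what the description above says the codemod does: a stdlib `ast` transformer that rewrites `yaml.load` calls to pass `Loader=yaml.SafeLoader`, whether the loader is given positionally or as a kwarg, and whichever unsafe loader (`Loader`, `FullLoader`, `UnsafeLoader`) it names. It assumes the code under edit spells the call `yaml.load(...)` after `import yaml`; treating `CSafeLoader` as safe and adding a `Loader=` where none was given are my own choices, not behaviour the page attributes to pixee's codemod. The sample source at the bottom is constructed for the demo.

```python
import ast

# Loader names treated as already safe. SafeLoader is the one the codemod
# above targets; CSafeLoader (PyYAML's C-accelerated equivalent) is my addition.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}


def _is_yaml_load(func: ast.expr) -> bool:
    """True for a call spelled exactly `yaml.load(...)` (assumes `import yaml`)."""
    return (
        isinstance(func, ast.Attribute)
        and func.attr == "load"
        and isinstance(func.value, ast.Name)
        and func.value.id == "yaml"
    )


def _is_safe(loader: ast.expr) -> bool:
    """True for `yaml.SafeLoader`, bare `SafeLoader`, or the C variants."""
    if isinstance(loader, ast.Attribute):
        return loader.attr in SAFE_LOADERS
    return isinstance(loader, ast.Name) and loader.id in SAFE_LOADERS


def _safe_loader() -> ast.expr:
    """Build the expression `yaml.SafeLoader`."""
    return ast.Attribute(
        value=ast.Name(id="yaml", ctx=ast.Load()), attr="SafeLoader", ctx=ast.Load()
    )


class HardenPyyaml(ast.NodeTransformer):
    """Rewrite every `yaml.load` call so that it passes `Loader=yaml.SafeLoader`."""

    def __init__(self) -> None:
        self.changes = 0

    def visit_Call(self, node: ast.Call) -> ast.Call:
        self.generic_visit(node)  # handle nested calls in the arguments first
        if not _is_yaml_load(node.func):
            return node

        # Case 1: loader passed positionally, e.g. yaml.load(data, yaml.Loader)
        if len(node.args) >= 2:
            if _is_safe(node.args[1]):
                return node
            node.args = node.args[:1]  # keep the stream, drop the unsafe loader
            node.keywords.append(ast.keyword(arg="Loader", value=_safe_loader()))
            self.changes += 1
            return node

        # Case 2: loader passed as a kwarg, e.g. Loader=yaml.FullLoader / UnsafeLoader
        for kw in node.keywords:
            if kw.arg == "Loader":
                if _is_safe(kw.value):
                    return node
                kw.value = _safe_loader()
                self.changes += 1
                return node

        # Case 3 (my extension, not described on the page): no Loader at all.
        # PyYAML < 5.1 silently used the unsafe Loader here; 6.0+ raises TypeError.
        node.keywords.append(ast.keyword(arg="Loader", value=_safe_loader()))
        self.changes += 1
        return node


def harden(source: str) -> tuple[str, int]:
    """Return (rewritten source, number of calls changed). Needs Python 3.9+ (ast.unparse)."""
    tree = ast.parse(source)
    transformer = HardenPyyaml()
    tree = ast.fix_missing_locations(transformer.visit(tree))
    return ast.unparse(tree), transformer.changes


if __name__ == "__main__":
    # Constructed sample mirroring the PR description's before/after pair,
    # plus the kwarg, already-safe and missing-loader cases.
    SAMPLE = (
        "import yaml\n"
        "data = b'!!python/object/apply:subprocess.Popen\\n- ls'\n"
        "a = yaml.load(data, yaml.Loader)\n"
        "b = yaml.load(data, Loader=yaml.FullLoader)\n"
        "c = yaml.load(data, Loader=yaml.UnsafeLoader)\n"
        "d = yaml.load(data, yaml.SafeLoader)\n"
        "e = yaml.load(data)\n"
    )
    new_source, n = harden(SAMPLE)
    print(f"{n} call(s) hardened\n{new_source}")
```

Two caveats a practitioner would want. First, after the rewrite the sample payload no longer constructs a `subprocess.Popen`: `SafeLoader` has no constructor for the `!!python/object/apply` tag and raises `yaml.constructor.ConstructorError`, so call sites that assumed `yaml.load` always returns data need an `except` for that. Second, this round-trips through `ast`, which discards comments and formatting; a production codemod (pixee's included) works on a concrete syntax tree such as libcst so that the resulting diff touches only the changed call.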

pixeebot[bot] commented 12 months ago

I'm confident in this change, but I'm not a maintainer of this project. Do you see any reason not to merge it?

If this change was not helpful, or you have suggestions for improvements, please let me know!

pixeebot[bot] commented 10 months ago

This change may not be a priority right now, so I'll close it. If there was something I could have done better, please let me know!

You can also customize me to make sure I'm working with you in the way you want.