The dynparam script processes unsanitized parameter input using a known unsafe function of the PyYaml library, yaml.load.
As explained in the library's documentation: "It is not safe to call yaml.load with any data received from an untrusted source! yaml.load is as powerful as pickle.load and so may call any Python function." This category of issue is also recognized as CWE-502: Deserialization of Untrusted Data.
This PR switches to using the yaml.safe_load alternative in the do_set() and do_load() functions. It includes a new test for the dynparam script, which also serves as a proof-of-concept for the issue.
The test in test/test_dynparam.py attempts to load a .yaml file with an insecure input that calls the os.system module. You can verify that the same input will be executed successfully with the current code, in this case returning the contents of the local /etc/passwd file. The yaml.safe_load function correctly blocks the insecure input.
Signed-off by Florencia Cabral florencia.cabralberenfus@canonical.com
The
dynparamscript processes unsanitized parameter input using a known unsafe function of the PyYaml library,yaml.load. As explained in the library's documentation: "It is not safe to call yaml.load with any data received from an untrusted source! yaml.load is as powerful as pickle.load and so may call any Python function." This category of issue is also recognized as CWE-502: Deserialization of Untrusted Data.This PR switches to using the
yaml.safe_loadalternative in thedo_set()anddo_load()functions. It includes a new test for thedynparamscript, which also serves as a proof-of-concept for the issue.The test in
test/test_dynparam.pyattempts to load a .yaml file with an insecure input that calls theos.systemmodule. You can verify that the same input will be executed successfully with the current code, in this case returning the contents of the local/etc/passwdfile. Theyaml.safe_loadfunction correctly blocks the insecure input.Signed-off by Florencia Cabral florencia.cabralberenfus@canonical.com