-
-
Notifications
You must be signed in to change notification settings - Fork 585
/
yaml_load.py
74 lines (61 loc) · 2.21 KB
/
yaml_load.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
#
# Copyright (c) 2016 Rackspace, Inc.
#
# SPDX-License-Identifier: Apache-2.0
r"""
===============================
B506: Test for use of yaml load
===============================
This plugin test checks for the unsafe usage of the ``yaml.load`` function from
the PyYAML package. The yaml.load function provides the ability to construct
an arbitrary Python object, which may be dangerous if you receive a YAML
document from an untrusted source. The function yaml.safe_load limits this
ability to simple Python objects like integers or lists.
Please see
https://pyyaml.org/wiki/PyYAMLDocumentation#LoadingYAML for more information
on ``yaml.load`` and yaml.safe_load
:Example:
.. code-block:: none
>> Issue: [yaml_load] Use of unsafe yaml load. Allows instantiation of
arbitrary objects. Consider yaml.safe_load().
Severity: Medium Confidence: High
CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: examples/yaml_load.py:5
4 ystr = yaml.dump({'a' : 1, 'b' : 2, 'c' : 3})
5 y = yaml.load(ystr)
6 yaml.dump(y)
.. seealso::
- https://pyyaml.org/wiki/PyYAMLDocumentation#LoadingYAML
- https://cwe.mitre.org/data/definitions/20.html
.. versionadded:: 1.0.0
.. versionchanged:: 1.7.3
CWE information added
"""
import bandit
from bandit.core import issue
from bandit.core import test_properties as test
@test.test_id("B506")
@test.checks("Call")
def yaml_load(context):
imported = context.is_module_imported_exact("yaml")
qualname = context.call_function_name_qual
if not imported and isinstance(qualname, str):
return
qualname_list = qualname.split(".")
func = qualname_list[-1]
if all(
[
"yaml" in qualname_list,
func == "load",
not context.check_call_arg_value("Loader", "SafeLoader"),
not context.check_call_arg_value("Loader", "CSafeLoader"),
]
):
return bandit.Issue(
severity=bandit.MEDIUM,
confidence=bandit.HIGH,
cwe=issue.Cwe.IMPROPER_INPUT_VALIDATION,
text="Use of unsafe yaml load. Allows instantiation of"
" arbitrary objects. Consider yaml.safe_load().",
lineno=context.node.lineno,
)