[Med] Snyk - Arbitrary Code Execution (due 9/10)

[lbeaufort]

Vulnerable module: PyYAML

Introduced through: project@0.0.0 › bandit@1.4.0 › PyYAML@3.13 Removed
Introduced through: project@0.0.0 › flask-apispec@0.6.0.post0 › apispec@0.19.0 › PyYAML@3.13
Introduced through: project@0.0.0 › apispec@0.19.0 › PyYAML@3.13

No current remediation path. Best choice is to see what we can swap out for other packages or remove.

After discussing with @vrajmohan and putting in an issue to apispec to address the PyYAML vulnerability, our best approach is to:

• Update the dependent packages to the latest versions: Upgrade to latest apispec and flask-apispec versions #3356
• Fork the packages and use yaml.safe_load() and use those forked versions in our project
• Update apispec to the latest version if they make the change

[vrajmohan]

There appears to be no release of PyYAML _on PyPI _ beyond 3.13 at this time - https://pypi.org/project/PyYAML/#history. There is a 4.1 release on GitHub but the fixes in it appear to be reversed in the 4.2 tree.

Also, note that there is only a single dependency on PyYAML that remains - from apispec.

The dependency from bandit has been eliminated and the dependency from flask_apispec is indirect, through apispec.

[vrajmohan]

Given that the next PyYAML release is not out yet but is due soon (there are some beta releases), my recommendation is to wait on this for another sprint. Tagging @lbeaufort and @patphongs to inform Jay?

[vrajmohan]

Detailed discussion around the PyYAML release fiasco: yaml/pyyaml#193

[lbeaufort]

Per Jay, risk assessment is moderate and we can follow-up in 6.5

[pkfec]

changing the severity to HIGH as reported in snyk:
https://snyk.io/org/fecgov/project/a95ea997-b012-4b3b-a026-2fdbe6ac0398

[PaulClark2]

@pkfec has Jay’s assessment of this issue changed? It looks like this is slated to be worked on this sprint, correct?

[lbeaufort]

@PaulClark2 per Jay, this issue is moderate.

[lbeaufort]

We should try ‘safe_load’: Screenly/Anthias#878 (comment)

[lbeaufort]

After discussing with @vrajmohan and putting in an issue to apispec to address the PyYAML vulnerability, our best approach is to:

• Update the dependent packages to the latest versions: Upgrade to latest apispec and flask-apispec versions #3356
• Fork the packages and use yaml.safe_load() and use those forked versions in our project
• Update apispec to the latest version if they make the change

[lbeaufort]

Update:

I put in a PR that was merged to the apispec library to use yaml.safe_load(), but we still need to:

• address a couple issues with updating to the latest version (see https://github.com/fecgov/apispec/pull/1) - might need to put in another issue
• wait until a new version of apispec is released
• upgrade to that version

[lbeaufort]

Addressed by marshmallow-code/apispec#278 and #3362

[lbeaufort]

Note - snyk is still flagging prance and apispec for using PyYAML but I confirmed that both packages use yaml.safe_load() and not yaml.load() so I silenced the warning in snyk.

[lbeaufort]

@justin5p here's a summary of this issue:

The package that we use (apispec) was using PyYaml's yaml.load() function, which was flagged as a security vulnerability. I put in a change to apispec to use yaml.safe_load() which is the safe version of the load() function. Then, when upgrading to the latest version, we ran into a code problem that was preventing us from using the latest version of apispec. We put in an issue to their repo but haven't heard back, so we forked the latest version and made the code change on our end, then switched to using our forked copy.

At this time, both flagged packages (prance and apispec) use yaml.safe_load() and no longer present a security vulnerability.

Going forward, it would be best to keep an eye on the latest PyYaml release to see if they fix the load issue, and apispec to see if they fix the issue that caused us to need to fork their repo.

Please let me know if you have questions, thanks!