Use of yaml.load instead of yaml.safe_load #1529
Comments
Your reference states:
I have to disagree with that blanket statement. Yes, many (most?) times that is true, but sometimes you might actually want/need the so-called "unsafe" option (otherwise, why would the library offer it?). In any event, there are at least two questions we need to answer:
OK, I thought it worth raising the issue. I see your point with the plugins. I was thinking along the lines of shell access being gained through the configuration file, but, as you state, you need shell access anyway to compile it. I was thinking of a scenario like this:

```yaml
!!python/object/apply:os.system
args: ['useradd bad_user ...']
```

That scenario is completely the fault of the administrator for doing this and of the dev for having bad creds, but they might not be aware what harm can be done simply by deserialising a YAML file. I'll close the issue anyway.
With the upcoming release of PyYAML 5.1, we should update to no longer call the soon-to-be deprecated
I have reviewed the changes to PyYAML and MkDocs' use of the library, and there are not any changes that we need to make. PyYAML 5.1 raises a deprecation warning only when a loader isn't explicitly selected. However, we use our own custom loader, so we always explicitly select a loader. The only possible change to the code we could make is to have our custom loader subclass For the reasons stated in an earlier comment, the benefits of not calling the so-called "safe" version of PyYAML outweigh the risks for MkDocs. Therefore, there is no need or benefit to requiring version 5.1 at this time.
Hi,
I noticed that the yaml module is using load instead of safe_load. It's generally recommended to use safe_load as otherwise, attackers can run arbitrary code through configuration files.
See this OpenStack file
https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html
Happy to raise a PR and swap those with `yaml.safe_load` in mkdocs/mkdocs/utils/__init__.py (line 78 in 34ef3ca).
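The thread above argues over what the unsafe loader buys and costs compared with `yaml.safe_load`. What follows is an added example written for this page, not MkDocs code and not a description of MkDocs' own custom loader: it runs the same `!!python/object/apply:` mechanism as the `os.system` payload quoted in the comments (calling the harmless `os.getcwd` instead, so it has no side effect), shows `yaml.safe_load` refusing that document, and then shows one way to get the middle ground the last maintainer comment alludes to, a `SafeLoader` subclass that re-enables a single tag (`!!python/name:`) only for an allow-list of modules. The class `AllowlistLoader`, its `ALLOWED_MODULES` set and the sample documents are assumptions of this example.

```python
"""Added example for this issue, not MkDocs code: what a python/object/apply
payload does under yaml.load(Loader=yaml.Loader), how yaml.safe_load treats it,
and a SafeLoader subclass that re-enables only an allow-listed python/name tag."""
import importlib
import json
import os

import yaml
from yaml.constructor import ConstructorError

# Constructed document. Same mechanism as the os.system payload in the thread,
# but the callable is os.getcwd, so parsing this file has no side effect.
UNTRUSTED_DOC = "site_name: demo\nhook: !!python/object/apply:os.getcwd []\n"


def load_unsafely(doc):
    """yaml.load with the full Loader: an explicit tag may call any importable Python object."""
    return yaml.load(doc, Loader=yaml.Loader)


def safe_load_rejects(doc):
    """True if yaml.safe_load refuses the document because of an unknown/unsafe tag."""
    try:
        yaml.safe_load(doc)
    except ConstructorError:
        return True
    return False


class AllowlistLoader(yaml.SafeLoader):
    """SafeLoader plus one extra tag, !!python/name:, restricted to ALLOWED_MODULES.

    Both the class and the allow-list policy are this example's own design
    (an assumption), not how MkDocs or PyYAML implements anything.
    """
    ALLOWED_MODULES = frozenset({"json", "markdown"})  # hypothetical allow-list


def _construct_allowed_name(loader, suffix, node):
    """Resolve 'pkg.mod.attr' to the attribute, only if the top-level package is allowed."""
    module_name, _, attr = suffix.rpartition(".")
    top_level = module_name.split(".")[0]
    if not attr or top_level not in AllowlistLoader.ALLOWED_MODULES:
        raise ConstructorError(None, None,
                               "python/name not permitted: %r" % suffix, node.start_mark)
    return getattr(importlib.import_module(module_name), attr)


# Register for every tag starting with the prefix; the remainder is passed as `suffix`.
# add_multi_constructor copies the table, so yaml.SafeLoader itself is not changed.
AllowlistLoader.add_multi_constructor("tag:yaml.org,2002:python/name:", _construct_allowed_name)


def load_allowlisted(doc):
    """yaml.load with the SafeLoader subclass: plain YAML plus the gated python/name tag."""
    return yaml.load(doc, Loader=AllowlistLoader)


def allowlist_rejects(doc):
    """True if AllowlistLoader refuses the document (unknown tag or disallowed module)."""
    try:
        load_allowlisted(doc)
    except ConstructorError:
        return True
    return False


def demo():
    """Run the three loaders over constructed inputs; every value should be True."""
    return {
        # Unsafe loader: the tag executed os.getcwd() while the config was being parsed.
        "unsafe_loader_ran_code": load_unsafely(UNTRUSTED_DOC)["hook"] == os.getcwd(),
        "safe_load_rejected_apply": safe_load_rejects(UNTRUSTED_DOC),
        # Plain data parses the same way under every loader.
        "safe_load_keeps_data": yaml.safe_load("site_name: demo\n") == {"site_name": "demo"},
        "allowlist_rejected_apply": allowlist_rejects(UNTRUSTED_DOC),
        "allowlist_rejected_os_system": allowlist_rejects("cmd: !!python/name:os.system\n"),
        "allowlist_resolved_json_dumps":
            load_allowlisted("ext: !!python/name:json.dumps\n")["ext"] is json.dumps,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-30s %s" % (name, ok))
```

With `yaml.Loader` the `hook:` value is whatever `os.getcwd()` returned, i.e. the configuration file ran code during parsing; substituting `os.system` and a command, as the thread's payload does, is the only difference. The allow-list loader only gates which top-level package a `!!python/name:` tag may reference, so adding `os` or `subprocess` to `ALLOWED_MODULES` would reopen the hole; keep the list to the packages whose callables the config is legitimately meant to name.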