Potential vulnerability with yaml.loader #580
Comments
Funnily enough I was looking into this yesterday! The recent PRs have been failing due to there being an open CVE for They are planning on releasing a new version of I totally agree that we should explore
Yeah, I was a bit confused due to that PR that said it implements
Getting #574 merged is the priority at the moment. If you could look into it that would be great.
Closed as it got solved in 803
Description
I was listening to the Talk Python to Me podcast - the one where they talk about Python vulnerabilities and things that we shouldn't be doing in Python. One of the things they mention was using `yaml.load` instead of `yaml.safe_load`.

I know that when I wrote the bit of code so we can use `!include` I use yaml.loader, so perhaps this should be changed to `yaml.safe_load`. One thing I didn't understand was if the `yaml.loader` is now set as the default safe_load or not. (Mostly due to this issue.)

I tried to swap `yaml.load` for `yaml.safe_load` but tox complained and both the environmental variables and the `!include` tests are failing. Should I dig deeper and try to make the safe_load work?

Also, this article in hackernoon might be interesting for reference about this issue - 10 common security gotchas in Python and how to avoid them
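The usual reason `yaml.safe_load` breaks a custom `!include` tag is that the constructor was registered on the default (unsafe) loader. The added example below is not code from this project or from the issue author; it shows one way to keep `safe_load` semantics by registering `!include` on a `yaml.SafeLoader` subclass, so tags that would instantiate arbitrary Python objects are still rejected while includes keep working. The `IncludeLoader` name, the base-directory restriction on included paths, and the sample documents are assumptions made for the example; the environment-variable tag the issue mentions is not covered because its implementation is not on the page. It requires PyYAML.

```python
# Added example (not the project's own code): keep yaml.safe_load semantics
# while still supporting a custom `!include` tag. IncludeLoader, the
# base-directory policy and the sample documents are assumptions.
import os
import tempfile

import yaml


class IncludeLoader(yaml.SafeLoader):
    """SafeLoader subclass that knows which directory `!include` may read from."""

    def __init__(self, stream, base_dir=None):
        super().__init__(stream)
        # Assumed policy: includes are resolved relative to base_dir only.
        self.base_dir = os.path.realpath(base_dir or os.getcwd())


def _construct_include(loader, node):
    """Resolve `!include other.yaml`, refusing paths that escape base_dir."""
    rel = loader.construct_scalar(node)
    target = os.path.realpath(os.path.join(loader.base_dir, rel))
    if os.path.commonpath([loader.base_dir, target]) != loader.base_dir:
        raise yaml.constructor.ConstructorError(
            None, None, f"include escapes base directory: {rel!r}", node.start_mark)
    with open(target, encoding="utf-8") as fh:
        # Recurse with the same restricted loader so nested includes stay safe.
        return yaml.load(fh, Loader=lambda s: IncludeLoader(s, loader.base_dir))


# Register on IncludeLoader only; the stock SafeLoader is left untouched.
IncludeLoader.add_constructor("!include", _construct_include)


def safe_load_with_includes(text, base_dir):
    """yaml.safe_load equivalent that additionally understands `!include`."""
    return yaml.load(text, Loader=lambda s: IncludeLoader(s, base_dir))


def safe_load_rejects(text):
    """True if plain yaml.safe_load refuses the document (unknown/unsafe tag)."""
    try:
        yaml.safe_load(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


def demo():
    """Constructed sample: a main document that includes a second file."""
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "db.yaml"), "w", encoding="utf-8") as fh:
            fh.write("host: localhost\nport: 5432\n")
        main_doc = "name: app\ndatabase: !include db.yaml\n"
        loaded = safe_load_with_includes(main_doc, base)
        # A path that escapes base_dir is refused, not silently read.
        try:
            safe_load_with_includes("x: !include ../outside.yaml\n", base)
            escaped = False
        except yaml.constructor.ConstructorError:
            escaped = True
        # Tags that would instantiate arbitrary Python objects stay rejected,
        # exactly as with plain yaml.safe_load (benign tag used here).
        rejected = safe_load_rejects("x: !!python/object/apply:os.getcwd []\n")
    return loaded, escaped, rejected


if __name__ == "__main__":
    print(demo())
```

Because the constructor is attached to `IncludeLoader` rather than to `yaml.Loader` or `yaml.FullLoader`, swapping the project's `yaml.load` call for `yaml.load(stream, Loader=IncludeLoader)` keeps the safety properties of `safe_load` without losing `!include`; a tox run would then only need a similar SafeLoader-based constructor for the environment-variable tag.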