Unsafe usage of
yaml.load function detected BAN-B506Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().
62
63 def parse_subs_config(self, config) -> list:
64 try:
65 clash_cfg = yaml.load(config, Loader=yaml.FullLoader)66 except Exception:
67 logger.exception("Not Clash config.")
68 return []Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().
72 def parse_gui_config(self, filename: str) -> list:
73 with open(filename, "r+", encoding="utf-8") as f:
74 try:
75 clash_cfg = yaml.load(f, Loader=yaml.FullLoader)76 except Exception:
77 logger.exception("Not Clash config.")
78 return []Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().
75 def parse_gui_config(self, filename: str) -> list:
76 with open(filename, "r+", encoding="utf-8") as f:
77 try:
78 clash_cfg = yaml.load(f, Loader=yaml.FullLoader)79 except Exception:
80 logger.exception("Not Clash config.")
81 return []Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().
63
64 def parse_subs_config(self, config) -> list:
65 try:
66 clash_cfg = yaml.load(config, Loader=yaml.FullLoader)67 except Exception:
68 logger.exception("Not Clash Subscription.")
69 return []Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().
215 return _config
216
217 def parse_config(self, clash_cfg):
218 clash_cfg = yaml.load(clash_cfg, Loader=yaml.FullLoader)219 for cfg in clash_cfg["proxies"]:
220 _type = cfg.get("type", "N/A").lower()
221 if _type in "ss":
Description
It is not safe to call yaml.load with any data received from an untrusted source.
The yaml.load function provides the ability to construct an arbitrary Python object, which may be dangerous if you receive a YAML document from an untrusted source.
Deserialization of untrusted data exposes application to:
- Parameter tampering attacks: Manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc.
- Remote code execution attacks: Structure of unserialized data is changed to modify the behavior of object being unserialized.
It is recommended to use yaml.safe_load. The function yaml.safe_load limits this ability to simple Python objects like integers or lists.
Bad practice
from flask import request
import yaml
@app.route('/yaml')
def load():
data = request.GET.get("data")
conf = yaml.load(data) # Insecure. Avoid using yaml.load
Recommended
from flask import request
import yaml
@app.route('/yaml')
def load():
data = request.GET.get("data")
conf = yaml.safe_load(data) # Secure
References:
- pyyaml
- Web parameter tampering
- Code injection
- OWASP Top 10 2021 Category A08 - Software and Data Integrity Failures
- SAN Top 25
- CWE 502 - Deserialization of untrusted data