
Replace unsafe `pyyaml` loader with `SafeLoader`

pixee:python/harden-pyyaml

Importance: Medium
Review Guidance: Merge Without Review
Requires Scanning Tool: No

This codemod hardens every yaml.load() call against the arbitrary code execution that deserializing untrusted data with an unsafe loader allows.

The fix relies on a loader that already ships with PyYAML: it replaces the unsafe loader class with SafeLoader, which constructs only standard YAML types and rejects Python-specific tags such as !!python/object/apply. The changes from this codemod look like this:

```diff
  import yaml
  # untrusted input: a tag that makes yaml.Loader call subprocess.Popen(['ls'])
  data = b'!!python/object/apply:subprocess.Popen \n- ls'
- deserialized_data = yaml.load(data, yaml.Loader)
+ deserialized_data = yaml.load(data, Loader=yaml.SafeLoader)
```
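To see why the loader choice matters, the following added example (written for this page, not code from Pixee or PyYAML) feeds three constructed documents to yaml.Loader, FullLoader and SafeLoader. The attack document uses the same !!python/object/apply tag as the diff above but targets a harmless builtin instead of subprocess.Popen, so it runs deterministically offline; the names ATTACK_DOC, NAME_DOC, BENIGN_DOC and the helper functions are assumptions of this example. It also includes a safe_to_construct() check, which is what you would run over real inputs before merging to find documents that depend on Python-specific tags.

```python
import yaml

# Constructed sample documents (not from the page). The attack document uses the
# same !!python/object/apply tag as the page's Popen example, but points it at a
# harmless builtin so the example runs deterministically and offline.
ATTACK_DOC = b"!!python/object/apply:builtins.sorted\n- [3, 1, 2]\n"
# FullLoader still resolves !!python/name, which hands back an arbitrary callable.
NAME_DOC = b"!!python/name:builtins.len ''\n"
# Ordinary configuration data an application actually expects.
BENIGN_DOC = b"service: api\nreplicas: 3\nowner: ops\n"


def load_unsafe(data: bytes):
    """The 'before' state from the page: yaml.Loader honours python/* tags."""
    return yaml.load(data, Loader=yaml.Loader)


def load_full(data: bytes):
    """FullLoader: python/object/apply is gone in PyYAML 6, but python/name still works."""
    return yaml.load(data, Loader=yaml.FullLoader)


def load_safe(data: bytes):
    """The 'after' state: SafeLoader knows only the standard YAML tags."""
    return yaml.load(data, Loader=yaml.SafeLoader)


def try_load(loader_fn, data: bytes):
    """Run one loader and report either ("ok", value) or ("rejected", reason)."""
    try:
        return ("ok", loader_fn(data))
    except yaml.constructor.ConstructorError as exc:
        return ("rejected", exc.problem)


def safe_to_construct(data: bytes) -> bool:
    """True when SafeLoader can build the document, i.e. it carries no
    Python-specific tags. Run this over real inputs to find documents that
    would start failing once the codemod is merged."""
    return try_load(load_safe, data)[0] == "ok"


if __name__ == "__main__":
    docs = [("attack", ATTACK_DOC), ("name", NAME_DOC), ("benign", BENIGN_DOC)]
    loaders = [("Loader", load_unsafe), ("FullLoader", load_full), ("SafeLoader", load_safe)]
    for doc_name, doc in docs:
        for loader_name, fn in loaders:
            print(f"{doc_name:7s} {loader_name:11s} {try_load(fn, doc)}")
```

With yaml.Loader the attack document actually calls sorted([3, 1, 2]) and returns [1, 2, 3], which is the same mechanism that would run Popen in the page's example; SafeLoader refuses both tagged documents with a ConstructorError and still parses the benign configuration normally.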

The codemod also catches the case where the loader is passed as a keyword argument (Loader=...), and it replaces any loader other than SafeLoader, including FullLoader and UnsafeLoader. FullLoader is not a safe substitute: it still resolves Python-specific tags, and earlier PyYAML releases had arbitrary code execution bypasses in it (CVE-2020-1747, CVE-2020-14343).
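The matching rule above (positional or keyword loader, anything other than SafeLoader) is easy to reproduce as a small ast-based detector and rewriter, shown here as an added example written for this page rather than the codemod's own implementation, which uses a concrete syntax tree. SAMPLE_SOURCE is a constructed module covering each call shape; treating CSafeLoader as safe is an assumption of this example, since the page only names SafeLoader. A call with no loader at all is also flagged, because PyYAML before 6.0 silently fell back to FullLoader in that case.

```python
import ast

# Constructed sample module (not from the page). It covers the call shapes the
# codemod is described as recognising: a positional loader, a keyword loader,
# FullLoader, UnsafeLoader, an already-hardened call and a call with no loader.
SAMPLE_SOURCE = """
import yaml

a = yaml.load(data, yaml.Loader)
b = yaml.load(data, Loader=yaml.FullLoader)
c = yaml.load(data, Loader=yaml.UnsafeLoader)
d = yaml.load(data, Loader=yaml.SafeLoader)
e = yaml.load(data)
"""

# The page's rule is "anything other than SafeLoader". CSafeLoader is added
# here on the assumption that its C-backed SafeConstructor is equivalent.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}


def _is_yaml_load(call: ast.Call) -> bool:
    """True for a call spelled exactly `yaml.load(...)`."""
    func = call.func
    return (isinstance(func, ast.Attribute) and func.attr == "load"
            and isinstance(func.value, ast.Name) and func.value.id == "yaml")


def _loader_name(call: ast.Call):
    """Name of the loader argument (positional or `Loader=` kwarg), or None."""
    node = call.args[1] if len(call.args) >= 2 else None
    for kw in call.keywords:
        if kw.arg == "Loader":
            node = kw.value
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def find_unsafe_yaml_loads(source: str):
    """Return (line number, loader name or None) for every yaml.load call
    whose loader is not in SAFE_LOADERS, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _is_yaml_load(node):
            loader = _loader_name(node)
            if loader not in SAFE_LOADERS:
                findings.append((node.lineno, loader))
    return sorted(findings)


class _Harden(ast.NodeTransformer):
    """Rewrite every flagged call to yaml.load(<stream>, Loader=yaml.SafeLoader)."""

    def visit_Call(self, node: ast.Call) -> ast.Call:
        self.generic_visit(node)
        if _is_yaml_load(node) and _loader_name(node) not in SAFE_LOADERS:
            node.args = node.args[:1]  # drop a positional loader, keep the stream
            node.keywords = [kw for kw in node.keywords if kw.arg != "Loader"]
            node.keywords.append(ast.keyword(
                arg="Loader",
                value=ast.Attribute(value=ast.Name(id="yaml", ctx=ast.Load()),
                                    attr="SafeLoader", ctx=ast.Load())))
        return node


def harden(source: str) -> str:
    """Return the rewritten module text. ast.unparse drops comments and the
    original formatting, which is why a production codemod works on a CST."""
    tree = _Harden().visit(ast.parse(source))
    return ast.unparse(ast.fix_missing_locations(tree))


if __name__ == "__main__":
    for lineno, loader in find_unsafe_yaml_loads(SAMPLE_SOURCE):
        print(f"line {lineno}: loader {loader!r} is not SafeLoader")
    print(harden(SAMPLE_SOURCE))
```

The detector only recognises the literal spelling yaml.load; aliases such as `from yaml import load` or `import yaml as y` need their own import tracking, which is one reason a scanning tool is not required for this codemod but a real implementation resolves names properly.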

If you have feedback on this codemod, please let us know!

F.A.Q.

Why is this codemod marked as Merge Without Review?

This codemod replaces any unsafe loader with SafeLoader, which is the replacement the PyYAML documentation itself recommends. We believe this replacement is safe and should not result in any issues. The one behavioral change to be aware of: a document that relies on Python-specific tags (!!python/...) will now raise yaml.constructor.ConstructorError instead of being constructed, and such documents are exactly the input this codemod is meant to block.

Codemod Settings

N/A
