Skip to main content

Use `typ='safe'` in ruamel.yaml() Calls

pixee:python/harden-ruamel

ImportanceReview GuidanceRequires Scanning Tool
MediumMerge Without ReviewNo

This codemod hardens any unsafe ruamel.yaml.YAML() calls against attacks that could result from deserializing untrusted data.

The fix uses a safety check that already exists in the ruamel module, replacing an unsafe typ argument with typ="safe". The changes from this codemod look like this:

  from ruamel.yaml import YAML
- serializer = YAML(typ="unsafe")
- serializer = YAML(typ="base")
+ serializer = YAML(typ="safe")
+ serializer = YAML(typ="safe")

If you have feedback on this codemod, please let us know!

F.A.Q.

Why is this codemod marked as Merge Without Review?

This codemod replaces any unsafe typ argument with typ='safe', which makes safety explicit and is one of the recommended uses suggested in ruamel documentation. We believe this replacement is safe and should not result in any issues.

Codemod Settings

N/A

References