-
Notifications
You must be signed in to change notification settings - Fork 520
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Deprecate/warn usage of yaml.load(input)
The `load` and `load_all` methods will issue a warning when they are called without the 'Loader=' parameter. The warning will point to a URL that is always up to date with the latest information on the usage of `load`. There are several ways to stop the warning: * Use `full_load(input)` - sugar for `yaml.load(input, FullLoader)` * FullLoader is the new safe but complete loader class * Use `safe_load(input)` - sugar for `yaml.load(input, SafeLoader)` * Make sure your input YAML consists of the 'safe' subset * Use `unsafe_load(input)` - sugar for `yaml.load(input, UnsafeLoader)` * Make sure your input YAML consists of the 'safe' subset * Use `yaml.load(input, Loader=yaml.<loader>)` * Or shorter `yaml.load(input, yaml.<loader>)` * Where '<loader>' can be: * FullLoader - safe, complete Python YAML loading * SafeLoader - safe, partial Python YAML loading * UnsafeLoader - more explicit name for the old, unsafe 'Loader' class * yaml.warnings({'YAMLLoadWarning': False}) * Use this when you use third party modules that use `yaml.load(input)` * Only do this if input is trusted The above `load()` expressions all have `load_all()` counterparts. You can get the original unsafe behavior with: * `yaml.unsafe_load(input)` * `yaml.load(input, Loader=yaml.UnsafeLoader)` In a future release, `yaml.load(input)` will raise an exception. The new loader called FullLoader is almost entirely complete as Loader/UnsafeLoader but it does it avoids all known code execution paths. It is the preferred YAML loader, and the current default for `yaml.load(input)` when you get the warning. Here are some of the exploits that can be triggered with UnsafeLoader but not with FullLoader: ``` python -c 'import os, yaml; yaml.full_load("!!python/object/new:os.system [echo EXPLOIT!]")'` python -c 'import yaml; print yaml.full_load("!!python/object/new:abs [-5]")' python -c 'import yaml; yaml.full_load("!!python/object/new:eval [exit(5)]")' ; echo $? python -c 'import yaml; yaml.full_load("!!python/object/new:exit [5]")' ; echo $?
- Loading branch information
1 parent
d13a3d0
commit 0cedb2a
Showing
8 changed files
with
228 additions
and
64 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.