ajinabraham.njsscan.eval.eval_yaml_deserialize.yaml_deserialize

Author: ajinabraham

User-controlled data passed to js-yaml's 'yaml.load()' can result in remote code execution. In js-yaml releases before 4.0, 'load()' parsed with the full default schema, which accepts JavaScript-specific tags such as '!!js/function', so an attacker-supplied document can define code that runs when the application later uses the parsed value (and, before 3.13.1, during parsing itself). Parse untrusted input with 'yaml.safeLoad()' on 3.x, or upgrade to js-yaml 4, where 'load()' is safe by default and the JS tags were moved to a separate package, and pin an explicit schema such as 'JSON_SCHEMA' so the behaviour does not depend on the library version.

Definition

rules:
  - id: yaml_deserialize
    patterns:
      - pattern-inside: |
          require('js-yaml')
          ...
      - pattern: |
          $X.load(...)
    message: User controlled data in 'yaml.load()' function can result in Remote
      Code Injection.
    languages:
      - javascript
    severity: ERROR
    metadata:
      owasp-web: a8
      cwe: cwe-502
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other
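As written, the rule matches any '$X.load(...)' call in a file that also calls 'require(&#39;js-yaml&#39;)'; it does not check that '$X' is the js-yaml module or which schema (if any) is passed, so it flags the safe call as well as the unsafe one, and it does not match a destructured 'const { load } = require(&#39;js-yaml&#39;)' followed by a bare 'load(data)'. The remediation is therefore to make the safe call explicit. The following is an added example, not code from njsscan or from js-yaml: a loader for untrusted YAML with the schema pinned, plus a pre-parse guard against JavaScript tags. The js-yaml module is passed in as an argument so the wrapper can be exercised without the dependency installed; 'loadUntrusted', 'hasJsTags' and the 'maxBytes' option are names chosen for this example, while 'JSON_SCHEMA' and the 'schema' and 'json' load options are real js-yaml APIs.

```javascript
// Added example (not part of the njsscan rule or of js-yaml).
//
// Vulnerable shape the rule flags (do not call with request data on js-yaml < 4):
//   const cfg = yaml.load(req.body.config);
//
// js-yaml < 4.0: load() uses a schema that honours !!js/function, !!js/regexp
// and !!js/undefined, so the document above can carry attacker-defined code.
// js-yaml >= 4.0: load() is safe by default; the JS tags live in a separate
// package. Pinning the schema makes the call safe on either line.

// Tag prefix used by js-yaml's JavaScript types. This is only a defence-in-depth
// check on the raw text: it also rejects a harmless string that happens to contain
// "!!js/", and it does not catch the verbatim form !<tag:yaml.org,2002:js/function>.
// The schema passed to load() is the real control.
const UNSAFE_TAG = /!!js\//;

// Returns true when the raw document contains a "!!js/..." tag.
function hasJsTags(text) {
  return UNSAFE_TAG.test(text);
}

// Hardened loader. `yaml` is the js-yaml module supplied by the caller
// (e.g. loadUntrusted(body, require('js-yaml'))). `maxBytes` is an assumed
// size limit for this example, not a js-yaml option.
function loadUntrusted(text, yaml, { maxBytes = 64 * 1024 } = {}) {
  if (typeof text !== 'string') {
    throw new TypeError('YAML input must be a string');
  }
  if (Buffer.byteLength(text, 'utf8') > maxBytes) {
    throw new RangeError('YAML document too large');
  }
  if (hasJsTags(text)) {
    throw new Error('JavaScript-specific YAML tags are not allowed');
  }
  // JSON_SCHEMA: only the types JSON can express (no !!js/*, no !!binary, ...).
  // json: true makes duplicate keys behave like JSON.parse instead of throwing.
  // Never spread caller-controlled options into this object: an attacker who
  // can set `schema` gets the unsafe behaviour back.
  return yaml.load(text, { schema: yaml.JSON_SCHEMA, json: true });
}

if (typeof module !== 'undefined') {
  module.exports = { hasJsTags, loadUntrusted };
}
```

Call it as loadUntrusted(req.body.config, require('js-yaml')) in place of yaml.load(req.body.config); on js-yaml 3.x the same options can be passed to safeLoad(), and on 4.x the explicit schema is redundant but harmless and documents the intent for reviewers and for rules like this one.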