gitlab.bandit.B506


Avoid using load(). PyYAML.load can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use safe_load() instead.


Definition

rules:
  - id: bandit.B506
    patterns:
      - pattern-inside: |
          import yaml
          ...
          yaml.load($FOO)
      - pattern: yaml.load($FOO)
    message: |
      Avoid using `load()`. `PyYAML.load` can create arbitrary Python
      objects. A malicious actor could exploit this to run arbitrary
      code. Use `safe_load()` instead.
    metadata:
      cwe: "CWE-502: Deserialization of Untrusted Data"
      owasp: "A8: Insecure Deserialization"
      primary_identifier: bandit.B506
      secondary_identifiers:
        - name: Bandit Test ID B506
          type: bandit_test_id
          value: B506
      license: MIT
    severity: ERROR
    languages:
      - python
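The rule above matches the single-argument call shape `yaml.load($FOO)` anywhere after an `import yaml`. As an added example, not code from Semgrep, Bandit or GitLab, here is a small stdlib-only checker that walks a module's AST and reports the same finding, so the rule's logic can be seen and tested without Semgrep installed. It goes slightly beyond the rule: it also follows `import yaml as <alias>`, and it flags calls that pass an explicit `Loader=yaml.Loader` or `Loader=yaml.UnsafeLoader` (the full-power loaders), which the one-argument pattern does not match. The sample module it scans is constructed for this example.

```python
import ast

# Constructed sample module for the checker to scan; not from any real project.
SAMPLE_SOURCE = '''
import yaml

def parse_config(text):
    return yaml.load(text)                        # finding: no Loader given

def parse_legacy(text):
    return yaml.load(text, Loader=yaml.Loader)    # finding: full loader, builds arbitrary objects

def parse_trusted(text):
    return yaml.load(text, Loader=yaml.SafeLoader)  # clean: explicit safe loader

def parse_safe(text):
    return yaml.safe_load(text)                   # clean: the recommended call
'''

# Loader classes that expose the full constructor set (python/object tags etc.).
UNSAFE_LOADERS = {"Loader", "UnsafeLoader"}


def yaml_module_aliases(tree):
    """Names the yaml module is bound to, mirroring the rule's `import yaml` requirement."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "yaml":
                    names.add(alias.asname or "yaml")
    return names


def loader_argument(call):
    """Return the Loader argument of a yaml.load call (positional or keyword), or None."""
    if len(call.args) >= 2:
        return call.args[1]
    for kw in call.keywords:
        if kw.arg == "Loader":
            return kw.value
    return None


def find_unsafe_yaml_loads(source):
    """Return (line_number, reason) for each risky yaml.load(...) call in `source`."""
    tree = ast.parse(source)
    aliases = yaml_module_aliases(tree)
    if not aliases:
        return []  # like pattern-inside: no `import yaml`, no finding
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        is_yaml_load = (
            isinstance(func, ast.Attribute)
            and func.attr == "load"
            and isinstance(func.value, ast.Name)
            and func.value.id in aliases
        )
        if not is_yaml_load:
            continue
        loader = loader_argument(node)
        if loader is None:
            findings.append((node.lineno, "yaml.load() without Loader; use yaml.safe_load()"))
        elif isinstance(loader, ast.Attribute) and loader.attr in UNSAFE_LOADERS:
            findings.append((node.lineno, f"Loader={loader.attr} can construct arbitrary objects; use yaml.safe_load()"))
    return findings


if __name__ == "__main__":
    for line, reason in find_unsafe_yaml_loads(SAMPLE_SOURCE):
        print(f"line {line}: {reason}")
```

Running it on the sample prints two findings (lines 5 and 8) and stays silent on the `SafeLoader` and `safe_load` calls; the fix in every flagged case is the one the rule message gives, `yaml.safe_load()`.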