python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel
Author: semgrep
Download count: 8,261
Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead.
Definition
rules:
  - id: avoid-unsafe-ruamel
    metadata:
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      references:
        - https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ
      category: security
      technology:
        - ruamel.yaml
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - "Insecure Deserialization "
    languages:
      - python
    message: Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create
      arbitrary Python objects. A malicious actor could exploit this to run
      arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead.
    severity: ERROR
    pattern-either:
      - pattern: ruamel.yaml.YAML(..., typ='unsafe', ...)
      - pattern: ruamel.yaml.YAML(..., typ='base', ...)
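The two `pattern` clauses above can be mirrored outside Semgrep with the standard library's `ast` module, which is useful for a pre-commit hook or a quick audit of a code base without a Semgrep install. The checker below is an added example, not part of the Semgrep rule or of ruamel.yaml, and goes slightly beyond the rule: it resolves the import forms `from ruamel.yaml import YAML`, `import ruamel.yaml` and `import ruamel.yaml as ...` the way Semgrep does implicitly, and it also flags the list form `typ=[...]` that ruamel.yaml accepts whenever the list contains `'unsafe'` or `'base'` (treating any such list as unsafe is a conservative assumption). The class and function names and the sample source are constructed for the example.

```python
import ast

# The two typ values the rule's patterns match.
UNSAFE_TYPS = {"unsafe", "base"}


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return None if base is None else f"{base}.{node.attr}"
    return None


def _typ_values(node):
    """Literal string(s) passed as typ=..., or None when the value is not a literal."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return {node.value}
    if isinstance(node, ast.List):  # typ=['unsafe', ...] list form (assumption: flag it)
        return {e.value for e in node.elts
                if isinstance(e, ast.Constant) and isinstance(e.value, str)}
    return None


class UnsafeRuamelFinder(ast.NodeVisitor):
    """Collects (line, [typ values]) for every ruamel.yaml.YAML(typ=...) call that
    selects the unsafe or base loader, resolving import aliases first."""

    def __init__(self):
        self.aliases = {}   # local name -> fully qualified dotted name
        self.findings = []  # (lineno, sorted unsafe typ values)

    def visit_Import(self, node):
        for alias in node.names:  # import ruamel.yaml [as ry]
            self.aliases[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        for alias in node.names:  # from ruamel.yaml import YAML [as Y]
            if node.module:
                self.aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
        self.generic_visit(node)

    def _resolve(self, func):
        dotted = _dotted(func)
        if dotted is None:
            return None
        parts = dotted.split(".")
        # Longest imported prefix wins: 'ry.YAML' -> 'ruamel.yaml' + '.YAML'.
        for i in range(len(parts), 0, -1):
            prefix = ".".join(parts[:i])
            if prefix in self.aliases:
                rest = parts[i:]
                return self.aliases[prefix] + ("." + ".".join(rest) if rest else "")
        return dotted

    def visit_Call(self, node):
        if self._resolve(node.func) == "ruamel.yaml.YAML":
            for kw in node.keywords:
                if kw.arg == "typ":
                    values = _typ_values(kw.value)
                    if values and values & UNSAFE_TYPS:
                        self.findings.append((node.lineno, sorted(values & UNSAFE_TYPS)))
        self.generic_visit(node)


def find_unsafe_ruamel(source: str):
    """Run the finder over Python source text and return its findings in source order."""
    finder = UnsafeRuamelFinder()
    finder.visit(ast.parse(source))
    return finder.findings


# Constructed sample source covering the three import forms and both loaders.
SAMPLE_SOURCE = '''
from ruamel.yaml import YAML
import ruamel.yaml
import ruamel.yaml as ry

y1 = YAML()                                   # default typ is 'rt': not flagged
y2 = YAML(typ='safe')                         # not flagged
y3 = YAML(typ='unsafe')                       # flagged (line 8)
y4 = ruamel.yaml.YAML(typ='base', pure=True)  # flagged (line 9)
y5 = ry.YAML(typ=['unsafe', 'pytypes'])       # flagged, list form (line 10)
'''


if __name__ == "__main__":
    for lineno, typs in find_unsafe_ruamel(SAMPLE_SOURCE):
        print(f"line {lineno}: ruamel.yaml.YAML(typ={typs}) selects an unsafe loader")
```

Like the Semgrep patterns, this only sees literal `typ` values; a `typ` taken from a variable or a function argument is reported by neither and is where a manual review of the call sites still matters.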
Examples
avoid-unsafe-ruamel.py
from ruamel.yaml import YAML
#ok:avoid-unsafe-ruamel
y1 = YAML() # default is 'rt'
#ok:avoid-unsafe-ruamel
y2 = YAML(typ='rt') # round-trip loader, explicit
#ok:avoid-unsafe-ruamel
y3 = YAML(typ='safe') # safe loader: plain dicts, lists and scalars only
#ruleid:avoid-unsafe-ruamel
y3 = YAML(typ='unsafe') # unsafe loader: constructs arbitrary Python objects
#ruleid:avoid-unsafe-ruamel
y4 = YAML(typ='base') # base loader: also flagged by the rule
Short Link: https://sg.run/x1rz