python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel

semgrep

Author

8,261

Download Count*

License

Avoid using unsafe ruamel.yaml.YAML(). ruamel.yaml.YAML can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use YAML(typ='rt') or YAML(typ='safe') instead.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: avoid-unsafe-ruamel
    metadata:
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      references:
        - https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ
      category: security
      technology:
        - ruamel.yaml
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - "Insecure Deserialization "
    languages:
      - python
    message: Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create
      arbitrary Python objects. A malicious actor could exploit this to run
      arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead.
    severity: ERROR
    pattern-either:
      - pattern: ruamel.yaml.YAML(..., typ='unsafe', ...)
      - pattern: ruamel.yaml.YAML(..., typ='base', ...)

Examples

avoid-unsafe-ruamel.py

from ruamel.yaml import YAML

#ok:avoid-unsafe-ruamel
y1 = YAML()  # default is 'rt'

#ok:avoid-unsafe-ruamel
y2 = YAML(typ='rt')

#ok:avoid-unsafe-ruamel
y3 = YAML(typ='safe')

#ruleid:avoid-unsafe-ruamel
y3 = YAML(typ='unsafe')

#ruleid:avoid-unsafe-ruamel
y4 = YAML(typ='base')

Short Link: https://sg.run/x1rz