Swap out yaml.load() for yaml.safe_load() #102
Labels
Comments
|
Thanks for the report, this was actually fixed in an older branch which was left hanging. |
|
Ah, that makes sense-- looking forward to the commits that harden things here. We appreciate your time! |
|
@mikakoi can this be closed? |
|
No, it's not fixed yet. The fix is coming in the easyconfig pull request. |
|
Fixed in 0.4.0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In main_controller.py, there's quite a few calls to yaml.load() which if they currently (or in the future) are passed data from outside the application or in other scenarios, such as over the web for various interactions, there's deserialization issues that could lead to arbitrary code execution.
"It is not safe to call yaml.load with any data received from an untrusted source! yaml.load is as powerful as pickle.load and so may call any Python function."
So if you're able to swap those out for yaml.safe_load() or just use JSON instead, that'd mitigate those risks here. We didn't test writing full exploit, but it's easy enough to harden things.
A couple references:
https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html
https://code.tutsplus.com/tutorials/serialization-and-deserialization-of-python-objects-part-2--cms-26184
The text was updated successfully, but these errors were encountered: