Stowage/pyyaml
2
0
Fork 0
mirror of https://github.com/yaml/pyyaml.git synced 2025-11-09 13:11:04 +00:00
Code Issues Projects Releases Packages Wiki Activity

Deprecate/warn usage of yaml.load(input)

Browse source 
The `load` and `load_all` methods will issue a warning when they are
called without the 'Loader=' parameter. The warning will point to a URL
that is always up to date with the latest information on the usage of
`load`.

There are several ways to stop the warning:

* Use `full_load(input)` - sugar for `yaml.load(input, FullLoader)`
  * FullLoader is the new safe but complete loader class
* Use `safe_load(input)` - sugar for `yaml.load(input, SafeLoader)`
  * Make sure your input YAML consists of the 'safe' subset
* Use `unsafe_load(input)` - sugar for `yaml.load(input, UnsafeLoader)`
  * Make sure your input YAML consists of the 'safe' subset
* Use `yaml.load(input, Loader=yaml.<loader>)`
  * Or shorter `yaml.load(input, yaml.<loader>)`
  * Where '<loader>' can be:
    * FullLoader - safe, complete Python YAML loading
    * SafeLoader - safe, partial Python YAML loading
    * UnsafeLoader - more explicit name for the old, unsafe 'Loader' class
* yaml.warnings({'YAMLLoadWarning': False})
  * Use this when you use third party modules that use `yaml.load(input)`
  * Only do this if input is trusted

The above `load()` expressions all have `load_all()` counterparts.

You can get the original unsafe behavior with:
* `yaml.unsafe_load(input)`
* `yaml.load(input, Loader=yaml.UnsafeLoader)`

In a future release, `yaml.load(input)` will raise an exception.

The new loader called FullLoader is almost entirely complete as
Loader/UnsafeLoader but it does it avoids all known code execution
paths. It is the preferred YAML loader, and the current default for
`yaml.load(input)` when you get the warning.

Here are some of the exploits that can be triggered with UnsafeLoader
but not with FullLoader:
```
python -c 'import os, yaml; yaml.full_load("!!python/object/new:os.system [echo EXPLOIT!]")'`
python -c 'import yaml; print yaml.full_load("!!python/object/new:abs [-5]")'
python -c 'import yaml; yaml.full_load("!!python/object/new:eval [exit(5)]")' ; echo $?
python -c 'import yaml; yaml.full_load("!!python/object/new:exit [5]")' ; echo $?
This commit is contained in:
Ingy döt Net 2019-02-17 19:22:58 -08:00
parent d13a3d0f96
commit 0cedb2a069
8 changed files with 228 additions and 64 deletions
Download patch file Download diff file Expand all files Collapse all files

6
tests/lib/test_errors.py
View file

@ -3,7 +3,7 @@ import yaml, test_emitter
def test_loader_error(error_filename, verbose=False):
try:
list(yaml.load_all(open(error_filename, 'rb')))
list(yaml.load_all(open(error_filename, 'rb'), yaml.FullLoader))
except yaml.YAMLError, exc:
if verbose:
print "%s:" % exc.__class__.__name__, exc
@ -14,7 +14,7 @@ test_loader_error.unittest = ['.loader-error']
def test_loader_error_string(error_filename, verbose=False):
try:
list(yaml.load_all(open(error_filename, 'rb').read()))
list(yaml.load_all(open(error_filename, 'rb').read(), yaml.FullLoader))
except yaml.YAMLError, exc:
if verbose:
print "%s:" % exc.__class__.__name__, exc
@ -25,7 +25,7 @@ test_loader_error_string.unittest = ['.loader-error']
def test_loader_error_single(error_filename, verbose=False):
try:
yaml.load(open(error_filename, 'rb').read())
yaml.load(open(error_filename, 'rb').read(), yaml.FullLoader)
except yaml.YAMLError, exc:
if verbose:
print "%s:" % exc.__class__.__name__, exc