Deserialization of Untrusted Data in the PyYAML Module

📐 PY522
🏷️ deserialization_of_untrusted_data
ℹ️ CWE-502
⚠️ Warning
🔒 Professional Plan

The Python PyYAML module provides a way to parse and generate YAML data. However, a malicious YAML string can be used to attack an application that parses it with a loader other than the safe one. For example, a crafted document can make the loader consume considerable CPU and memory, leading to a denial-of-service attack, and non-safe loaders also honour YAML tags that instruct PyYAML to construct arbitrary Python objects from the input, which is the deserialization weakness tracked as CWE-502.

Example

import yaml


# Flagged: no Loader argument. PyYAML 6 and later refuse this call outright;
# older releases fall back to a non-safe default loader.
yaml.load("{}")

Remediation

To avoid this vulnerability, only parse YAML data from trusted sources. If you must parse YAML data from an untrusted source, validate the data first so that nothing beyond the expected plain values reaches the loader. You can also switch to the safe_load function, or pass yaml.SafeLoader as the Loader argument to yaml.load; both restrict the parser to plain YAML types and reject tags that would construct arbitrary Python objects.

import yaml


# safe_load uses SafeLoader, which only builds plain YAML types
yaml.safe_load("{}")

False Positives

In the case of a false positive, the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY522) or the rule category name (deserialization_of_untrusted_data).

import yaml


# suppress: PY522
yaml.load("{}")

See also