Deserialization of Untrusted Data in the ruamel.yaml Module
The Python ruamel.yaml module provides a way to parse and generate YAML data.
However, it is important to be aware that malicious YAML strings can be used
to attack applications that use the ruamel.yaml module. For example, a malicious
YAML string could cause the decoder to consume considerable CPU and memory
resources, which could lead to a denial-of-service attack.
Example
from ruamel.yaml import YAML
yaml = YAML(typ='unsafe')
Remediation
To avoid this vulnerability, only parse YAML data from trusted sources. If you
are parsing YAML data from an untrusted source, first sanitize the data to
remove any potentially malicious content. You can also switch to the safe
version of YAML:
from ruamel.yaml import YAML
yaml = YAML(typ='safe')
False Positives
In the case of a false positive the rule can be suppressed. Simply add a
trailing or preceding comment line with either the rule ID (PY525) or the
rule category name (deserialization_of_untrusted_data).
Using rule ID:
from ruamel.yaml import YAML
# suppress: PY525
yaml = YAML(typ='unsafe')

Using category name:
from ruamel.yaml import YAML
# suppress: deserialization_of_untrusted_data
yaml = YAML(typ='unsafe')
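As an added example (not part of this rule page or of the tool it documents), the following standard-library-only checker shows how the remediation and the suppression mechanism above fit together: it flags every YAML(typ='unsafe') call while leaving typ='safe' alone, and it honours a "# suppress: PY525" or "# suppress: deserialization_of_untrusted_data" comment on the same line or the line before. The scanned module SAMPLE is constructed for the demonstration and is only parsed, never executed; the finding message wording is an assumption of this example.

```python
import ast
import io
import tokenize

RULE_ID = "PY525"
RULE_CATEGORY = "deserialization_of_untrusted_data"

# Constructed sample module to scan; it is parsed with ast/tokenize, never imported.
SAMPLE = """\
from ruamel.yaml import YAML
loader = YAML(typ='unsafe')            # flagged
safe_loader = YAML(typ='safe')         # safe loader, not flagged
# suppress: PY525
reviewed = YAML(typ='unsafe')          # suppressed by the preceding comment
audited = YAML(typ='unsafe')  # suppress: deserialization_of_untrusted_data
"""


def _is_unsafe_yaml_call(node):
    """True for YAML(typ='unsafe'), whether written as YAML(...) or ruamel.yaml.YAML(...)."""
    func = node.func
    name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
    if name != "YAML":
        return False
    return any(kw.arg == "typ" and isinstance(kw.value, ast.Constant) and kw.value.value == "unsafe"
               for kw in node.keywords)


def _suppressions(source):
    """Map line number -> set of rule IDs / categories named in a '# suppress: ...' comment."""
    by_line = {}
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT:
            body = tok.string.lstrip("#").strip()
            if body.lower().startswith("suppress:"):
                names = {p.strip() for p in body[len("suppress:"):].split(",") if p.strip()}
                by_line.setdefault(tok.start[0], set()).update(names)
    return by_line


def check_source(source):
    """Return [(line, message)] for every YAML(typ='unsafe') call that is not suppressed."""
    suppressed = _suppressions(source)
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _is_unsafe_yaml_call(node):
            # A suppression counts if it is trailing (same line) or preceding (line before).
            nearby = suppressed.get(node.lineno, set()) | suppressed.get(node.lineno - 1, set())
            if {RULE_ID, RULE_CATEGORY} & nearby:
                continue
            findings.append((node.lineno, f"{RULE_ID}: YAML(typ='unsafe') on untrusted input; use typ='safe'"))
    return findings
```

Running check_source(SAMPLE) reports a single finding, for line 2; the safe loader and the two suppressed calls produce none.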