Deserialization of Untrusted Data in the ruamel.yaml Module

PY525

deserialization_of_untrusted_data

CWE-502

⚠️ Warning

🔒 Professional Plan

---

The Python ruamel.yaml module provides a way to parse and generate YAML data. However, it is important to be aware that malicious YAML strings can be used to attack applications that use the json module. For example, a malicious YAML string could be used to cause the decoder to consume considerable CPU and memory resources, which could lead to a denial-of-service attack.

Example

---

warning

from ruamel.yaml import YAML


yaml = YAML(typ='unsafe')

Remediation

---

fix

To avoid this vulnerability, it is important to only parse YAML data from trusted sources. If you are parsing YAML data from an untrusted source, you should first sanitize the data to remove any potential malicious code. You can also switch to the safe version of YAML as well.

from ruamel.yaml import YAML


yaml = YAML(typ='safe')

False Positives

---

In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY525) or rule category name (deserialization_of_untrusted_data).

Using rule ID

fix

from ruamel.yaml import YAML


# suppress: PY525
yaml = YAML(typ='unsafe')

Using category name

fix

from ruamel.yaml import YAML


# suppress: deserialization_of_untrusted_data
yaml = YAML(typ='unsafe')

See also

---

info

• ruamel.yaml Documentation
• CWE-502: Deserialization of Untrusted Data