Home Explore Help
Sign In
sintez
/
py_task
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 609422c2ac
Branches Tags
py_task
/
venv
/
lib
/
python3.9
/
site-packages
/
bandit
/
plugins
/
yaml_load.py

yaml_load.py 2.3 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576 
  1. #
    2. 

  2. # Copyright (c) 2016 Rackspace, Inc.
    3. 

  3. #
    4. 

  4. # SPDX-License-Identifier: Apache-2.0
    5. 

  5. r"""
    6. 

  6. ===============================
    7. 

  7. B506: Test for use of yaml load
    8. 

  8. ===============================
    9. 

  9. 

  10. This plugin test checks for the unsafe usage of the ``yaml.load`` function from
    11. 

  11. the PyYAML package. The yaml.load function provides the ability to construct
    12. 

  12. an arbitrary Python object, which may be dangerous if you receive a YAML
    13. 

  13. document from an untrusted source. The function yaml.safe_load limits this
    14. 

  14. ability to simple Python objects like integers or lists.
    15. 

  15. 

  16. Please see
    17. 

  17. https://pyyaml.org/wiki/PyYAMLDocumentation#LoadingYAML for more information
    18. 

  18. on ``yaml.load`` and yaml.safe_load
    19. 

  19. 

  20. :Example:
    21. 

  21. 

  22. .. code-block:: none
    23. 

  23. 

  24.     >> Issue: [yaml_load] Use of unsafe yaml load. Allows instantiation of
    25. 

  25.        arbitrary objects. Consider yaml.safe_load().
    26. 

  26.        Severity: Medium   Confidence: High
    27. 

  27.        CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
    28. 

  28.        Location: examples/yaml_load.py:5
    29. 

  29.     4 ystr = yaml.dump({'a' : 1, 'b' : 2, 'c' : 3})
    30. 

  30.     5 y = yaml.load(ystr)
    31. 

  31.     6 yaml.dump(y)
    32. 

  32. 

  33. .. seealso::
    34. 

  34. 

  35.  - https://pyyaml.org/wiki/PyYAMLDocumentation#LoadingYAML
    36. 

  36.  - https://cwe.mitre.org/data/definitions/20.html
    37. 

  37. 

  38. .. versionadded:: 1.0.0
    39. 

  39. 

  40. .. versionchanged:: 1.7.3
    41. 

  41.     CWE information added
    42. 

  42. 

  43. """
    44. 

  44. import bandit
    45. 

  45. from bandit.core import issue
    46. 

  46. from bandit.core import test_properties as test
    47. 

  47. 

  48. 

  49. @test.test_id("B506")
    50. 

  50. @test.checks("Call")
    51. 

  51. def yaml_load(context):
    52. 

  52.     imported = context.is_module_imported_exact("yaml")
    53. 

  53.     qualname = context.call_function_name_qual
    54. 

  54.     if not imported and isinstance(qualname, str):
    55. 

  55.         return
    56. 

  56. 

  57.     qualname_list = qualname.split(".")
    58. 

  58.     func = qualname_list[-1]
    59. 

  59.     if all(
    60. 

  60.         [
    61. 

  61.             "yaml" in qualname_list,
    62. 

  62.             func == "load",
    63. 

  63.             not context.check_call_arg_value("Loader", "SafeLoader"),
    64. 

  64.             not context.check_call_arg_value("Loader", "CSafeLoader"),
    65. 

  65.             not context.get_call_arg_at_position(1) == "SafeLoader",
    66. 

  66.             not context.get_call_arg_at_position(1) == "CSafeLoader",
    67. 

  67.         ]
    68. 

  68.     ):
    69. 

  69.         return bandit.Issue(
    70. 

  70.             severity=bandit.MEDIUM,
    71. 

  71.             confidence=bandit.HIGH,
    72. 

  72.             cwe=issue.Cwe.IMPROPER_INPUT_VALIDATION,
    73. 

  73.             text="Use of unsafe yaml load. Allows instantiation of"
    74. 

  74.             " arbitrary objects. Consider yaml.safe_load().",
    75. 

  75.             lineno=context.node.lineno,
    76. 

  76.         )
    77.