
Fix parsing yaml spec files containing + as value #112

Merged: 1 commit, Jun 17, 2024

Conversation

skwashd (Contributor) commented Jun 17, 2024

See yaml/pyyaml#89 for more info

nullify-proactiveops (bot) commented Jun 17, 2024

Nullify Code Vulnerabilities

1 finding found in this pull request

🔴 CRITICAL: 0, 🟡 HIGH: 1, 🔵 MEDIUM: 0, ⚪ LOW: 0

You can find a list of all findings here

skwashd changed the title from "fix yaml parser" to "Fix parsing yaml spec files containing + as value" on Jun 17, 2024
try:
return yaml.safe_load(content)
return yaml.load(
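Review bot: the `yaml.load(` call on the last line is reached whenever `yaml.safe_load(content)` raises, so the breadth of the `except` clause (not shown here) decides how much control a hostile spec file has over which loader parses it; the Loader argument is also cut off, and unless it is `yaml.SafeLoader` or `yaml.BaseLoader` the fallback reintroduces exactly the arbitrary object construction that `safe_load` exists to prevent. Suggest narrowing the `except` to the specific error raised for a `+` value (per yaml/pyyaml#89) and stating which Loader the fallback uses; the bot's suggested replacement of `yaml.load(` with `yaml.safe_load(content)` would just repeat the call that has already failed.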


Nullify Code | Language: Python | 🟡 HIGH Severity | CWE-20

Yaml load

Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().
Read more:
https://cwe.mitre.org/data/definitions/20.html

Here's how you might fix this potential vulnerability

The vulnerability is due to the use of yaml.load, which can execute arbitrary code if the YAML content is malicious. The fix replaces yaml.load with yaml.safe_load, which safely parses the YAML without executing arbitrary code. This change ensures that the application only parses data structures from the YAML and does not execute any embedded code, mitigating the risk of arbitrary code execution.

Please note that AI auto-fixes are currently experimental

Suggested change
return yaml.load(
return yaml.safe_load(content)

Powered by nullify.ai

Reply with /nullify to interact with me like another developer
(you will need to refresh the page for updates)
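The pattern the finding describes (try `safe_load`, fall back to `yaml.load`) can be kept without widening to an unsafe loader. The following is an added example, not code from this PR or from the project: it falls back to pyyaml's `BaseLoader`, which constructs nothing but strings, lists and dicts, and re-raises when `SafeLoader` refuses a tag. The sample documents, the function names and the assumption that the `+` bug surfaces as a `YAMLError` or `ValueError` are mine.

```python
import yaml
from yaml.constructor import ConstructorError

# Constructed sample spec (not a project file): the second value is a bare "+",
# the plain scalar the PR title says broke the original parser.
SAMPLE_SPEC = "name: demo\nmode: +\n"

# Constructed document carrying a python-specific tag, the kind of input a
# non-safe Loader would turn into an arbitrary Python object.
TAGGED_DOC = "!!python/name:builtins.int\n"


def load_spec(content: str):
    """Parse a spec without ever widening past pyyaml's safe loaders.

    Hardened counterpart (hypothetical, not the project's code) to the
    'try safe_load / fall back to yaml.load' shape in the PR. The fallback
    is BaseLoader: it has no implicit resolvers and no object constructors,
    so every scalar stays a str and no class is ever instantiated.
    """
    try:
        return yaml.load(content, Loader=yaml.SafeLoader)
    except ConstructorError:
        # SafeLoader refused to construct a tag. The fix for that is never
        # a less restrictive loader, so surface it to the caller.
        raise
    except (yaml.YAMLError, ValueError):
        # Assumption: the pyyaml "+" problem surfaces as one of these.
        # Resolver-derived types are lost on this path (ints become str),
        # so callers needing typed values must validate the result.
        return yaml.load(content, Loader=yaml.BaseLoader)


def rejects_python_tag(content: str) -> bool:
    """True when load_spec refuses the document instead of constructing it."""
    try:
        load_spec(content)
    except ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print(load_spec(SAMPLE_SPEC))          # {'name': 'demo', 'mode': '+'}
    print(rejects_python_tag(TAGGED_DOC))  # True
```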

@skwashd skwashd merged commit 6ee98fa into main Jun 17, 2024
5 checks passed
@skwashd skwashd deleted the fix-yaml-parser branch June 17, 2024 16:01