Fix unsafe yaml load on dynparam #202

Open: wants to merge 3 commits into base: noetic-devel

florcabral

The dynparam script processes unsanitized parameter input using a known unsafe function of the PyYAML library, yaml.load.
As explained in the library's documentation: "It is not safe to call yaml.load with any data received from an untrusted source! yaml.load is as powerful as pickle.load and so may call any Python function." This category of issue is also recognized as CWE-502: Deserialization of Untrusted Data.

This PR switches to using the yaml.safe_load alternative in the do_set() and do_load() functions. It includes a new test for the dynparam script, which also serves as a proof-of-concept for the issue.

The test in test/test_dynparam.py attempts to load a .yaml file with an insecure input that calls the os.system module. You can verify that the same input will be executed successfully with the current code, in this case returning the contents of the local /etc/passwd file. The yaml.safe_load function correctly blocks the insecure input.

Signed-off by Florencia Cabral [email protected]
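
An added illustration, not part of this PR or the project's code: a stdlib-only scan that reports `yaml.load` calls made without a safe loader, the pattern this PR replaces in do_set() and do_load(). The sample source is constructed (only the names do_set and do_load come from the PR text; `fixed_a` and `fixed_b` are hypothetical), and flagging every loader outside the allow-list is a conservative assumption.

```python
import ast

# Loaders that build only plain YAML types; anything else is flagged (conservative policy).
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
# Constructed sample source: function names echo the PR text, bodies are invented.
SAMPLE = '''
import yaml
def do_set(value):
    return yaml.load(value)
def do_load(stream):
    return yaml.load(stream, Loader=yaml.FullLoader)
def fixed_a(text):
    return yaml.safe_load(text)
def fixed_b(text):
    return yaml.load(text, Loader=yaml.SafeLoader)
'''

def _loader_name(call):
    """Loader name passed to yaml.load; None if omitted, '<dynamic>' if not a plain name."""
    node = call.args[1] if len(call.args) >= 2 else None
    for kw in call.keywords:
        if kw.arg == "Loader":
            node = kw.value
    if node is None:
        return None
    # ast.Attribute (yaml.SafeLoader) carries .attr, ast.Name (SafeLoader) carries .id
    return getattr(node, "attr", getattr(node, "id", "<dynamic>"))

class _Finder(ast.NodeVisitor):
    def __init__(self):
        self.scope, self.findings = ["<module>"], []
    def visit_FunctionDef(self, node):
        self.scope.append(node.name)  # remember the enclosing function for the report
        self.generic_visit(node)
        self.scope.pop()
    def visit_Call(self, node):
        f = node.func
        # Matches only the literal spelling yaml.load(...); aliased imports are not followed.
        if (isinstance(f, ast.Attribute) and f.attr == "load"
                and isinstance(f.value, ast.Name) and f.value.id == "yaml"):
            loader = _loader_name(node)
            if loader not in SAFE_LOADERS:
                self.findings.append((self.scope[-1], node.lineno, loader))
        self.generic_visit(node)

def find_unsafe_yaml_loads(source):
    """Return (function, line, loader) for each yaml.load call without a safe loader."""
    finder = _Finder()
    finder.visit(ast.parse(source))
    return finder.findings
```

Calling `find_unsafe_yaml_loads(SAMPLE)` reports the calls in do_set and do_load and leaves the two hypothetical fixed functions alone.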
