Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upMitigate unsafe yaml loading #76
Merged
Conversation
|
Test codes only, LGTM |
…ern_B506
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
This is to mitigate security issue
Use of unsafe yaml loadfound in https://console.muse.dev/result/ayorra/skywalking-python/01EK1BP85DHDEV2RJTTEYFNV9G?tab=resultsAccording to https://pyyaml.org/wiki/PyYAMLDocumentation
Ideally we should always use safe_load in place of load when the source of yaml can be untrusted (which IS the case because it's from the web)
But I understand that we also want to use CLoader for the sake of performance.
This is a mitigation following https://github.com/yaml/pyyaml/blob/2f463cf5b0e98a52bc20e348d1e69761bf263b86/tests/lib/test_yaml_ext.py#L37