Original Post: Fully loaded: testing vulnerable PyYAML versions
The post summarizes the safety of the PyYAML API across its released versions:
- The yaml.Loader class is unsafe in all released versions of PyYAML.
- yaml.load(...), yaml.full_load(...) and their _all variants have become safe from known exploits after version 5.4.
- yaml.safe_load(...) is safe in all versions.
The article discusses a GitHub user's pull request to update a Semgrep rule for detecting unsafe yaml.full_load(...) usage, and the subsequent analysis of how PyYAML's API has evolved.
Key points:
- yaml.load(...) has long been known to pose deserialization vulnerabilities.
- PyYAML patched certain vulnerabilities in versions 5.1 and 5.4.
- Testing methodologies and payloads were used to ascertain the safety of the different APIs across versions.
- Recommendations include using safe_load for better security, or updating to safer versions if using older PyYAML packages.
- The Semgrep rule update now alerts only on APIs that remain vulnerable after version 5.4, improving the precision of the check.
Additionally, the author encourages a hands-on approach to validate software safety and invites readers to join a community Slack for further engagement.