# Insecure Deserialization in YAML

## Description
The application calls `yaml.load()` without a safe loader, which makes it vulnerable to deserialization attacks. Deserialization attacks abuse the step in which serialized data is read back and turned into live objects: by crafting malicious objects and serializing them, an adversary can attempt to execute code during loading or to set fields the application never intended to accept (mass assignment).
## Examples

### Insecure Code

```python
import yaml

# Calling yaml.load() without an explicit SafeLoader is unsafe: the default
# Loader honours PyYAML's python/* tags, so untrusted input can construct
# arbitrary Python objects. (PyYAML 5.1+ warns about this call and 6.0+
# requires a Loader argument; passing Loader=yaml.Loader keeps it unsafe.)
intermediary_object = yaml.load('''
user:
  name: 'test user'
''')
```

### Secure Code

```python
import yaml

# SafeLoader only builds plain YAML types (str, int, float, bool, list, dict, ...)
# and rejects every non-core tag, so no arbitrary objects can be constructed.
intermediary_object = yaml.safe_load('''
user:
  name: 'test user'
''')
# Copy only the fields the application expects, so a caller cannot mass-assign
# a privileged field such as is_admin through the YAML document.
user_object = {'user': {'name': intermediary_object['user']['name'], 'is_admin': False}}
```

## Remediation
Use `safe_load()` or call `yaml.load()` with the `Loader` argument set to `yaml.SafeLoader`.
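The following added example (not part of the original rule page) combines both remediation points: it parses untrusted input with `safe_load()`, allowlists the fields it copies out, and shows that SafeLoader refuses a document carrying a PyYAML-specific tag that the full `yaml.Loader` would happily construct. The sample documents, `load_user()` and `safe_load_rejects_tag()` are constructed for this example; the `!!python/tuple` tag is a benign tag chosen only to show the loader difference.

```python
import yaml

# Constructed sample input: the caller tries to smuggle in a privileged field.
PLAIN_DOC = """
user:
  name: 'test user'
  is_admin: true      # attacker-supplied field that must never be trusted
"""

# Constructed sample input using a PyYAML-specific tag. SafeLoader only knows
# the core YAML tags and rejects everything else, so a document that relies on
# python/* tags cannot even be parsed by it.
TAGGED_DOC = """
user:
  name: !!python/tuple ['test', 'user']
"""


def load_user(text):
    """Parse untrusted YAML with SafeLoader and copy only the expected fields.

    Field allowlisting (as in the secure example above) prevents mass
    assignment: is_admin is always False regardless of what the input says.
    """
    data = yaml.safe_load(text)  # never yaml.load() without SafeLoader
    if not isinstance(data, dict) or not isinstance(data.get("user"), dict):
        raise ValueError("expected a mapping with a 'user' key")
    name = data["user"].get("name")
    if not isinstance(name, str):
        raise ValueError("user.name must be a string")
    return {"user": {"name": name, "is_admin": False}}


def safe_load_rejects_tag(text):
    """Return True if SafeLoader refuses the document because of a non-core tag."""
    try:
        yaml.safe_load(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print(load_user(PLAIN_DOC))
    # The insecure pattern (full Loader) builds the tuple; safe_load refuses it.
    print(yaml.load(TAGGED_DOC, Loader=yaml.Loader))
    print(safe_load_rejects_tag(TAGGED_DOC))
```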
## Rule Details
| Field | Value |
|---|---|
| ID | CODE-0140 |
| Category | Deserialization |
| Severity | HIGH |
| CWE | CWE-502 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | deserialization, yaml |
| OWASP | A8:2017-Insecure Deserialization, A08:2021-Software and Data Integrity Failures |