➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2021-07-28 06:37 by joker, last changed 2022-04-11 14:59 by admin. This issue is now closed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| 1_9WKsHGuOMbSsXo24PZepuw.png | joker, 2021-07-28 06:39 | |||
| Messages (4) | |||
|---|---|---|---|
| msg398347 - (view) | Author: 🖤Black Joker🖤 (joker) | Date: 2021-07-28 06:37 | |
There are a number of techniques for reading external files and loading their content into (de/serializing) Python objects. Pickle is one such powerful serialization technique that is inherently risky, especially when an attacker tampers with serialized data. Data from external sources is never secure. As a rule of thumb, never unpickle or parse data from an untrusted source into Python objects. This is because an attacker can use a subprocess module to execute arbitrary commands during pickling. Additionally, YAML files from user input can leave your application open to attacks. To avoid this, use PyYAML safe_loadfunction (yaml.safe_load) to handle YAML serialization. Here is a simple custom code that can be used to find all unsafe yaml.load functions in your codebase. |
|||
| msg398349 - (view) | Author: Steven D'Aprano (steven.daprano) *  |
Date: 2021-07-28 06:51 | |
Hi Joker. Please don't post screenshots and images of code. It is difficult or impossible for the visually impaired and blind to view with a screen reader, and as we don't use Photoshop to edit code, it makes it hard to copy and run the code. Your code is full of syntax errors. Out of three lines of code, I count that two of them will fail with a SyntaxError and the third is probably going to fail with ImportError. What if, instead of calling `yaml.load`, I use something like `from yaml import load` or `import yaml as y` instead? |
|||
| msg398350 - (view) | Author: 🖤Black Joker🖤 (joker) | Date: 2021-07-28 07:04 | |
Hi Steven D'Aprano,
well first of all thank you to posting reply on this. Could please fix this follwoing errors of the code?
import python
from CallNode call
where call = value::named("yaml.load").getACall()
where call.getrNode(), "yaml.load function is unsafe when loading data from untrusted sources. Use yaml.safe_load instead"
|
|||
| msg398353 - (view) | Author: Steven D'Aprano (steven.daprano) * |
Date: 2021-07-28 07:20 | |
This is a bug tracker, not a community help desk or forum to discuss code you would like to write but don't know how. I suggest you subscribe to the Python-List mailing list, or go to Reddit's r/learnpython, as post there to discuss this. But you might want to do the Python tutorial first, because the code you have written is not even close to valid Python. https://mail.python.org/mailman/listinfo/python-list https://www.reddit.com/r/learnpython/ https://docs.python.org/3/tutorial/index.html |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:59:48 | admin | set | github: 88920 |
| 2021-07-28 07:20:21 | steven.daprano | set | status: open -> closed resolution: wont fix -> not a bug messages: + msg398353 stage: resolved |
| 2021-07-28 07:04:52 | joker | set | resolution: wont fix messages: + msg398350 |
| 2021-07-28 06:51:30 | steven.daprano | set | nosy:
+ steven.daprano messages: + msg398349 |
| 2021-07-28 06:39:00 | joker | set | files: + 1_9WKsHGuOMbSsXo24PZepuw.png |
| 2021-07-28 06:37:24 | joker | create | |