ansible-later/env_27/lib/python2.7/site-packages/bandit/plugins/yaml_load.py
Robert Kaussow 10aaa8e7e3 fix pytest
2019-04-11 15:56:20 +02:00

72 lines
2.4 KiB
Python

# -*- coding:utf-8 -*-
#
# Copyright (c) 2016 Rackspace, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
r"""
===============================
B506: Test for use of yaml load
===============================
This plugin test checks for the unsafe usage of the ``yaml.load`` function from
the PyYAML package. The yaml.load function provides the ability to construct
an arbitrary Python object, which may be dangerous if you receive a YAML
document from an untrusted source. The function yaml.safe_load limits this
ability to simple Python objects like integers or lists.
Please see
http://pyyaml.org/wiki/PyYAMLDocumentation#LoadingYAML for more information
on ``yaml.load`` and yaml.safe_load
:Example:
>> Issue: [yaml_load] Use of unsafe yaml load. Allows instantiation of
arbitrary objects. Consider yaml.safe_load().
Severity: Medium Confidence: High
Location: examples/yaml_load.py:5
4 ystr = yaml.dump({'a' : 1, 'b' : 2, 'c' : 3})
5 y = yaml.load(ystr)
6 yaml.dump(y)
.. seealso::
- http://pyyaml.org/wiki/PyYAMLDocumentation#LoadingYAML
.. versionadded:: 1.0.0
"""
import bandit
from bandit.core import test_properties as test
@test.test_id('B506')
@test.checks('Call')
def yaml_load(context):
imported = context.is_module_imported_exact('yaml')
qualname = context.call_function_name_qual
if imported and isinstance(qualname, str):
qualname_list = qualname.split('.')
func = qualname_list[-1]
if 'yaml' in qualname_list and func == 'load':
if not context.check_call_arg_value('Loader', 'SafeLoader'):
return bandit.Issue(
severity=bandit.MEDIUM,
confidence=bandit.HIGH,
text="Use of unsafe yaml load. Allows instantiation of"
" arbitrary objects. Consider yaml.safe_load().",
lineno=context.node.lineno,
)