mirror of
https://github.com/thegeeklab/ansible-later.git
synced 2024-11-15 01:30:40 +00:00
72 lines
2.4 KiB
Python
72 lines
2.4 KiB
Python
# -*- coding:utf-8 -*-
|
|
#
|
|
# Copyright (c) 2016 Rackspace, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
r"""
|
|
===============================
|
|
B506: Test for use of yaml load
|
|
===============================
|
|
|
|
This plugin test checks for the unsafe usage of the ``yaml.load`` function from
|
|
the PyYAML package. The yaml.load function provides the ability to construct
|
|
an arbitrary Python object, which may be dangerous if you receive a YAML
|
|
document from an untrusted source. The function yaml.safe_load limits this
|
|
ability to simple Python objects like integers or lists.
|
|
|
|
Please see
|
|
http://pyyaml.org/wiki/PyYAMLDocumentation#LoadingYAML for more information
|
|
on ``yaml.load`` and yaml.safe_load
|
|
|
|
:Example:
|
|
|
|
>> Issue: [yaml_load] Use of unsafe yaml load. Allows instantiation of
|
|
arbitrary objects. Consider yaml.safe_load().
|
|
Severity: Medium Confidence: High
|
|
Location: examples/yaml_load.py:5
|
|
4 ystr = yaml.dump({'a' : 1, 'b' : 2, 'c' : 3})
|
|
5 y = yaml.load(ystr)
|
|
6 yaml.dump(y)
|
|
|
|
|
|
.. seealso::
|
|
|
|
- http://pyyaml.org/wiki/PyYAMLDocumentation#LoadingYAML
|
|
|
|
.. versionadded:: 1.0.0
|
|
|
|
"""
|
|
|
|
import bandit
|
|
from bandit.core import test_properties as test
|
|
|
|
|
|
@test.test_id('B506')
|
|
@test.checks('Call')
|
|
def yaml_load(context):
|
|
imported = context.is_module_imported_exact('yaml')
|
|
qualname = context.call_function_name_qual
|
|
if imported and isinstance(qualname, str):
|
|
qualname_list = qualname.split('.')
|
|
func = qualname_list[-1]
|
|
if 'yaml' in qualname_list and func == 'load':
|
|
if not context.check_call_arg_value('Loader', 'SafeLoader'):
|
|
return bandit.Issue(
|
|
severity=bandit.MEDIUM,
|
|
confidence=bandit.HIGH,
|
|
text="Use of unsafe yaml load. Allows instantiation of"
|
|
" arbitrary objects. Consider yaml.safe_load().",
|
|
lineno=context.node.lineno,
|
|
)
|