rspec/rules/S5135/python/how-to-fix-it/yaml.adoc

== How to fix it in PyYAML

=== Code examples

The following code is vulnerable to deserialization attacks because it
deserializes untrusted data without validating it first.

==== Noncompliant code example

[source,python,diff-id=11,diff-type=noncompliant]
----
def unsafe():
    obj = yaml.load(request.args.get("object"), Loader=yaml.Loader)
    return str(obj["status"] == "OK")
----

==== Compliant solution

[source,python,diff-id=11,diff-type=compliant]
----
def safe():
    obj = yaml.safe_load(request.args.get("object"))
    return str(obj["status"] == "OK")
----

=== How does this work?

include::../../common/fix/introduction.adoc[]

include::../../common/fix/safer-serialization.adoc[]

The example compliant solution uses the `safe_load` method in place of the less
secure `load` one. It disables loading arbitrary Python object and thus
prevents the execution of arbitrary or dangerous functions.

Note that the same level of security can be reached with the `load` method as
soon as a safe `Loader` component is passed to it.

[source,python]
----
yaml.load(untrusted, Loader=yaml.SafeLoader)
----

include::../../common/fix/integrity-check.adoc[]
Add checks for education format (#1607) 2023-03-07 17:16:47 +01:00			`== How to fix it in PyYAML`

			`=== Code examples`
Modify rule S5135: Change text to the education framework format [Python][APPSEC-228] (#1365) 2022-11-04 09:20:52 +01:00
			`The following code is vulnerable to deserialization attacks because it`
			`deserializes untrusted data without validating it first.`

			`==== Noncompliant code example`

Diff blocks: fix incorrect use for python (#2795) Improvement identified in #2790. Add a prefix to the diff-id when it is used multiple times in different "how to fix it in XYZ" sections to avoid ambiguity and pedantically follow the spec: > A single and unique diff-id should be used only once for each type of code example as shown in the description of a rule. Obvious typos around `diff-type` were fixed. An obvious extra use of diff blocks was removed. 2023-08-21 15:22:49 +02:00			`[source,python,diff-id=11,diff-type=noncompliant]`
Modify rule S5135: Change text to the education framework format [Python][APPSEC-228] (#1365) 2022-11-04 09:20:52 +01:00			`----`
			`def unsafe():`
			`obj = yaml.load(request.args.get("object"), Loader=yaml.Loader)`
			`return str(obj["status"] == "OK")`
			`----`

			`==== Compliant solution`

Diff blocks: fix incorrect use for python (#2795) Improvement identified in #2790. Add a prefix to the diff-id when it is used multiple times in different "how to fix it in XYZ" sections to avoid ambiguity and pedantically follow the spec: > A single and unique diff-id should be used only once for each type of code example as shown in the description of a rule. Obvious typos around `diff-type` were fixed. An obvious extra use of diff blocks was removed. 2023-08-21 15:22:49 +02:00			`[source,python,diff-id=11,diff-type=compliant]`
Modify rule S5135: Change text to the education framework format [Python][APPSEC-228] (#1365) 2022-11-04 09:20:52 +01:00			`----`
			`def safe():`
			`obj = yaml.safe_load(request.args.get("object"))`
			`return str(obj["status"] == "OK")`
			`----`

			`=== How does this work?`

			`include::../../common/fix/introduction.adoc[]`

			`include::../../common/fix/safer-serialization.adoc[]`

			The example compliant solution uses the `safe_load` method in place of the less
Diff blocks: fix incorrect use for python (#2795) Improvement identified in #2790. Add a prefix to the diff-id when it is used multiple times in different "how to fix it in XYZ" sections to avoid ambiguity and pedantically follow the spec: > A single and unique diff-id should be used only once for each type of code example as shown in the description of a rule. Obvious typos around `diff-type` were fixed. An obvious extra use of diff blocks was removed. 2023-08-21 15:22:49 +02:00			secure `load` one. It disables loading arbitrary Python object and thus
Modify rule S5135: Change text to the education framework format [Python][APPSEC-228] (#1365) 2022-11-04 09:20:52 +01:00			`prevents the execution of arbitrary or dangerous functions.`

			Note that the same level of security can be reached with the `load` method as
			soon as a safe `Loader` component is passed to it.

Diff blocks: fix incorrect use for python (#2795) Improvement identified in #2790. Add a prefix to the diff-id when it is used multiple times in different "how to fix it in XYZ" sections to avoid ambiguity and pedantically follow the spec: > A single and unique diff-id should be used only once for each type of code example as shown in the description of a rule. Obvious typos around `diff-type` were fixed. An obvious extra use of diff blocks was removed. 2023-08-21 15:22:49 +02:00			`[source,python]`
Modify rule S5135: Change text to the education framework format [Python][APPSEC-228] (#1365) 2022-11-04 09:20:52 +01:00			`----`
			`yaml.load(untrusted, Loader=yaml.SafeLoader)`
			`----`

			`include::../../common/fix/integrity-check.adoc[]`