codeql/2021-02-10-yaml-more-loading-functions.md at z80coder/query-pack-release-candidate-2

mirror of https://github.com/github/codeql.git synced 2025-12-18 01:33:15 +01:00

Files

Rasmus Wriedt Larsen 6e2445cce6 Python: Apply suggestions from code review

Co-authored-by: yoff <lerchedahl@gmail.com>

2021-02-23 15:19:29 +01:00

lgtm,codescanning

Improved modeling of the PyYAML PyPI package (imported as yaml) now includes safe_load, unsafe_load, and full_load (as well as the ..._load_all functions). In the current version of PyYAML (5.4.1), only safe_load and safe_load_all are known to be safe from code execution exploits. Consequently, calls to the other functions are modeled as sinks of the Deserializing untrusted input (py/unsafe-deserialization) query.