Split yaml blacklist check into its own file

Allow SafeLoader to be passed to the Loader parameter Closes-bug: 1508490 Change-Id: I7459577e175b5f2a623316e22c63b2d42ba1db25
2016-01-14 12:02:59 -06:00 · 2016-01-14 12:02:59 -06:00 · b09c0e38c6
commit b09c0e38c6
parent 398eddfaa7
4 changed files with 71 additions and 7 deletions
--- a/bandit/plugins/blacklist_calls.py
+++ b/bandit/plugins/blacklist_calls.py
@ -175,12 +175,6 @@ def gen_config(name):
            'https://wiki.openstack.org/wiki/OSSN/OSSN-0033'
            ))

-        sets.append(_build_conf_dict(
-            'yaml_load', ['yaml.load'],
-            'Use of unsafe yaml load. Allows instantiation of arbitrary '
-            'objects. Consider yaml.safe_load().'
-            ))
-
        sets.append(_build_conf_dict(
            'urllib_urlopen',
            ['urllib.urlopen',
--- a/bandit/plugins/yaml_load.py
+++ b/bandit/plugins/yaml_load.py
@ -0,0 +1,67 @@
+# -*- coding:utf-8 -*-
+#
+# Copyright (c) 2016 Rackspace, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+r"""
+===============================
+B506: Test for use of yaml load
+===============================
+
+This plugin test checks for the unsafe usage of the ``yaml.load`` function from
+the PyYAML package. The yaml.load function provides the ability to construct
+an arbitrary Python object, which may be dangerous if you receive a YAML
+document from an untrusted source. The function yaml.safe_load limits this
+ability to simple Python objects like integers or lists.
+
+Please see
+http://pyyaml.org/wiki/PyYAMLDocumentation#LoadingYAML for more information
+on ``yaml.load`` and yaml.safe_load
+
+:Example:
+
+    >> Issue: [yaml_load] Use of unsafe yaml load. Allows instantiation of
+       arbitrary objects. Consider yaml.safe_load().
+       Severity: Medium   Confidence: High
+       Location: examples/yaml_load.py:5
+    4 ystr = yaml.dump({'a' : 1, 'b' : 2, 'c' : 3})
+    5 y = yaml.load(ystr)
+    6 yaml.dump(y)
+
+
+.. seealso::
+
+ - http://pyyaml.org/wiki/PyYAMLDocumentation#LoadingYAML
+
+.. versionadded:: 1.0.0
+
+"""
+
+import bandit
+from bandit.core import test_properties as test
+
+
+@test.test_id('B506')
+@test.checks('Call')
+def yaml_load(context):
+    if context.is_module_imported_like('yaml'):
+        if context.call_function_name_qual.endswith('.load'):
+            if not context.check_call_arg_value('Loader', 'SafeLoader'):
+                return bandit.Issue(
+                    severity=bandit.MEDIUM,
+                    confidence=bandit.HIGH,
+                    text="Use of unsafe yaml load. Allows instantiation of"
+                         " arbitrary objects. Consider yaml.safe_load().",
+                    lineno=context.node.lineno,
+                )
--- a/examples/yaml_load.py
+++ b/examples/yaml_load.py
@ -4,4 +4,4 @@ def test_yaml_load():
    ystr = yaml.dump({'a' : 1, 'b' : 2, 'c' : 3})
    y = yaml.load(ystr)
    yaml.dump(y)
-
+    y = yaml.load(ystr, Loader=yaml.SafeLoader)
--- a/setup.cfg
+++ b/setup.cfg
@ -107,6 +107,9 @@ bandit.plugins =
    # bandit/plugins/weak_cryptographic_key.py
    weak_cryptographic_key = bandit.plugins.weak_cryptographic_key:weak_cryptographic_key

+    # bandit/plugins/yaml_load.py
+    yaml_load = bandit.plugins.yaml_load:yaml_load
+
 [files]
 data_files =
    bandit =