False positive when yaml.load is used with "Loader=yaml.SafeLoader"
Bug #1508490 reported by Cyril Roelandt
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Bandit | Fix Released | Medium | Matt Valdes | |
Bug Description
Consider this piece of code:
yaml.load("dt: !!python/
Bandit will report an issue (use of unsafe yaml load). A possible fix is:
yaml.safe_load("dt: !!python/
Bandit will not complain when reading the above line. But it will emit a warning for the following line:
dt = yaml.load("dt: !!python/
Even though it is exactly as safe as using "yaml.safe_load".
Bandit should not emit a warning when "yaml.load" is used with "Loader=
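The check the report asks for, as an added illustration that is not Bandit's own code or the reporter's: a small stdlib-only AST scan that flags `yaml.load` calls unless the `Loader` argument (keyword or positional) names `SafeLoader` or `CSafeLoader`, so the `Loader=yaml.SafeLoader` form is treated like `yaml.safe_load`. The sample module it scans is constructed for the example.

```python
from __future__ import annotations
import ast
from dataclasses import dataclass

# Loader classes that only build plain YAML types (no !!python/ tags).
SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}


@dataclass
class Finding:
    lineno: int
    reason: str


def _dotted_name(node: ast.AST) -> str:
    """Return 'a.b.c' for a Name/Attribute chain, '' for any other expression."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def check_yaml_load(source: str) -> list[Finding]:
    """Flag yaml.load() calls that do not pin a safe Loader.

    yaml.safe_load() is never flagged; yaml.load(..., Loader=yaml.SafeLoader)
    is treated as equivalent to it and is not flagged either.
    """
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _dotted_name(node.func) != "yaml.load":
            continue
        # Loader may be given as the second positional argument or as Loader=...
        loader = node.args[1] if len(node.args) >= 2 else None
        loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), loader)
        if loader is None:
            findings.append(Finding(node.lineno, "yaml.load without explicit Loader"))
        elif _dotted_name(loader).rsplit(".", 1)[-1] not in SAFE_LOADERS:
            findings.append(Finding(node.lineno, f"Loader={_dotted_name(loader) or '<expr>'} is not a safe loader"))
    return findings


# Constructed sample covering the cases discussed in the report.
SAMPLE = """import yaml
a = yaml.load(data)
b = yaml.safe_load(data)
c = yaml.load(data, Loader=yaml.SafeLoader)
d = yaml.load(data, Loader=yaml.Loader)
"""

if __name__ == "__main__":
    for f in check_yaml_load(SAMPLE):
        print(f"line {f.lineno}: {f.reason}")
```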
Changed in bandit: assignee: Tim Kelsey (tim-kelsey) → Matt Valdes (matthew-valdes)
Good point