False positive when yaml.load is used with "Loader=yaml.SafeLoader"
Bug #1508490 reported by
Cyril Roelandt
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Bandit |
Fix Released
|
Medium
|
Matt Valdes | ||
Bug Description
Consider this piece of code:
yaml.load("dt: !!python/
Bandit will report an issue (use of unsafe yaml load). A possible fix is:
yaml.safe_load("dt: !!python/
Bandit will not complain when reading the above line. But it will emit a warning for the following line:
dt = yaml.load("dt: !!python/
Even though it is exactly as safe as using "yaml.safe_load".
Bandit should not emit a warning when "yaml.load" is used with "Loader=
Revision history for this message
| Travis McPeak (travis-mcpeak) wrote | #1 |
| Changed in bandit: | |
| status: | New → Confirmed |
Revision history for this message
| Tim Kelsey (tim-kelsey) wrote | #2 |
| Changed in bandit: | |
| assignee: | nobody → Tim Kelsey (tim-kelsey) |
| importance: | Undecided → Medium |
| Changed in bandit: | |
| assignee: | Tim Kelsey (tim-kelsey) → Matt Valdes (matthew-valdes) |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix proposed to bandit (master) | #3 |
| Changed in bandit: | |
| status: | Confirmed → In Progress |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix merged to bandit (master) | #4 |
| Changed in bandit: | |
| status: | In Progress → Fix Released |
To post a comment you must log in.
Good point