Please use yaml.safe_load

Bug #1015818 reported by Tv
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cloud-init
Fix Released
Medium
Scott Moser

Bug Description

yaml.load allows arbitrary code execution, just like Python pickle. Please use yaml.safe_load for all input.

http://docs.python.org/library/pickle

Related branches

Revision history for this message
Scott Moser (smoser) wrote :

I generally agree that its a good idea to use the safe_load as we're not expecting to execute code.

However, anything input in user-data or other config has the opportunity by design to cause code execution. Ie, you can add part-handlers, boothooks or runcmd.

is there some where specific where cloud-init is doing a yaml.load on untrusted input?

Changed in cloud-init:
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Scott Moser (smoser)
Revision history for this message
Tv (tv42) wrote :

I don't see anything exploitable there (or I'd have filed a security), it just makes me uncomfortable and doubt other aspects of the design. Let's call it a code smell. I see a lot of promise in cloud-init, but at the same time it's.. quite messy and sprawling.

Revision history for this message
Scott Moser (smoser) wrote : Re: [Bug 1015818] Re: Please use yaml.safe_load

On Thu, 21 Jun 2012, Tv wrote:

> I don't see anything exploitable there (or I'd have filed a security),
> it just makes me uncomfortable and doubt other aspects of the design.
> Let's call it a code smell. I see a lot of promise in cloud-init, but at
> the same time it's.. quite messy and sprawling.

thanks for being honest. :).
I'll commit the safe_load change.

Josh Harlow has been working on cleaning some of the messy/sprawling up.
https://code.launchpad.net/~cloud-init/cloud-init/rework

Any/all input on the changes there are welcome. Ping me in IRC, or join
cloud-init team in launchpad.

Thanks for the input.

Revision history for this message
Scott Moser (smoser) wrote :

fixed in revno 562.

Changed in cloud-init:
status: Triaged → Fix Committed
Revision history for this message
Joshua Harlow (harlowja) wrote :

Please ask me any questions as well. I have tried to clean it up, organize it into stages, add some goodness and all that.

I added a description @ https://code.launchpad.net/~cloud-init/cloud-init/rework of some of the work done there.

Feel free to check it out. I'll fix this one line in the rework to use the safe load as well.

Scott Moser (smoser)
Changed in cloud-init:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers