security scan reported insecure yaml load method usage in latest cloud-init code

Bug #1849640 reported by Kumar Biplab
Status: Fix Released

Bug Description

security scan reported insecure yaml load method usage in latest cloud-init code

PyYAML's yaml.load() method is unsafe and can execute code in yaml files. We can use safe_load() as a safer option.

Here are the lines where it is used in the current code.

1. cloudinit\cmd\devel\ at line 81

2. \cloudinit\ at line 28

3. \cloudinit\ at line 950
converted = safeyaml.load(blob)


Revision history for this message
Scott Moser (smoser) wrote :

I think this can be made public.
The fix is in the tree for the net_convert use of load.

That was the only code that was using 'load' without Loader=_CustomSafeLoader.
The result of which would be limited to executing code as the user who executed
'cloud-init devel net-convert'.

Revision history for this message
Ryan Harper (raharper) wrote :

Thanks for taking the time to make cloud-init more secure. At this time we do not believe this is a security issue. Cloud-init does have a safe yaml parser and your scan did find one call-site which was not using the existing safe yaml parser, though not in the primary execution path of cloud-init. This has already been patched and merged upstream.

This bug mentions use of yaml.load() and suggests using safe_load() instead, and worries about executing code during the yaml.load() operation.

1. cloudinit/cmd/devel/ yaml.load(net_data) Line 81
The method is called by unprivileged users on a system; any code execution would run with permissions of that user. This method is not called or used during system boot.
This call to yaml.load should be replaced with a call to cloudinit.util.load_yaml() which uses cloudinit.safeyaml loader which uses yaml.SafeLoader.

2. cloudinit/,Loader=_CustomSafeLoader)
This use of yaml.load specifies a Loader that is not the default Loader. _CustomSafeLoader(), defined in the same file, is a subclass of yaml.SafeLoader, which is the loader used by yaml.safe_load().

3. cloudinit/ at line 950, converted = safeyaml.load(blob)
This code uses cloudinit's safeyaml.load() method, which uses yaml.SafeLoader.

Changed in cloud-init:
status: New → Fix Committed
information type: Private Security → Public
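The point in item 2 above, as an added example that is not cloud-init's own code: a yaml.SafeLoader subclass passed via yaml.load(blob, Loader=...) keeps only the safe constructor set, so ordinary config parses while any tag outside that set is refused, exactly as with yaml.safe_load(). The sample blobs and the extra python/unicode constructor are constructed here for illustration.

```python
import yaml


class _CustomSafeLoader(yaml.SafeLoader):
    """SafeLoader subclass: inherits only the safe constructors (no python/* tags).

    Because it subclasses yaml.SafeLoader, yaml.load(blob, Loader=_CustomSafeLoader)
    is as restrictive as yaml.safe_load(blob). The one extra constructor registered
    below is an assumed illustration of a harmless tag such a subclass might accept,
    not cloud-init's actual code.
    """

    def construct_python_unicode(self, node):
        # Treat a legacy "!!python/unicode" tagged scalar as a plain str.
        return self.construct_scalar(node)


# add_constructor copies the constructor table into this subclass, so the
# base yaml.SafeLoader is left untouched.
_CustomSafeLoader.add_constructor(
    "tag:yaml.org,2002:python/unicode",
    _CustomSafeLoader.construct_python_unicode,
)


def load_yaml(blob):
    """Parse YAML with the safe loader; unknown tags raise ConstructorError."""
    return yaml.load(blob, Loader=_CustomSafeLoader)


def load_yaml_or_error(blob):
    """Return ("ok", data) or ("rejected", message) to show what the loader refuses."""
    try:
        return ("ok", load_yaml(blob))
    except yaml.constructor.ConstructorError as exc:
        return ("rejected", exc.problem)


# Constructed sample: a netplan-style config like the input net-convert parses.
SAFE_BLOB = """\
network:
  version: 2
  ethernets:
    eth0:
      dhcp4: true
"""

# Constructed sample: a blob carrying a tag the safe loader has no constructor for.
# The same undefined-tag path is what blocks the python/object style tags.
TAGGED_BLOB = "value: !custom whatever\n"
```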
Revision history for this message
Chad Smith (chad.smith) wrote : Fixed in cloud-init version 19.2-70.

This bug is believed to be fixed in cloud-init in version 19.2-70. If this is still a problem for you, please make a comment and set the state back to New.

Thank you.

Changed in cloud-init:
status: Fix Committed → Fix Released