security scan reported insecure yaml load method usage in latest cloud-init code

Bug #1849640 reported by Kumar Biplab on 2019-10-24
Affects: cloud-init
Importance: Undecided
Assigned to: Unassigned

Bug Description

security scan reported insecure yaml load method usage in latest cloud-init code

PyYAML's yaml.load() method is unsafe and can execute code in YAML files. We can use safe_load() as a safer option.

Here are the lines where it is used in the current code.

1. cloudinit\cmd\devel\net_convert.py at line 81
yaml.load(net_data)

2. \cloudinit\safeyaml.py at line 28
yaml.load(blob,Loader=_CustomSafeLoader)

3. \cloudinit\util.py at line 950
converted = safeyaml.load(blob)


Scott Moser (smoser) wrote :

I think this can be made public.
The fix is in the tree for the net_convert use of load.

That was the only code that was using 'load' without Loader=_CustomSafeLoader.
The result of which would be limited to executing code as the user who executed
'cloud-init devel net-convert'.

Ryan Harper (raharper) wrote :

Thanks for taking the time to make cloud-init more secure. At this time we do not believe this is a security issue. Cloud-init does have a safe YAML parser and your scan did find one call-site which was not using the existing safe YAML parser, though not in the primary execution path of cloud-init. This has already been patched and merged upstream.

--
This bug mentions use of yaml.load(), suggests using safe_load() instead, and worries about executing code during the yaml.load() operation.

1. cloudinit/cmd/devel/net_convert.py: yaml.load(net_data) Line 81
The method is called by unprivileged users on a system; any code execution would run with permissions of that user. This method is not called or used during system boot.
This call to yaml.load should be replaced with a call to cloudinit.util.load_yaml() which uses cloudinit.safeyaml loader which uses yaml.SafeLoader.

2. cloudinit/safeyaml.py: yaml.load(blob, Loader=_CustomSafeLoader)
This use of yaml.load specifies a Loader that is not the default Loader. _CustomSafeLoader(), defined in the same file, is a subclass of yaml.SafeLoader, which is the loader used by yaml.safe_load().

3. cloudinit/util.py at line 950, converted = safeyaml.load(blob)
This code uses cloudinit's safeyaml.load() method, which uses yaml.SafeLoader.

Changed in cloud-init:
status: New → Fix Committed
information type: Private Security → Public
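The triage above turns on one question per call site: does the call pass a Loader, and if so, is it one that cannot construct arbitrary Python objects? The checker below, added here as an illustration and not part of cloud-init or the scanner the reporter used, makes that check explicit with only the standard library's `ast` module. It walks a module's syntax tree, finds `yaml.load` / `yaml.load_all` calls, and classifies each one: no Loader at all (old PyYAML silently used the unsafe full Loader; PyYAML 6 rejects the call), a known-unsafe Loader, a known-safe Loader, or a project-defined Loader such as `_CustomSafeLoader` that a reviewer must inspect by hand. The sample module is constructed to mirror the three call sites in this report; note that `safeyaml.load(blob)` is not a `yaml.*` call and is therefore not reported, which is exactly why call site 3 needs a human to follow the wrapper to `yaml.SafeLoader`.

```python
"""Static check for PyYAML load calls that lack a safe Loader (standard library only)."""
import ast
from typing import List, Optional, Tuple

# PyYAML loaders that refuse to construct arbitrary Python objects.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}
# PyYAML loaders that will construct arbitrary Python objects from tags.
UNSAFE_LOADERS = {"Loader", "UnsafeLoader", "CLoader", "CUnsafeLoader"}


def _is_yaml_call(node: ast.Call, names) -> bool:
    """True for calls of the form yaml.<name>(...) where <name> is in `names`."""
    func = node.func
    return (isinstance(func, ast.Attribute)
            and isinstance(func.value, ast.Name)
            and func.value.id == "yaml"
            and func.attr in names)


def _loader_name(node: ast.Call) -> Optional[str]:
    """Return the Loader argument as a bare name, None if absent."""
    expr = None
    for kw in node.keywords:            # Loader=... keyword form
        if kw.arg == "Loader":
            expr = kw.value
    if expr is None and len(node.args) >= 2:
        expr = node.args[1]             # positional form: yaml.load(blob, Loader)
    if expr is None:
        return None
    if isinstance(expr, ast.Name):      # Loader=_CustomSafeLoader
        return expr.id
    if isinstance(expr, ast.Attribute): # Loader=yaml.SafeLoader
        return expr.attr
    return "<expression>"               # anything else: needs a human look


def classify(node: ast.Call) -> str:
    """Verdict for one call node; empty string when it is not a YAML load call."""
    if _is_yaml_call(node, {"safe_load", "safe_load_all"}):
        return "safe"
    if not _is_yaml_call(node, {"load", "load_all"}):
        return ""
    loader = _loader_name(node)
    if loader is None:
        return "unsafe-default"
    if loader in UNSAFE_LOADERS:
        return "unsafe-loader"
    if loader in SAFE_LOADERS:
        return "safe"
    return "review"                     # project-defined loader: check its base class


def scan_source(src: str) -> List[Tuple[int, str]]:
    """Return (line, verdict) for every yaml load call in `src`, in source order."""
    tree = ast.parse(src)
    findings = [(n.lineno, classify(n))
                for n in ast.walk(tree)
                if isinstance(n, ast.Call) and classify(n)]
    return sorted(findings)


# Constructed sample module modelled on the three call sites in the report.
SAMPLE = '''
import yaml
from cloudinit import safeyaml

def net_convert(net_data):
    return yaml.load(net_data)                       # like call site 1

def custom(blob):
    return yaml.load(blob, Loader=_CustomSafeLoader)  # like call site 2

def util(blob):
    return safeyaml.load(blob)                       # like call site 3: wrapper, not yaml.*

def fine(blob):
    return yaml.load(blob, Loader=yaml.SafeLoader)

def also_fine(blob):
    return yaml.safe_load(blob)

def bad(blob):
    return yaml.load(blob, yaml.Loader)
'''

if __name__ == "__main__":
    for line, verdict in scan_source(SAMPLE):
        print(f"line {line}: {verdict}")
```

Running the block prints one verdict per call: line 6 is `unsafe-default`, line 9 is `review`, lines 15 and 18 are `safe`, and line 21 is `unsafe-loader`. A `review` hit is resolved the way Ryan Harper did above, by confirming that the named loader subclasses `yaml.SafeLoader`; a `review` on a loader whose base class is `yaml.Loader` would be a real finding.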