yaml.load
function detected BAN-B50662
63 def parse_subs_config(self, config) -> list:
64 try:
65 clash_cfg = yaml.load(config, Loader=yaml.FullLoader)66 except Exception:
67 logger.exception("Not Clash config.")
68 return []
72 def parse_gui_config(self, filename: str) -> list:
73 with open(filename, "r+", encoding="utf-8") as f:
74 try:
75 clash_cfg = yaml.load(f, Loader=yaml.FullLoader)76 except Exception:
77 logger.exception("Not Clash config.")
78 return []
75 def parse_gui_config(self, filename: str) -> list:
76 with open(filename, "r+", encoding="utf-8") as f:
77 try:
78 clash_cfg = yaml.load(f, Loader=yaml.FullLoader)79 except Exception:
80 logger.exception("Not Clash config.")
81 return []
63
64 def parse_subs_config(self, config) -> list:
65 try:
66 clash_cfg = yaml.load(config, Loader=yaml.FullLoader)67 except Exception:
68 logger.exception("Not Clash Subscription.")
69 return []
215 return _config
216
217 def parse_config(self, clash_cfg):
218 clash_cfg = yaml.load(clash_cfg, Loader=yaml.FullLoader)219 for cfg in clash_cfg["proxies"]:
220 _type = cfg.get("type", "N/A").lower()
221 if _type in "ss":
It is not safe to call yaml.load with any data received from an untrusted source.
The yaml.load function can construct arbitrary Python objects (via `!!python/...` tags), which is dangerous when the YAML document comes from an untrusted source.
Deserialization of untrusted data exposes the application to arbitrary code execution (the document can instantiate and call arbitrary Python objects) and to denial of service (deeply nested or alias-heavy documents).
It is recommended to use yaml.safe_load (or yaml.load with Loader=yaml.SafeLoader). The function yaml.safe_load limits construction to simple Python objects such as strings, integers, lists and dicts. Note that Loader=yaml.FullLoader, as used in the findings above, is not a safe substitute: FullLoader still resolves some `!!python/` tags and has had code-execution bugs in PyYAML releases before 5.4, so it must not be used on a subscription document fetched from a remote URL or on a user-supplied config file. safe_load also neither validates the document's shape nor bounds its size, so the parsed result still needs schema checks (e.g. that `proxies` is a list of dicts) and the raw input a size limit.
from flask import request
import yaml
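@app.route('/yaml')
def load():
    """Parse a YAML document taken straight from the query string.

    This is the INSECURE pattern the rule flags: ``yaml.load`` without a
    safe loader lets the document construct arbitrary Python objects via
    ``!!python/...`` tags, so whoever controls ``data`` can run code in
    the server process.  (On PyYAML >= 6 the call below also fails
    outright because ``Loader`` became mandatory; the equivalent unsafe
    call is ``yaml.load(data, Loader=yaml.Loader)``.)  The fix is
    ``yaml.safe_load``.
    """
    # Flask exposes query-string parameters as request.args;
    # request.GET is Django's API and raises AttributeError here.
    data = request.args.get("data")
    conf = yaml.load(data) # Insecure. Avoid using yaml.load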
from flask import request
import yaml
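@app.route('/yaml')
def load():
    """Parse the YAML document supplied in the ``data`` query parameter.

    ``yaml.safe_load`` only builds plain Python values (dicts, lists,
    strings, numbers, ...), so a hostile document cannot trigger
    arbitrary object construction the way ``yaml.load`` with the default
    or Full loader can.  It does NOT validate the document's structure
    or bound its size: whatever ``conf`` is expected to contain must
    still be checked before use, and the request body/parameter should
    be size-limited.  A real Flask view must also return a response;
    that is omitted here to keep the example focused on the parser call.
    """
    # Flask exposes query-string parameters as request.args
    # (request.GET is Django's API).  Default to an empty document so a
    # missing parameter yields None instead of safe_load(None) blowing up.
    data = request.args.get("data", "")
    conf = yaml.safe_load(data) # Secure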