Skip to content

Replace yaml.load with yaml.safe_load for Enhanced Security #150

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 31, 2025
Merged

Replace yaml.load with yaml.safe_load for Enhanced Security #150

merged 1 commit into from
May 31, 2025

Conversation

aplastunov
Copy link
Contributor

This pull request addresses a security vulnerability in our codebase by replacing the potentially unsafe yaml.load function with the safer yaml.safe_load. The yaml.load function, when used with untrusted input, can execute arbitrary code, leading to potential security risks. By switching to yaml.safe_load, we ensure that only a subset of the YAML language is parsed, effectively mitigating these risks.

Changes Made:

Replaced all instances of yaml.load with yaml.safe_load in the script. Updated the relevant test cases to align with the safe_load usage. Benefits:

Improves security by preventing arbitrary code execution. Maintains functionality while reducing risk from untrusted YAML inputs.

@aplastunov
Replace yaml.load with yaml.safe_load for Enhanced Security
dc7aa6c 
This pull request addresses a security vulnerability in our codebase by replacing the potentially unsafe yaml.load function with the safer yaml.safe_load. The yaml.load function, when used with untrusted input, can execute arbitrary code, leading to potential security risks. By switching to yaml.safe_load, we ensure that only a subset of the YAML language is parsed, effectively mitigating these risks.

Changes Made:

Replaced all instances of yaml.load with yaml.safe_load in the script.
Updated the relevant test cases to align with the safe_load usage.
Benefits:

Improves security by preventing arbitrary code execution.
Maintains functionality while reducing risk from untrusted YAML inputs.
@dfana01
Copy link
Contributor

dfana01 commented May 30, 2025

This pull request addresses a security vulnerability in our codebase by replacing the potentially unsafe yaml.load function with the safer yaml.safe_load. The yaml.load function, when used with untrusted input, can execute arbitrary code, leading to potential security risks. By switching to yaml.safe_load, we ensure that only a subset of the YAML language is parsed, effectively mitigating these risks.

Changes Made:

Replaced all instances of yaml.load with yaml.safe_load in the script. Updated the relevant test cases to align with the safe_load usage. Benefits:

Improves security by preventing arbitrary code execution. Maintains functionality while reducing risk from untrusted YAML inputs.

Execute the pipeline locally to unblock the PR; I will check the issue with the open-source team.

adding 'pinterest_api_sdk-5302025191108.dist-info/WHEEL'
adding 'pinterest_api_sdk-5302025191108.dist-info/top_level.txt'
adding 'pinterest_api_sdk-5302025191108.dist-info/RECORD'
removing build/bdist.macosx-15.0-arm64/wheel
Successfully built pinterest_api_sdk-5302025191107.tar.gz and pinterest_api_sdk-5302025191108-py3-none-any.whl
ls -l dist
total 192
-rw-r--r--@ 1 dfana  staff  41356 May 30 19:11 pinterest_api_sdk-5302025191107.tar.gz
-rw-r--r--@ 1 dfana  staff  53066 May 30 19:11 pinterest_api_sdk-5302025191108-py3-none-any.whl
twine upload -r testpypi dist/*
Uploading distributions to https://test.pypi.org/legacy/
Enter your API token: 
Uploading pinterest_api_sdk-5302025191108-py3-none-any.whl
100% ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 66.3/66.3 kB • 00:00 • 173.3 MB/s
Uploading pinterest_api_sdk-5302025191107.tar.gz
100% ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 54.6/54.6 kB • 00:00 • 147.5 MB/s

View at:
https://test.pypi.org/project/pinterest-api-sdk/5302025191107/
https://test.pypi.org/project/pinterest-api-sdk/5302025191108/

@dfana01
Copy link
Contributor

dfana01 commented May 31, 2025
edited
Loading

This pull request addresses a security vulnerability in our codebase by replacing the potentially unsafe yaml.load function with the safer yaml.safe_load. The yaml.load function, when used with untrusted input, can execute arbitrary code, leading to potential security risks. By switching to yaml.safe_load, we ensure that only a subset of the YAML language is parsed, effectively mitigating these risks.

Changes Made:

Replaced all instances of yaml.load with yaml.safe_load in the script. Updated the relevant test cases to align with the safe_load usage. Benefits:

Improves security by preventing arbitrary code execution. Maintains functionality while reducing risk from untrusted YAML inputs.

image

@dfana01 dfana01 merged commit 8ff5777 into pinterest:main May 31, 2025
4 of 6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@devinlundberg devinlundberg devinlundberg approved these changes

@dfana01 dfana01 dfana01 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@aplastunov @dfana01 @devinlundberg