Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

temp #32

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

temp #32

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
dcdbf3b
temp
vivekkhimani May 17, 2023
92d257f
test
vivekkhimani May 21, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
import yaml


yaml.load(Loader=yaml.Loader)

yaml.unsafe_load("something")
14 changes: 14 additions & 0 deletions torchfl-org-private-rule.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
rules:
- id: pytorch-consistent-lr-scheduler-step
languages:
- python
message: >
yada test change Call learning rate scheduler.step() consistently either before or after
the optimizer.step() to ensure proper learning rate updates. Idk does it
generate a new rule version? maybe something else?
pattern: |
$OPTIMIZER.step()
...
$SCHEDULER.step()
severity: WARNING

54 changes: 54 additions & 0 deletions torchfl-org-yaml-rule-test-1.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
rules:
- id: avoid-pyyaml-load-1
metadata:
owasp:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
cwe:
- "CWE-502: Deserialization of Untrusted Data"
references:
- https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
- https://nvd.nist.gov/vuln/detail/CVE-2017-18342
category: security
technology:
- pyyaml
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
rule-origin-note: published from torchfl-org-yaml-rule-test.yaml in
[email protected]:torchfl-org/torchfl.git
languages:
- python
message: yadDetected a possible YAML deserialization vulnerability.
`yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader`
are all known to be unsafe methods of deserializing YAML. An attacker with
control over the YAML input could create special YAML input that allows
the attacker to run arbitrary Python code. This would allow the attacker
to steal files, download and install malware, or otherwise take over the
machine.ahh.blah Use `yaml.safe_load` or `yaml.SafeLoader` instead. blah blah.blah
fix-regex:
regex: unsafe_load
replacement: safe_load
count: 1
severity: ERROR
patterns:
- pattern-inside: |
import yaml
...
- pattern-not-inside: |
$YAML = ruamel.yaml.YAML(...)
...
- pattern-either:
- pattern: yaml.unsafe_load(...)
- pattern: yaml.load(..., Loader=yaml.Loader, ...)
- pattern: yaml.load(..., Loader=yaml.UnsafeLoader, ...)
- pattern: yaml.load(..., Loader=yaml.CLoader, ...)
- pattern: yaml.load_all(..., Loader=yaml.Loader, ...)
- pattern: yaml.load_all(..., Loader=yaml.UnsafeLoader, ...)
- pattern: yaml.load_all(..., Loader=yaml.CLoader, ...)

52 changes: 52 additions & 0 deletions torchfl-org-yaml-rule-test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
rules:
- id: avoid-pyyaml-load
metadata:
owasp:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
cwe:
- "CWE-502: Deserialization of Untrusted Data"
references:
- https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
- https://nvd.nist.gov/vuln/detail/CVE-2017-18342
category: security
technology:
- pyyaml
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
rule-origin-note: published from torchfl-org-yaml-rule-test.yaml in
[email protected]:torchfl-org/torchfl.git
languages:
- python
message: fukkkdsafsadfadsadddblahDetected a possible YAML deserialization vulnerability.
`yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader`
are all known to be unsafe methods of deserializing YAML. An attacker with
control over the YAML input could create special YAML input that allows
the attacker to run arbitrary Python code. This would allow the attacker
to steal files, download and install malware, or otherwise take over the
machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead. blah blah.blah
fix-regex:
regex: unsafe_load
replacement: safe_load
count: 1
severity: ERROR
patterns:
- pattern-inside: |
import yaml
...
- pattern-not-inside: |
$YAML = ruamel.yaml.YAML(...)
...
- pattern-either:
- pattern: yaml.load(..., Loader=yaml.Loader, ...)
- pattern: yaml.load(..., Loader=yaml.UnsafeLoader, ...)
- pattern: yaml.load(..., Loader=yaml.CLoader, ...)
- pattern: yaml.load_all(..., Loader=yaml.Loader, ...)
- pattern: yaml.load_all(..., Loader=yaml.UnsafeLoader, ...)
- pattern: yaml.load_all(..., Loader=yaml.CLoader, ...)