Closed Bug 1469999 Opened Last year Closed Last year

Don't use yaml.load()

Categories

(Firefox Build System :: Task Configuration, task)


Tracking

(firefox-esr60 fixed, firefox63 fixed)

RESOLVED FIXED
mozilla63

People

(Reporter: gps, Assigned: gps)

Attachments

(5 files)

yaml.load() can lead to eval() of arbitrary code. We should be using yaml.safe_load()... for safety.

yaml.load() can evaluate arbitrary Python code via syntax such as
`!!python/object/apply:os.system`. Seriously.

Let's switch taskgraph to yaml.safe_load(), which is reasonable
about limiting magic.

yaml.load() is unsafe and can lead to arbitrary code execution via
syntax like `!!python/object/apply:os.system`. yaml.safe_load() is
more reasonable.

yaml.load() isn't safe and can lead to arbitrary code execution for
untrusted input. While probably not an issue here, I'm trying to
rid the tree of all yaml.load() instances so we can add a lint to
ban its usage.

yaml.load() can lead to arbitrary code execution because it isn't
secure by default and allows special YAML syntax.

While it shouldn't be a problem here, I'm trying to get rid of all
yaml.load() calls so we can add a lint to ban the practice.
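Added example, not code from this bug or from mozilla-central: an AST-based check of the kind the commit messages above say they want to land as a lint, flagging yaml.load()/yaml.load_all() (and the unsafe_load variants) unless an explicit SafeLoader-class Loader is passed, which PyYAML treats the same as safe_load(). The function names, the accepted-loader list and the sample source are my own assumptions.

```python
import ast

# Loader classes accepted as safe when passed explicitly (assumption: this list).
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader"}
# Entry points that honour python/* tags unless a safe Loader is supplied.
BANNED = {"load", "load_all", "unsafe_load", "unsafe_load_all"}


def _loader_name(node):
    return node.attr if isinstance(node, ast.Attribute) else getattr(node, "id", None)


def _loader_is_safe(call):
    # Loader given as keyword: yaml.load(s, Loader=yaml.SafeLoader)
    for kw in call.keywords:
        if kw.arg == "Loader":
            return _loader_name(kw.value) in SAFE_LOADERS
    if len(call.args) >= 2:  # positional form: yaml.load(s, yaml.SafeLoader)
        return _loader_name(call.args[1]) in SAFE_LOADERS
    return False  # no Loader at all: PyYAML's historical default is the unsafe one


def find_unsafe_yaml_loads(source):
    tree = ast.parse(source)
    module_aliases, bare_funcs = set(), {}  # `import yaml as y` / `from yaml import load`
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            module_aliases.update(a.asname or "yaml" for a in node.names if a.name == "yaml")
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            bare_funcs.update({a.asname or a.name: a.name for a in node.names if a.name in BANNED})
    findings = []
    for node in ast.walk(tree):
        f = node.func if isinstance(node, ast.Call) else None
        if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id in module_aliases and f.attr in BANNED):
            name, text = f.attr, f"{f.value.id}.{f.attr}"
        elif isinstance(f, ast.Name) and f.id in bare_funcs:
            name, text = bare_funcs[f.id], f.id
        else:
            continue
        if name in ("load", "load_all") and _loader_is_safe(node):
            continue  # explicit SafeLoader is equivalent to safe_load()
        findings.append((node.lineno, text))
    return sorted(findings)  # [(lineno, callee_text), ...]


SAMPLE = """import yaml
from yaml import load as yload
cfg = yaml.load(open("taskgraph.yml"))           # flagged: no Loader
ok = yaml.safe_load(open("taskgraph.yml"))       # fine
ok2 = yaml.load(stream, Loader=yaml.SafeLoader)  # fine: explicit safe loader
bad = yload(stream)                              # flagged: aliased yaml.load
"""  # constructed sample source, not from the tree
```

Running `find_unsafe_yaml_loads(SAMPLE)` reports lines 3 and 6; pointing it at real files means reading each `.py` and parsing its text, which is all a tree-wide lint needs.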
Comment on attachment 8986584 [details]
Bug 1469999 - Use yaml.safe_load() for loading linter config file; r?ahal

Andrew Halberstadt [:ahal] has approved the revision.

https://phabricator.services.mozilla.com/D1738
Attachment #8986584 - Flags: review+

Comment on attachment 8986586 [details]
Bug 1469999 - Use yaml.safe_load() in telemetry test; r?chutten

Chris H-C :chutten has approved the revision.

https://phabricator.services.mozilla.com/D1740
Attachment #8986586 - Flags: review+

Comment on attachment 8986585 [details]
Bug 1469999 - Use yaml.safe_load() for loading shaders manifest; r?chmanchester

Chris Manchester (:chmanchester) has approved the revision.

https://phabricator.services.mozilla.com/D1739
Attachment #8986585 - Flags: review+

Comment on attachment 8986583 [details]
Bug 1469999 - Use yaml.safe_load() for loading clang-tidy config file; r?chmanchester

Chris Manchester (:chmanchester) has approved the revision.

https://phabricator.services.mozilla.com/D1737
Attachment #8986583 - Flags: review+

Comment on attachment 8986582 [details]
Bug 1469999 - Use yaml.safe_load() in taskgraph; r?dustin

Phabricator didn't add the flag for some reason. I filed bug 1470954 for that.
Attachment #8986582 - Flags: review?(dustin)

Comment on attachment 8986582 [details]
Bug 1469999 - Use yaml.safe_load() in taskgraph; r?dustin

Dustin J. Mitchell [:dustin] pronoun: he has approved the revision.

https://phabricator.services.mozilla.com/D1736
Attachment #8986582 - Flags: review+

Comment on attachment 8986582 [details]
Bug 1469999 - Use yaml.safe_load() in taskgraph; r?dustin

so good I r+'d it twice, I guess
Attachment #8986582 - Flags: review?(dustin) → review+

Pushed by gszorc@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2bfffe75c278
Use yaml.safe_load() in taskgraph; r=dustin

Pushed by gszorc@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ccf6afcc59fb
Use yaml.safe_load() for loading clang-tidy config file; r=chmanchester
https://hg.mozilla.org/integration/autoland/rev/2452079eb42f
Use yaml.safe_load() for loading linter config file; r=ahal
https://hg.mozilla.org/integration/autoland/rev/a94c62b1e41a
Use yaml.safe_load() for loading shaders manifest; r=chmanchester
https://hg.mozilla.org/integration/autoland/rev/803d0242675c
Use yaml.safe_load() in telemetry test; r=chutten