ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-20 11:26:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #561 from gdraperi/patch-2

Browse Source 
Update YAML.md
This commit is contained in:
Swissky 2022-10-05 14:55:34 +02:00 committed by GitHub
commit 2c10b28976
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Insecure Deserialization/YAML.md
View File

@ -43,6 +43,16 @@ state: !!python/tuple
update: !!python/name:exec update: !!python/name:exec
``` ```
Since PyYaml version 6.0, the default loader for ```load``` has been switched to SafeLoader mitigating the risks against Remote Code Execution.
[PR fixing the vulnerabily](https://github.com/yaml/pyyaml/issues/420)
The vulnerable sinks are now ```yaml.unsafe_load``` and ```yaml.load(input, Loader=yaml.UnsafeLoader)```
```
with open('exploit_unsafeloader.yml') as file:
data = yaml.load(file,Loader=yaml.UnsafeLoader)
```
## Ruamel.yaml ## Ruamel.yaml
## Ruby ## Ruby