Update YAML.md

Updating the actual risks for Python
gdraperi 2022-10-05 13:47:24 +02:00 committed by GitHub
parent a766679356
commit 666a90ffee


@ -43,6 +43,16 @@ state: !!python/tuple
update: !!python/name:exec
```
Since PyYaml version 6.0, the default loader for ```load``` has been switched to SafeLoader mitigating the risks against Remote Code Execution.
[PR fixing the vulnerabily](https://github.com/yaml/pyyaml/issues/420)
The vulnerable sinks are now ```yaml.unsafe_load``` and ```yaml.load(input, Loader=yaml.UnsafeLoader)```
```
with open('exploit_unsafeloader.yml') as file:
data = yaml.load(file,Loader=yaml.UnsafeLoader)
```
## Ruamel.yaml
## Ruby
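Review bot: the snippet added after "The vulnerable sinks are now ..." is not runnable as written: it never imports `yaml`, the `data = yaml.load(...)` line has to be indented inside the `with` block, and the fence carries no language tag, so it should become a fence tagged `python` containing `import yaml`, `with open('exploit_unsafeloader.yml') as file:` and `    data = yaml.load(file, Loader=yaml.UnsafeLoader)`. Two smaller points in the prose: the link text reads "PR fixing the vulnerabily" (typo for "vulnerability") while the URL actually points at issue 420 rather than a pull request, and the inline code is wrapped in triple backticks (```load```, ```yaml.unsafe_load```) where single backticks are the Markdown convention used elsewhere in this file. Finally, the claim that PyYAML 6.0 switched the default loader of `load` to SafeLoader should be checked against the PyYAML changelog before merging: as far as I recall, 6.0 made the `Loader` argument mandatory instead of defaulting it, so the accurate statement is that `yaml.load` without an explicit loader no longer works and that `yaml.safe_load` is the recommended replacement, with `unsafe_load` and an explicit `UnsafeLoader` remaining the dangerous sinks.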