[flake8-bandit/S506] Dont report violation when using BaseLoader

[mcmitch]

From https://pyyaml.org/wiki/PyYAMLDocumentation

• Loader supports all predefined tags and may construct an arbitrary Python object. Therefore it is not safe to use Loader to load a document received from an untrusted source. By default, the functions scan, parse, compose, construct, and others use Loader.
• SafeLoader(stream) supports only standard YAML tags and thus it does not construct class instances and probably safe to use with documents received from an untrusted source. The functions safe_load and safe_load_all use SafeLoader to parse a stream.
• BaseLoader(stream) does not resolve or support any tags and construct only basic Python objects: lists, dictionaries and Unicode strings.

For our project we are using the Baseloader, and do not want to use safeLoader, as this would not leave integer values as strings. The baseloader is not the unsafe FullLoader, and should not be flagged as an exception to S506.

Code to reproduce:

with open('testfile.yaml') as fhandle:
  loader_yaml = yaml.load(fhandle, Loader=yaml.Baseloader)

Ruff setting: [select = "S506"]
Ruff version: 0.6.8

[AlexWaygood]

From my reading of the pyyaml docs, your rationale makes sense to me. I'm not a security expert, however, and it looks like we match bandit's original behaviour here (and it looks like they've had this behaviour for a long time).

Digging into the source code for pyyaml a bit:

• BaseLoader is defined here, and SafeLoader here. They're the same, except that BaseLoader has BaseConstructor and BaseResolver in its bases list, whereas SafeLoader has SafeConstructor and Resolver in its bases list.
• BaseConstructor is here, BaseResolver is here, SafeConstructor is here, Resolver is here. SafeConstructor is a subclass of BaseConstructor; Resolver is a subclass of BaseResolver. SafeConstructor overrides many methods from BaseConstructor, but Resolver seems to be something of a pointless subclass that doesn't override anything from BaseResolver.
• From what I can tell, the methods overridden in SafeConstructor seem mainly to extend the capabilities provided in the BaseConstructor superclass, rather than overriding anything to make it safer -- i.e., exactly as you and the pyyaml docs state.

@ericwb, sorry for the ping -- I don't suppose you'd be able to shed light on this behaviour from bandit, would you? Is there a reason why SafeLoader would be safer than BaseLoader?

[asears]

There's a SO post here with some useful info, though not much clarity in Bandit repo issues on the topic.

https://stackoverflow.com/questions/73958193/are-there-any-cases-to-use-pyyaml-fullloader-or-baseloader-instead-of-safeloader

[cjwatson]

I ran into this too in code that works around some dubious YAML output (https://bugs.debian.org/834059#22, https://gitlab.com/irill/dose3/-/issues/18), and in looking through the code I agree with @AlexWaygood's analysis above: it seems clear to me that SafeLoader just adds additional handling for more YAML constructs rather than adding any safety checks. That is, the "Safe" part of the name is relative to Loader, not relative to BaseLoader. I suspect that bandit just didn't handle this because it's relatively rare to need to use BaseLoader.

Would you accept a community contribution for this? I have what I think is a working patch ready (just the obvious addition of BaseLoader alongside SafeLoader, and updating tests), but on looking through CONTRIBUTING.md I see that I should check in on whether there's sufficient consensus first.

[ntBre]

I think it would be fine to try this change in preview.

[AlexWaygood]

Don't know if @woodruffw has any opinions here? Probably our best-qualified team member to talk about security issues 😄

[woodruffw]

I can look at it today -- I'm not immediately familiar with PyYAML's different loader APIs, but one "classic" security bug that pops up when dealing with tagged object deserialization is malicious subclass specialization, e.g. allowing !!python/evilstr as a subclass of str because str is considered safe.

(I don't know yet if that actually applies in this case.)

[woodruffw]

Okay, I looked at this a bit and I think BaseLoader is fine to allow -- I agree with the top-level comment that it doesn't honor any tags when initializing (Python) objects, so there's no arbitrary object deserialization risk.

[AlexWaygood]

Thank you! Let's go ahead with this then

[cjwatson]

Happy to take care of it, but from the conversation above, I'm not sure whether I should put this change in preview or just go ahead with it directly. Guidance appreciated!

[ntBre]

I'd lean toward putting it in preview just to be safe, but either way is probably fine. Even though this should lead to fewer S506 diagnostics, it can make existing noqa comments now unused, if this pattern is common. We can always see what the ecosystem report says on the PR!