Use SafeLoader for YAML (#2776)

This commit is contained in:
0x1622
2025-11-25 19:31:23 +05:30
committed by GitHub
parent ffce77b13d
commit 1568ce4832
2 changed files with 6 additions and 5 deletions


@@ -11,6 +11,7 @@
- -
### Bug Fixes ### Bug Fixes
- Fixed insecure deserialization vulnerability in YAML loading @0x1622 (#2770)
### capa Explorer Web ### capa Explorer Web


@@ -1102,15 +1102,15 @@ class Rule:
@lru_cache() @lru_cache()
def _get_yaml_loader(): def _get_yaml_loader():
try: try:
# prefer to use CLoader to be fast, see #306 # prefer to use CLoader to be fast, see #306 / CSafeLoader is the same as CLoader but with safe loading
# on Linux, make sure you install libyaml-dev or similar # on Linux, make sure you install libyaml-dev or similar
# on Windows, get WHLs from pyyaml.org/pypi # on Windows, get WHLs from pyyaml.org/pypi
logger.debug("using libyaml CLoader.") logger.debug("using libyaml CSafeLoader.")
return yaml.CLoader return yaml.CSafeLoader
except Exception: except Exception:
logger.debug("unable to import libyaml CLoader, falling back to Python yaml parser.") logger.debug("unable to import libyaml CSafeLoader, falling back to Python yaml parser.")
logger.debug("this will be slower to load rules.") logger.debug("this will be slower to load rules.")
return yaml.Loader return yaml.SafeLoader
@staticmethod @staticmethod
def _get_ruamel_yaml_parser(): def _get_ruamel_yaml_parser():
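Review bot: `_get_yaml_loader` still has no docstring saying *why* the safe loaders are mandatory, so nothing stops a later "make it faster" change from reverting to `yaml.CLoader`/`yaml.Loader`, which construct arbitrary Python objects (`!!python/object/apply:...`) from rule text; I would add, under the `def` line, `"""Return the fastest available *safe* PyYAML loader. Never return yaml.Loader/CLoader: they instantiate arbitrary Python objects from YAML, which is code execution when rules come from an untrusted source (#2770)."""`. The `except Exception:` at the fallback is broader than needed: when libyaml is absent PyYAML simply does not define the attribute, so `except AttributeError:` (or testing `yaml.__with_libyaml__`) would avoid masking an unrelated error as "libyaml missing". The diffstat shows only this file and the changelog changed, so the fix has no regression test; a one-liner such as `with pytest.raises(yaml.constructor.ConstructorError): yaml.load("!!python/object/apply:os.getcwd []", Loader=Rule._get_yaml_loader())` would pin it. `_get_ruamel_yaml_parser` starts at the end of the hunk and continues outside it; presumably it is also used to read rule files, so it is worth confirming that parser is not configured with ruamel's unsafe (`typ="unsafe"`) mode.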