Use SafeLoader in yaml.load() Calls

[pixeebot]

This codemod hardens all yaml.load() calls against attacks that could result from deserializing untrusted data.

The fix uses a safety check that already exists in the yaml module, replacing unsafe loader class with SafeLoader.
The changes from this codemod look like this:

  import yaml
  data = b'!!python/object/apply:subprocess.Popen \\n- ls'
- deserialized_data = yaml.load(data, yaml.Loader)
+ deserialized_data = yaml.load(data, Loader=yaml.SafeLoader)

The codemod will also catch if you pass in the loader argument as a kwarg and if you use any loader other than SafeLoader,
including FullLoader and UnsafeLoader.

More reading

• https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data

I have additional improvements ready for this repo! If you want to see them, leave the comment:

@pixeebot next

... and I will open a new PR right away!

Powered by: pixeebot (codemod ID: pixee:python/harden-pyyaml)

[pixeebot]

I'm confident in this change, but I'm not a maintainer of this project. Do you see any reason not to merge it?

If this change was not helpful, or you have suggestions for improvements, please let me know!

[pixeebot]

This change may not be a priority right now, so I'll close it. If there was something I could have done better, please let me know!

You can also customize me to make sure I'm working with you in the way you want.