Python YAML libraries can also serialize Python objects, not just raw data:
print(yaml.dump(str("lol")))
lol
...
print(yaml.dump(tuple("lol")))
!!python/tuple
- l
- o
- l
print(yaml.dump(range(1,10)))
!!python/object/apply:builtins.range
- 1
- 10
- 1
Note how tuple is not a primitive data type and was therefore serialized with a tag. The same happened with range (taken from builtins).
safe_load() and safe_load_all() use SafeLoader and do not support deserialization of class objects. Example of class object deserialization:
import yaml
from yaml import UnsafeLoader, FullLoader, Loader

data = b'!!python/object/apply:builtins.range [1, 10, 1]'

print(yaml.load(data, Loader=UnsafeLoader))     #range(1, 10)
print(yaml.load(data, Loader=Loader))           #range(1, 10)
print(yaml.load_all(data))                      #<generator object load_all at 0x7fc4c6d8f040> (PyYAML >= 6.0 raises TypeError here: Loader is required)
print(yaml.load_all(data, Loader=Loader))       #<generator object load_all at 0x7fc4c6d8f040>
print(yaml.load_all(data, Loader=UnsafeLoader)) #<generator object load_all at 0x7fc4c6d8f040>
print(yaml.load_all(data, Loader=FullLoader))   #<generator object load_all at 0x7fc4c6d8f040>
print(yaml.unsafe_load(data))                   #range(1, 10)
print(yaml.full_load_all(data))                 #<generator object load_all at 0x7fc4c6d8f040>
print(yaml.unsafe_load_all(data))               #<generator object load_all at 0x7fc4c6d8f040>
#The other ways to load data will throw an error as they won't even attempt to
#deserialize the python object
The previous code used unsafe_load to load the serialized Python class. This is because in versions >= 5.1, deserializing any serialized Python class or class attribute is not allowed when no Loader is specified in load() or when Loader=SafeLoader is used.
Please note that in newer versions you can no longer call .load() without a Loader, and FullLoader is no longer vulnerable to this attack.
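Added example, not from the original page: the same tagged document is loaded through SafeLoader, FullLoader and UnsafeLoader, and a small helper shows how to accept untrusted YAML with SafeLoader only while turning the ConstructorError that a python/* tag triggers into a logged rejection instead of a crash. The function names and the sample documents are assumptions made for this example.

```python
import yaml
from yaml.constructor import ConstructorError

# Constructed sample: the tagged document from the page, which asks the
# loader to call builtins.range(1, 10, 1) while "parsing" data.
TAGGED_DOC = b"!!python/object/apply:builtins.range [1, 10, 1]"
# Constructed sample: plain data with no tags at all.
PLAIN_DOC = b"{name: demo, ports: [80, 443]}"


def load_untrusted(data: bytes):
    """Parse YAML from an untrusted source with SafeLoader only.

    SafeLoader has no constructor for the python/* tags, so a document
    that carries one fails with ConstructorError. Returns (True, value)
    for plain data and (False, reason) for a rejected document, so the
    caller can log the attempt rather than letting the error propagate.
    (Helper name is an assumption for this example.)
    """
    try:
        return True, yaml.load(data, Loader=yaml.SafeLoader)
    except ConstructorError as exc:
        return False, exc.problem


def loader_behaviour(data: bytes):
    """Load one document with each loader the page discusses.

    Records either the constructed Python object or the string "rejected"
    per loader name (helper name is an assumption for this example).
    """
    results = {}
    for name in ("SafeLoader", "FullLoader", "UnsafeLoader"):
        loader = getattr(yaml, name)
        try:
            results[name] = yaml.load(data, Loader=loader)
        except ConstructorError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(load_untrusted(PLAIN_DOC))   # (True, {'name': 'demo', 'ports': [80, 443]})
    print(load_untrusted(TAGGED_DOC))  # rejected: the message names the python/object/apply tag
    print(loader_behaviour(TAGGED_DOC))
```

With a current PyYAML, only UnsafeLoader actually builds the range object; SafeLoader refuses the tag, and FullLoader refuses it as well in the releases where the page says it is no longer vulnerable.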
RCE
Custom payloads can be created using Python YAML modules such as PyYAML or ruamel.yaml. These payloads can exploit weaknesses in systems that load untrusted data without sanitizing it properly.