PyYaml SafeLoader -- how to secure?

2009-07-19
2013-06-04
  • Shaun Cutts
    2009-07-19

    Hello,

    I was writing a little routine to guess the type of a string -- building a PyYaml.SafeLoader on a string, then calling get_single_node to get a node, and looking at the type.

    But I noticed that SafeLoader will build a node even if the content is an arbitrary object. Is this the desired behavior? Is there a good way to tell if a given tag is "safe" -- except by checking for "python" in the string, which seems like a hack?

    Thanks,

    -- Shaun Cutts
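
The check asked about above, as an added example that is not part of the original post: `get_single_node` only composes nodes and never constructs objects, so it returns a node for any tag. This sketch walks the composed tree and compares each tag with the constructors registered on `SafeLoader` instead of searching for "python". The names `classify` and `is_safe` and the sample documents are constructed here.

```python
import yaml

def classify(text, loader_cls=yaml.SafeLoader):
    """Compose text (no objects are constructed) and return (tag, registered) pairs."""
    loader = loader_cls(text)
    try:
        root = loader.get_single_node()
    finally:
        loader.dispose()
    if root is None:                      # empty document
        return []
    known = loader_cls.yaml_constructors  # exact tag -> constructor
    # Tag prefixes with a multi-constructor; the None catch-all is ignored on purpose.
    prefixes = tuple(p for p in loader_cls.yaml_multi_constructors if p is not None)
    report, stack, seen = [], [root], set()
    while stack:
        node = stack.pop()
        if id(node) in seen:              # aliases can make the graph cyclic
            continue
        seen.add(id(node))
        report.append((node.tag, node.tag in known or node.tag.startswith(prefixes)))
        if isinstance(node, yaml.SequenceNode):
            stack.extend(node.value)
        elif isinstance(node, yaml.MappingNode):
            for key, value in node.value:
                stack.extend((key, value))
    return report

def is_safe(text):
    """True only if every node's tag has a constructor registered on SafeLoader."""
    return all(ok for _, ok in classify(text))

# Constructed sample documents.
PLAIN = "a: 1\nb: [x, 2.5, true]\n"
PY_OBJECT = "!!python/object:example.Widget {name: x}\n"
LOCAL_TAG = "- 1\n- !mytag foo\n"

if __name__ == "__main__":
    for doc in (PLAIN, PY_OBJECT, LOCAL_TAG):
        print(is_safe(doc), sorted(t for t, ok in classify(doc) if not ok))
```

The check is conservative: a merge key (`<<`) is reported as unregistered because `SafeLoader` handles it inside mapping construction rather than through a registered constructor.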
