2018-0305 Solution - Being A Student Is Easy

Challenge type: Code review

Affected: MLAlchemy

Fixed in: version 0.2.2

Original code: found here

Description

This week's challenge was another code review challenge, this time looking at a Python-based YAML parser from the MLAlchemy library. Parsing can be tricky business: if it isn't done correctly it can lead to a slew of issues, up to and including arbitrary code execution. That's exactly what happened in this case.

Solution

The parse_yaml_query function is the culprit in this case. It calls yaml.load instead of the safer yaml.safe_load. PyYAML's full loader honours tags such as !!python/object/apply, which tell it to import a module and call a function while the document is being parsed, so anyone who can supply a query string can get arbitrary Python run by the parser. yaml.safe_load (the SafeLoader) only builds plain data types such as dicts, lists and strings and rejects those tags with a ConstructorError. Note that PyYAML 5.1 started warning when yaml.load is called without an explicit Loader and 6.0 made the argument mandatory, but yaml.load with Loader=yaml.Loader is still just as unsafe as the old default.
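To make the difference concrete, here is an added example (my own, not MLAlchemy's code) that assumes PyYAML is installed. It feeds a constructed query to the unsafe loader and then to the safe one; the attacker-controlled document uses os.getcwd so the demo is harmless, where a real attacker would pick os.system. The benign query's where/$and layout is only an assumed shape, not MLAlchemy's documented grammar.

```python
"""Unsafe vs. safe YAML loading in PyYAML (added example, not MLAlchemy code).

Assumes PyYAML is installed. Both query strings below are constructed for
this demo.
"""
import os

import yaml

# Constructed attacker-controlled "query". The !!python/object/apply tag asks
# the unsafe loader to import a module and call a function while parsing.
# os.getcwd is used so the demo has no side effects; os.system would run a
# shell command in the same way.
MALICIOUS_QUERY = "!!python/object/apply:os.getcwd []\n"

# Constructed benign query in an assumed MLAlchemy-like shape.
BENIGN_QUERY = "where:\n  $and:\n    - name: alice\n    - age: 30\n"


def unsafe_parse(text):
    """The vulnerable pattern: yaml.load with the full (unsafe) Loader.

    Before PyYAML 5.1 a bare yaml.load(text) did exactly this. The tag in
    MALICIOUS_QUERY is resolved to a Python call and its return value
    becomes the parsed document.
    """
    return yaml.load(text, Loader=yaml.Loader)


def unsafe_call_ran(text):
    """True if the unsafe loader executed the embedded os.getcwd call."""
    return unsafe_parse(text) == os.getcwd()


def safe_parse(text):
    """The hardened pattern: yaml.safe_load only builds plain Python data.

    Any python/* tag makes the SafeLoader raise a ConstructorError (a
    YAMLError subclass); it is turned into ValueError so callers treat the
    input as a bad query rather than an internal crash.
    """
    try:
        return yaml.safe_load(text)
    except yaml.YAMLError as exc:
        raise ValueError(f"rejected YAML query: {exc}") from None


def is_rejected(text):
    """True if the safe parser refuses the document."""
    try:
        safe_parse(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe loader ran attacker function:", unsafe_call_ran(MALICIOUS_QUERY))
    print("safe loader parsed benign query   :", safe_parse(BENIGN_QUERY))
    print("safe loader rejected malicious doc:", is_rejected(MALICIOUS_QUERY))
```

Running it shows the unsafe loader returning the current directory (the attacker's function ran inside the parser) while safe_load raises on the same input and still parses the ordinary query. The fix for a parse_yaml_query-style function is the one-line swap to yaml.safe_load, plus catching yaml.YAMLError so malformed or hostile input surfaces as a validation error.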

Take a look at the code below to see how it looks.
