security scan reported insecure yaml load method usage in latest cloud-init code

Bug #1849640 reported by Kumar Biplab
Affects: cloud-init | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned

Bug Description

security scan reported insecure yaml load method usage in latest cloud-init code

PyYAML's yaml.load() method is unsafe and can execute code in YAML files. We can use safe_load() as a safer option.

Here are the lines where it is used in the current code.

1. cloudinit\cmd\devel\net_convert.py at line 81
   yaml.load(net_data)

2. \cloudinit\safeyaml.py at line 28
   yaml.load(blob,Loader=_CustomSafeLoader)

3. \cloudinit\util.py at line 950
   converted = safeyaml.load(blob)

Scott Moser (smoser) wrote :

I think this can be made public.
The fix is in the tree for the net_convert use of load.

That was the only code that was using 'load' without Loader=_CustomSafeLoader.
The result of which would be limited to executing code as the user who executed
'cloud-init devel net-convert'.

Revision history for this message
Ryan Harper (raharper) wrote :

Thanks for taking the time to make cloud-init more secure. At this time we do not believe this is a security issue. Cloud-init does have a safe yaml parser and your scan did find one call-site which was not using the existing safe yaml parser, though not in the primary execution path of cloud-init. This has already been patched and merged upstream.

--
This bug mentions use of yaml.load() and suggests using safeload() instead and worries about executing code during the yaml.load() operation.

1. cloudinit/cmd/devel/net_convert.py: yaml.load(net_data) Line 81
The method is called by unprivileged users on a system; any code execution would run with permissions of that user. This method is not called or used during system boot.
This call to yaml.load should be replaced with a call to cloudinit.util.load_yaml() which uses cloudinit.safeyaml loader which uses yaml.SafeLoader.

2. cloudinit/safeyaml.py:yaml.load(blob,Loader=_CustomSafeLoader)
This use of yaml.load specifies a Loader that is not the default Loader. _CustomSafeLoader(), defined in the same file, is a subclass of yaml.SafeLoader, which is the loader used by yaml.safeload().

3. cloudinit/util.py at line 950, converted = safeyaml.load(blob)
This code uses cloudinit's safeyaml.load() method, which uses yaml.SafeLoader.

Changed in cloud-init:
status: New → Fix Committed
information type: Private Security → Public
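The distinction in points 1 and 2 above, as an added example that is not cloud-init's own code: a hypothetical SafeLoader subclass (named CustomSafeLoader here, modelled only on the idea that a custom loader can extend yaml.SafeLoader) that explicitly allows one extra tag while still refusing the python/* tags that only the default yaml.load() loader would resolve.

```python
import yaml


class CustomSafeLoader(yaml.SafeLoader):
    """Hypothetical loader (not cloud-init's _CustomSafeLoader).

    Because it subclasses yaml.SafeLoader, it constructs only plain YAML
    types; python/object, python/name and similar tags are still refused.
    """


def _construct_python_unicode(loader, node):
    # Treat the legacy Python 2 unicode tag as an ordinary string.
    return loader.construct_scalar(node)


# The one deliberate extension: register a constructor for a single tag.
CustomSafeLoader.add_constructor(
    "tag:yaml.org,2002:python/unicode", _construct_python_unicode)


def load_yaml_safely(blob):
    """Parse a YAML document with the restricted loader (never the default)."""
    return yaml.load(blob, Loader=CustomSafeLoader)


def is_rejected(blob, loader=CustomSafeLoader):
    """True if the given loader refuses the document with a YAML error."""
    try:
        yaml.load(blob, Loader=loader)
    except yaml.YAMLError:
        return True
    return False


# Constructed sample inputs: ordinary cloud-config style data, a document
# using the explicitly allowed tag, and one carrying a python/name tag.
BENIGN = "#cloud-config\nusers:\n  - name: demo\n    groups: [sudo]\n"
ALLOWED_TAG = "name: !!python/unicode 'demo'\n"
PYTHON_TAG = "key: !!python/name:builtins.len\n"

if __name__ == "__main__":
    print(load_yaml_safely(BENIGN))
    print(load_yaml_safely(ALLOWED_TAG))
    print("python/name tag rejected:", is_rejected(PYTHON_TAG))
```

The plain yaml.SafeLoader refuses even the python/unicode tag, which shows that the subclass widens the accepted tag set only by the one constructor it registers.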
Chad Smith (chad.smith) wrote : Fixed in cloud-init version 19.2-70.

This bug is believed to be fixed in cloud-init in version 19.2-70. If this is still a problem for you, please make a comment and set the state back to New.

Thank you.

Changed in cloud-init:
status: Fix Committed → Fix Released