Security Warning: Avoid yaml.load() Without a Loader
YAML allows custom tags that can instantiate Python objects — a powerful feature, but also a serious security risk. Using yaml.load() without explicitly specifying a loader (e.g., SafeLoader) can lead to arbitrary code execution if the input is malicious.
For example, a document containing this tag:

```yaml
!!python/object/apply:os.system ["rm -rf /"]
```

runs the command at load time if it is parsed with yaml.load() and an unrestricted loader. To prevent this:

- Use yaml.safe_load() in PyYAML.
- Use YAML(typ='safe') in ruamel.yaml.
These options restrict YAML parsing to simple data types (strings, lists, dicts) and avoid evaluating potentially dangerous tags.
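The following is an added example, not code from the page: it wraps yaml.safe_load() so that a document carrying a python/object tag is rejected with a loggable reason instead of an unhandled exception, and adds a second check that the loaded tree contains only scalars, lists and dicts. It assumes PyYAML is installed; the two sample documents and the function names load_untrusted_yaml and contains_only_plain_types are constructed for the example.

```python
import yaml
from yaml.constructor import ConstructorError

# Constructed sample documents (not from the page): a plain config, and one
# carrying a python/object/apply tag of the kind the warning describes. The
# tag names a harmless function because this script never hands it to an
# unrestricted loader; the point is that the safe loader refuses the tag.
BENIGN_DOC = """\
service: web
ports: [80, 443]
tls:
  enabled: true
"""

TAGGED_DOC = """\
cmd: !!python/object/apply:os.getcwd []
"""

# Types this example's policy accepts in a loaded config. The safe loader
# itself can also produce dates and bytes (from !!timestamp and !!binary);
# widen this tuple if a config legitimately needs them.
PLAIN_TYPES = (str, int, float, bool, type(None))


def load_untrusted_yaml(text):
    """Parse YAML from an untrusted source with the safe loader only.

    Returns (data, None) on success. Returns (None, reason) when the document
    uses a tag the safe loader has no constructor for (every !!python/... tag
    falls in this class) or is otherwise malformed, so the caller gets a
    value it can log rather than an exception from inside the parser.
    """
    try:
        data = yaml.safe_load(text)
    except ConstructorError as exc:
        # exc.problem names the offending tag, e.g. "could not determine a
        # constructor for the tag 'tag:yaml.org,2002:python/object/apply:os.getcwd'"
        return None, f"rejected: {exc.problem}"
    except yaml.YAMLError as exc:
        return None, f"malformed YAML: {exc}"
    return data, None


def contains_only_plain_types(obj):
    """Defense-in-depth check on the loaded result: True only if the whole
    tree is built from PLAIN_TYPES scalars, lists and dicts. Anything else
    (an arbitrary object, a set, a date) fails the policy and should not be
    passed on to the application."""
    if isinstance(obj, PLAIN_TYPES):
        return True
    if isinstance(obj, list):
        return all(contains_only_plain_types(item) for item in obj)
    if isinstance(obj, dict):
        return all(
            contains_only_plain_types(k) and contains_only_plain_types(v)
            for k, v in obj.items()
        )
    return False


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_DOC), ("tagged", TAGGED_DOC)):
        data, err = load_untrusted_yaml(doc)
        if err:
            print(f"{name}: {err}")
        else:
            print(f"{name}: {data} plain={contains_only_plain_types(data)}")
```

Since PyYAML 6.0, yaml.load() raises TypeError unless a Loader is given, but being forced to pick one is not the same as picking a safe one: FullLoader is also not meant for untrusted input, so the explicit choice should be SafeLoader (which is exactly what yaml.safe_load() uses). With ruamel.yaml the equivalent call is YAML(typ='safe').load(text), and contains_only_plain_types works on its output unchanged.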