SC007: SafeYAMLLoading
Overview
| Property | Value |
|---|---|
| ID | SC007 |
| Name | SafeYAMLLoading |
| Group | security |
| Severity | ERROR |
Description
Scans Python source files for yaml.load() calls that do not use a safe Loader. Such calls let YAML tags construct arbitrary Python objects, which leads to arbitrary code execution when the YAML comes from an untrusted source.
Using yaml.load() without a safe Loader is a critical security vulnerability that can lead to:
- Arbitrary code execution on the system
- Remote code execution if processing user-supplied YAML
- Complete system compromise
- Data exfiltration
What it checks
The check scans all .py files (excluding test files, .venv/, and __pycache__/) for:
- yaml.load() without a Loader argument: direct calls to yaml.load() with no Loader specified. In PyYAML 5.1 through 5.4 this silently falls back to FullLoader (with a warning); in PyYAML 6.0 and later the Loader argument is required and the call raises TypeError.
- yaml.load() with yaml.FullLoader: FullLoader can still construct arbitrary Python objects and so execute arbitrary Python functions; several such bypasses were patched across PyYAML 5.x releases, so it must not be relied on for untrusted input.
- yaml.load() with yaml.UnsafeLoader: an explicitly unsafe loader that allows arbitrary code execution.
Result states
- PASSED: No unsafe YAML loading found
- FAILED: One or more unsafe yaml.load() calls detected
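A minimal version of the detection, added here as an illustration and not pycmdcheck's own implementation: it parses a source file with Python's ast module, finds every call spelled yaml.load(...), and reports those with no Loader or with a Loader other than SafeLoader/CSafeLoader (FullLoader, UnsafeLoader, the legacy Loader, or any non-literal expression). The file-exclusion rule (test_*.py, *_test.py, .venv/, __pycache__/) and the embedded sample module are assumptions made for this example.

```python
import ast
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Loaders this example accepts as safe. Anything else (FullLoader, UnsafeLoader,
# the legacy Loader/CLoader, or a non-literal expression) is reported.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}

# Exclusion rule assumed for this example; pycmdcheck's exact rule is not shown on the page.
EXCLUDED_DIRS = {".venv", "__pycache__"}


@dataclass
class Finding:
    lineno: int
    reason: str


def should_scan(path: str) -> bool:
    """Skip non-Python files, test files and excluded directories (assumed rule)."""
    p = Path(path)
    if p.suffix != ".py" or EXCLUDED_DIRS.intersection(p.parts):
        return False
    return not (p.name.startswith("test_") or p.name.endswith("_test.py"))


def _is_yaml_load(call: ast.Call) -> bool:
    """True for a call spelled exactly `yaml.load(...)`."""
    func = call.func
    return (
        isinstance(func, ast.Attribute)
        and func.attr == "load"
        and isinstance(func.value, ast.Name)
        and func.value.id == "yaml"
    )


def _loader_name(node: ast.AST) -> Optional[str]:
    """`yaml.SafeLoader` -> 'SafeLoader', bare `SafeLoader` -> 'SafeLoader', else None."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def find_unsafe_yaml_loads(source: str) -> List[Finding]:
    """Return one Finding per yaml.load() call that is not bound to a safe Loader."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_yaml_load(node)):
            continue
        # The Loader may be passed by keyword or as the second positional argument.
        loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
        if loader is None and len(node.args) >= 2:
            loader = node.args[1]
        if loader is None:
            findings.append(Finding(node.lineno, "yaml.load() without Loader"))
            continue
        name = _loader_name(loader)
        if name not in SAFE_LOADERS:
            findings.append(Finding(node.lineno, f"yaml.load() with Loader={name or '<expression>'}"))
    findings.sort(key=lambda f: f.lineno)
    return findings


def check(source: str) -> str:
    """Map the findings onto the check's result states."""
    return "FAILED" if find_unsafe_yaml_loads(source) else "PASSED"


# Constructed sample module exercising each pattern the check looks for.
SAMPLE = """\
import yaml

def a(f):
    return yaml.load(f)                          # no Loader

def b(f):
    return yaml.load(f, Loader=yaml.FullLoader)  # FullLoader

def c(f):
    return yaml.load(f, yaml.UnsafeLoader)       # UnsafeLoader, positional

def d(f):
    return yaml.load(f, Loader=yaml.SafeLoader)  # safe

def e(f):
    return yaml.safe_load(f)                     # safe
"""

if __name__ == "__main__":
    for finding in find_unsafe_yaml_loads(SAMPLE):
        print(f"sample.py:{finding.lineno}: {finding.reason}")
    print(check(SAMPLE))
```

Run against the sample, this reports lines 4, 7 and 10 and yields FAILED; the SafeLoader and safe_load() calls on lines 13 and 16 are not flagged. Because it matches on the literal name yaml, an aliased import (import yaml as y) or from yaml import load would slip past it, which is the usual gap of a syntactic check of this kind.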
How to fix
Use yaml.safe_load()
```python
import yaml

# Bad: yaml.load() without Loader
data = yaml.load(file)

# Bad: yaml.load() with FullLoader (still vulnerable)
data = yaml.load(file, Loader=yaml.FullLoader)

# Good: use yaml.safe_load()
data = yaml.safe_load(file)
```
Use yaml.SafeLoader explicitly
```python
import yaml

# Good: explicit SafeLoader
data = yaml.load(file, Loader=yaml.SafeLoader)
```
Use yaml.safe_load_all() for multiple documents
```python
import yaml

# Good: safe loading of multiple YAML documents
for doc in yaml.safe_load_all(file):
    process(doc)
```
Note that the safe loader only constructs standard YAML types (mappings, sequences, strings, numbers, booleans, null, timestamps). A document carrying a Python-specific tag such as !!python/object is rejected with yaml.constructor.ConstructorError instead of being executed, so code that depended on deserializing custom objects needs an explicit constructor registered on SafeLoader rather than a switch back to an unsafe loader.
Why ERROR severity?
This check is an ERROR because:
- Unsafe YAML loading can execute arbitrary Python code
- Attackers can craft malicious YAML to compromise systems
- The fix is simple: use yaml.safe_load() instead
- There is almost never a legitimate need for yaml.load() with unsafe loaders
Configuration
Skip this check
```toml
[tool.pycmdcheck]
skip = ["SC007"]
```
CLI
```shell
pycmdcheck --skip SC007
```