
#0602

YAML Unsafe Loader

Easy · +50 XP · A08:2021 Software and Data Integrity Failures · CWE-502
Deserialization · YAML · Python

Scenario

Your service accepts YAML configuration strings from user-controlled input.

Using `yaml.load` (the unsafe loader) allows YAML tags like `!!python/object/apply:os.system` to execute arbitrary shell commands during parsing — before any business logic runs.

PyYAML's unsafe loader has been a well-known RCE vector for over a decade. Any application that passes user input to `yaml.load` without `Loader=yaml.SafeLoader` is vulnerable.

Your Tasks

  1. Detect dangerous YAML tags: if `yaml_string` contains the substring `!!python/`, raise `ValueError('Unsafe YAML content')`.
  2. Return `{"parsed": True}` for safe inputs (no actual YAML parsing required).
  3. An empty string must not raise.

Examples

Example 1: Exploit — os.system gadget via YAML tag

parseConfig("!!python/object/apply:os.system ['id']")
# raises: ValueError('Unsafe YAML content')

Example 2: Safe — plain key-value YAML

parseConfig('host: localhost\nport: 5432')
# returns: {'parsed': True}

Constraints

  • Raise exactly `ValueError('Unsafe YAML content')`.
  • The check must be a substring search — the forbidden tag can appear anywhere in the string.
  • Empty and plain YAML-like strings without `!!python/` must return `{"parsed": True}`.
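A reference implementation of the tasks and constraints above, written for this page rather than taken from the platform's answer key. `is_rejected` and `safe_parse` are helper names introduced here; `safe_parse` shows the real-world mitigation named in the scenario (`Loader=yaml.SafeLoader`) and simply returns `None` when PyYAML is not installed, so the block runs with the standard library alone.

```python
from typing import Any, Dict, Optional

UNSAFE_TAG = "!!python/"  # tag prefix the task requires us to reject
SAFE_RESULT: Dict[str, bool] = {"parsed": True}


def parseConfig(yaml_string: str) -> Dict[str, bool]:
    """Refuse YAML that carries PyYAML's python-specific tags.

    This is a plain substring search, as the constraints demand: the tag may
    sit anywhere in the document (nested value, list item, second document
    after '---'), so anchoring at the start of the string would miss it.
    """
    if UNSAFE_TAG in yaml_string:
        raise ValueError("Unsafe YAML content")
    # No real parsing is required by the task; empty and plain strings pass.
    return dict(SAFE_RESULT)


def is_rejected(yaml_string: str) -> bool:
    """Helper (not part of the task): True when parseConfig refuses input
    with exactly the required error message."""
    try:
        parseConfig(yaml_string)
    except ValueError as exc:
        return str(exc) == "Unsafe YAML content"
    return False


def safe_parse(yaml_string: str) -> Optional[Any]:
    """Production mitigation: SafeLoader does not know the python/ tags, so
    it cannot construct arbitrary objects. Returns None if PyYAML is absent
    (assumption for this stdlib-only example)."""
    try:
        import yaml
    except ImportError:
        return None
    return yaml.load(yaml_string, Loader=yaml.SafeLoader)


if __name__ == "__main__":
    # Constructed inputs: the two from the task plus a nested occurrence.
    samples = [
        "!!python/object/apply:os.system ['id']",
        "host: localhost\nport: 5432",
        "",
        "config:\n  run: !!python/object/apply:os.system ['id']",
    ]
    for s in samples:
        print(repr(s), "->", "rejected" if is_rejected(s) else parseConfig(s))
    print("safe_parse:", safe_parse("host: localhost\nport: 5432"))
```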
