{"title":"Unsafe YAML Deserialization via yaml.load()","language":"Python","severity":"Critical","cwe":"CWE-502","source_lines":[9],"flow_lines":[9,10],"sink_lines":[10],"vulnerable_code":"import yaml\nfrom flask import Flask, request, jsonify\n\napp = Flask(__name__)\n\n@app.route('/iot/device/configure', methods=['POST'])\ndef update_device_config():\n    device_id = request.headers.get('X-Device-ID')\n    config_payload = request.data.decode('utf-8')\n    device_settings = yaml.load(config_payload, Loader=yaml.Loader)\n    device_settings['device_id'] = device_id\n    device_settings['last_updated'] = __import__('time').time()\n    apply_iot_configuration(device_settings)\n    return jsonify({'status': 'configured', 'device': device_id})\n\ndef apply_iot_configuration(settings):\n    pass","explanation":"The application uses yaml.load() with yaml.Loader on untrusted user input from request.data without validation. This allows an attacker to execute arbitrary Python code by sending a malicious YAML payload containing Python object constructors, leading to Remote Code Execution (RCE) on the server.","remediation":"The fix replaces yaml.load() with yaml.safe_load(), which only deserializes standard YAML types (strings, numbers, lists, dicts) and refuses to instantiate arbitrary Python objects. Additionally, a type check ensures the parsed result is a dictionary before proceeding, preventing unexpected input types from causing downstream issues.","secure_code":"import yaml\nfrom flask import Flask, request, jsonify\n\napp = Flask(__name__)\n\n@app.route('/iot/device/configure', methods=['POST'])\ndef update_device_config():\n    device_id = request.headers.get('X-Device-ID')\n    config_payload = request.data.decode('utf-8')\n    device_settings = yaml.safe_load(config_payload)\n    if not isinstance(device_settings, dict):\n        return jsonify({'status': 'error', 'message': 'Invalid configuration format'}), 400\n    device_settings['device_id'] = device_id\n    device_settings['last_updated'] = __import__('time').time()\n    apply_iot_configuration(device_settings)\n    return jsonify({'status': 'configured', 'device': device_id})\n\ndef apply_iot_configuration(settings):\n    pass"}