{"title":"Unsafe YAML Deserialization via yaml.load with Full Loader","language":"Python","severity":"Critical","cwe":"CWE-502","source_lines":[5],"flow_lines":[5,6],"sink_lines":[6],"vulnerable_code":"import yaml\nfrom flask import request, jsonify\n\ndef apply_iot_device_config():\n    device_payload = request.data.decode('utf-8')\n    parsed_config = yaml.load(device_payload, Loader=yaml.FullLoader)\n    device_id = parsed_config.get('device_id')\n    firmware_ver = parsed_config.get('firmware_version')\n    telemetry_interval = parsed_config.get('telemetry_interval', 60)\n    update_device_registry(device_id, firmware_ver, telemetry_interval)\n    return jsonify({'status': 'configuration applied', 'device': device_id})","explanation":"The code uses yaml.load() with FullLoader on untrusted user input from request.data without validation. FullLoader can instantiate arbitrary Python objects, allowing attackers to execute arbitrary code through specially crafted YAML payloads containing malicious object constructors.","remediation":"The fix replaces yaml.load() with yaml.safe_load(), which only deserializes standard YAML tags (strings, numbers, lists, dicts) and refuses to instantiate arbitrary Python objects. Additionally, a type check ensures the parsed result is a dictionary before accessing keys, preventing unexpected behavior from non-mapping YAML inputs.","secure_code":"import yaml\nfrom flask import request, jsonify\n\ndef apply_iot_device_config():\n    device_payload = request.data.decode('utf-8')\n    parsed_config = yaml.safe_load(device_payload)\n    if not isinstance(parsed_config, dict):\n        return jsonify({'status': 'error', 'message': 'Invalid configuration format'}), 400\n    device_id = parsed_config.get('device_id')\n    firmware_ver = parsed_config.get('firmware_version')\n    telemetry_interval = parsed_config.get('telemetry_interval', 60)\n    update_device_registry(device_id, firmware_ver, telemetry_interval)\n    return jsonify({'status': 'configuration applied', 'device': device_id})"}