Insufficient input validation in Yamale allows an attacker to perform Python code injection when processing a malicious schema file
Yamale (,3.0.8), fixed in 3.0.8
A code injection vulnerability occurs when parsing a malicious schema file, due to the
parser.parse method which invokes an insecure call to
eval with user-controlled input.
An attacker that can control the contents of the schema file that’s supplied to Yamale (
-s/--schema command line parameter), can provide a seemingly valid schema file that will cause arbitrary Python code to run.
This issue may be exploited remotely if some piece of the vendor code allows an attacker to control the schema file, for example:
subprocess.run(["yamale", "-s", remote_userinput, "/path/to/file_to_validate"])
This scenario is much more likely to be exploited as part of a parameter injection attack
No PoC is supplied for this issue
No vulnerability mitigations are supplied for this issue