)]}'
{
  "commit": "5080ba513377b6355a0502104846ee804656f1e0",
  "tree": "826f493233cb941523b4f59c923f07300a9d9553",
  "parents": [
    "2f463cf5b0e98a52bc20e348d1e69761bf263b86"
  ],
  "author": {
    "name": "Riccardo Schirone",
    "email": "ret2libc@users.noreply.github.com",
    "time": "Tue Mar 17 19:09:55 2020 +0100"
  },
  "committer": {
    "name": "GitHub",
    "email": "noreply@github.com",
    "time": "Tue Mar 17 19:09:55 2020 +0100"
  },
  "message": "Prevents arbitrary code execution during python/object/new constructor (#386)\n\n* Prevents arbitrary code execution during python/object/new constructor\r\n\r\nIn FullLoader, the python/object/new constructor, implemented by\r\nconstruct_python_object_apply, has support for setting the state of a\r\ndeserialized instance through the set_python_instance_state method.\r\nAfter setting the state, some operations are performed on the instance\r\nto complete its initialization; however, it is possible for an attacker\r\nto set the instance\u0027s state in such a way that arbitrary code is executed\r\nby the FullLoader.\r\n\r\nThis patch tries to block such attacks in FullLoader by preventing\r\nset_python_instance_state from setting arbitrary properties. It\r\nimplements a blacklist that includes the `extend` method (called by\r\nconstruct_python_object_apply) and all special methods (e.g. __set__,\r\n__setitem__, etc.).\r\n\r\nUsers who need special attributes to be set in the state of a\r\ndeserialized object can still do it through the UnsafeLoader, which\r\nhowever should not be used on untrusted input. Additionally, they can\r\nsubclass FullLoader and redefine `get_state_keys_blacklist()` to\r\nextend/replace the list of blacklisted keys, passing the subclassed\r\nloader to yaml.load.\r\n\r\n* Make sure python/object/new constructor does not set some properties\r\n\r\n* Add test to show how to subclass FullLoader with new blacklist",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "8ce39722d242c4f58bf7dfaf845a3d2793ccd64c",
      "old_mode": 33188,
      "old_path": "lib/yaml/constructor.py",
      "new_id": "794681cb7fe5ff828e5d95dd594e5eed8bfe10ca",
      "new_mode": 33188,
      "new_path": "lib/yaml/constructor.py"
    },
    {
      "type": "modify",
      "old_id": "cd9167eafa05a85631ffe10f4202cb19abbdd37f",
      "old_mode": 33188,
      "old_path": "lib3/yaml/constructor.py",
      "new_id": "1948b125c205261864156b18178c1af3f535ad76",
      "new_mode": 33188,
      "new_path": "lib3/yaml/constructor.py"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "555a2b3a385197b91b2eb038a23dc3aafce3977c",
      "new_mode": 33188,
      "new_path": "tests/data/myfullloader.subclass_blacklist"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "8d224f1577a3e524dc31293b3a61db0637233c1a",
      "new_mode": 33188,
      "new_path": "tests/data/overwrite-state-new-constructor.loader-error"
    },
    {
      "type": "modify",
      "old_id": "a22fd189149f00eb793b0f6d7ce81cc84f462a21",
      "old_mode": 33188,
      "old_path": "tests/lib/test_constructor.py",
      "new_id": "5a8cce21927dfeab381e45a3017b11470cab0c87",
      "new_mode": 33188,
      "new_path": "tests/lib/test_constructor.py"
    },
    {
      "type": "modify",
      "old_id": "877982db89fc16085ec2dcfbfa6149c71e61ecad",
      "old_mode": 33188,
      "old_path": "tests/lib3/test_constructor.py",
      "new_id": "f9a507701a443884df30d3130fbcaeaeffba4e05",
      "new_mode": 33188,
      "new_path": "tests/lib3/test_constructor.py"
    }
  ]
}
