security(agent): Replace unsafe pyyaml loader with SafeLoader (Si…

…gnificant-Gravitas#7035) Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
bobohaha · Mar 22, 2024 · a1ffe15 · a1ffe15
1 parent 30bc761
commit a1ffe15
Show file tree

Hide file tree

Showing 7 changed files with 7 additions and 7 deletions.
diff --git a/autogpts/autogpt/autogpt/commands/file_operations_utils.py b/autogpts/autogpt/autogpt/commands/file_operations_utils.py
@@ -68,7 +68,7 @@ def read(self, file: BinaryIO) -> str:
 # Reading as dictionary and returning string format
 class YAMLParser(ParserStrategy):
     def read(self, file: BinaryIO) -> str:
-        data = yaml.load(file, Loader=yaml.FullLoader)
+        data = yaml.load(file, Loader=yaml.SafeLoader)
         text = str(data)
         return text
 

diff --git a/autogpts/autogpt/autogpt/config/ai_directives.py b/autogpts/autogpt/autogpt/config/ai_directives.py
@@ -32,7 +32,7 @@ def from_file(prompt_settings_file: Path) -> "AIDirectives":
             raise RuntimeError(f"File validation failed: {message}")
 
         with open(prompt_settings_file, encoding="utf-8") as file:
-            config_params = yaml.load(file, Loader=yaml.FullLoader)
+            config_params = yaml.load(file, Loader=yaml.SafeLoader)
 
         return AIDirectives(
             constraints=config_params.get("constraints", []),

diff --git a/autogpts/autogpt/autogpt/config/ai_profile.py b/autogpts/autogpt/autogpt/config/ai_profile.py
@@ -35,7 +35,7 @@ def load(ai_settings_file: str | Path) -> "AIProfile":
 
         try:
             with open(ai_settings_file, encoding="utf-8") as file:
-                config_params = yaml.load(file, Loader=yaml.FullLoader) or {}
+                config_params = yaml.load(file, Loader=yaml.SafeLoader) or {}
         except FileNotFoundError:
             config_params = {}
 

diff --git a/autogpts/autogpt/autogpt/core/resource/model_providers/openai.py b/autogpts/autogpt/autogpt/core/resource/model_providers/openai.py
@@ -257,7 +257,7 @@ def get_model_access_kwargs(self, model: str) -> dict[str, str]:
 
     def load_azure_config(self, config_file: Path) -> None:
         with open(config_file) as file:
-            config_params = yaml.load(file, Loader=yaml.FullLoader) or {}
+            config_params = yaml.load(file, Loader=yaml.SafeLoader) or {}
 
         try:
             assert config_params.get(

diff --git a/autogpts/autogpt/autogpt/plugins/plugins_config.py b/autogpts/autogpt/autogpt/plugins/plugins_config.py
@@ -72,7 +72,7 @@ def deserialize_config_file(
             )
 
         with open(plugins_config_file, "r") as f:
-            plugins_config = yaml.load(f, Loader=yaml.FullLoader)
+            plugins_config = yaml.load(f, Loader=yaml.SafeLoader)
 
         plugins = {}
         for name, plugin in plugins_config.items():

diff --git a/autogpts/autogpt/autogpt/utils.py b/autogpts/autogpt/autogpt/utils.py
@@ -7,7 +7,7 @@
 def validate_yaml_file(file: str | Path):
     try:
         with open(file, encoding="utf-8") as fp:
-            yaml.load(fp.read(), Loader=yaml.FullLoader)
+            yaml.load(fp.read(), Loader=yaml.SafeLoader)
     except FileNotFoundError:
         return (False, f"The file {Fore.CYAN}`{file}`{Fore.RESET} wasn't found")
     except yaml.YAMLError as e:

diff --git a/autogpts/autogpt/tests/unit/test_plugins.py b/autogpts/autogpt/tests/unit/test_plugins.py
@@ -88,7 +88,7 @@ def test_create_base_config(config: Config):
 
     # Check the saved config file
     with open(config.plugins_config_file, "r") as saved_config_file:
-        saved_config = yaml.load(saved_config_file, Loader=yaml.FullLoader)
+        saved_config = yaml.load(saved_config_file, Loader=yaml.SafeLoader)
 
     assert saved_config == {
         "a": {"enabled": True, "config": {}},