PyYAML is the standard YAML library for Python. `yaml.load()` called with `Loader=yaml.Loader` or `Loader=yaml.UnsafeLoader` (and, in PyYAML before 5.1, with no `Loader` argument at all, because the unsafe `Loader` was the default) honours `!!python/...` tags: it imports modules, instantiates arbitrary classes and calls arbitrary callables named in the document, so it is an RCE sink on untrusted input. `yaml.unsafe_load()` is the same sink under another name. Use `yaml.safe_load()` or `Loader=yaml.SafeLoader` instead.
Methods covered: `.safe_load()`, `.safe_load_all()`, `.load()`, `.load_all()`, `.full_load()`

- `.load()` (Sink): `yaml.load(stream, Loader) -> Any`
  Deserializes a single YAML document. RCE sink when `Loader` is `yaml.Loader` or `yaml.UnsafeLoader`.
- `.load_all()` (Sink): `yaml.load_all(stream, Loader) -> Iterator[Any]`
  Deserializes multiple YAML documents lazily from one stream. Each document is constructed with the same `Loader`, so the RCE risk is identical to `load()`.
- `.full_load()` (Sink): `yaml.full_load(stream) -> Any`
  Uses `FullLoader`: safer than `Loader`, but it still constructs some `!!python/` tags (for example `python/name` and `python/module`), and in PyYAML 5.1 through 5.3.1 it could be driven to arbitrary code execution (CVE-2020-1747, CVE-2020-14343). Prefer `safe_load`.
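The following is an added example, not code from codepathfinder or from PyYAML itself. It shows the three behaviours listed above on one constructed attacker document: `yaml.Loader` executes the callable named in a `!!python/object/apply` tag (here the harmless `os.getpid`, where a real payload would name `os.system`), `safe_load` rejects the tag with a `ConstructorError`, and `full_load` either blocks it (PyYAML 5.4 and later) or executes it (5.1 through 5.3.1). It also shows the allow-list pattern for code that genuinely needs custom tags: subclass `SafeLoader` and register exactly one constructor. The `!port` tag, `PortLoader`, `MALICIOUS_DOC` and `CONFIG_DOC` are all assumptions made up for the example.

```python
"""Added example (not codepathfinder's or PyYAML's own code): why yaml.load
with yaml.Loader is an RCE sink, that safe_load blocks the same document,
and how to extend SafeLoader with a single allow-listed tag."""
import os

import yaml
from yaml.constructor import ConstructorError

# Constructed attacker-controlled document. The tag tells the unsafe
# constructor to import os and call os.getpid() with no arguments; a real
# payload would name os.system or subprocess.check_output instead.
MALICIOUS_DOC = "!!python/object/apply:os.getpid []\n"

# Constructed benign config using a hypothetical application-specific tag.
CONFIG_DOC = "listen: !port 8443\n"


def load_with_unsafe_loader(doc: str):
    """yaml.Loader (like yaml.UnsafeLoader) honours !!python/object/apply."""
    return yaml.load(doc, Loader=yaml.Loader)


def unsafe_loader_executes_callable() -> bool:
    # The parser, not our code, called os.getpid(): proof of an arbitrary call.
    return load_with_unsafe_loader(MALICIOUS_DOC) == os.getpid()


def classify(loader_fn, doc: str) -> str:
    """'executed' if the loader ran the callable, 'blocked' if it refused the
    tag with a ConstructorError, 'other' for any other return value."""
    try:
        result = loader_fn(doc)
    except ConstructorError:
        return "blocked"
    return "executed" if result == os.getpid() else "other"


def safe_load_result() -> str:
    # SafeConstructor has no constructor for python/ tags at all.
    return classify(yaml.safe_load, MALICIOUS_DOC)


def full_load_result() -> str:
    # PyYAML 5.1-5.3.1 executed this under FullLoader (CVE-2020-1747,
    # CVE-2020-14343); 5.4+ moved python/object/apply to UnsafeLoader.
    return classify(yaml.full_load, MALICIOUS_DOC)


class PortLoader(yaml.SafeLoader):
    """SafeLoader plus one explicit constructor: the allow-list pattern.

    Unknown tags still fail, because nothing here adds a wildcard for
    python/ tags; only the hypothetical '!port' tag gains a constructor."""


def _construct_port(loader: yaml.SafeLoader, node: yaml.Node) -> int:
    value = int(loader.construct_scalar(node))
    if not 0 < value < 65536:
        raise ValueError(f"port out of range: {value}")
    return value


# add_constructor on the subclass copies the table, so SafeLoader itself
# is left untouched.
PortLoader.add_constructor("!port", _construct_port)


def load_config(doc: str) -> dict:
    return yaml.load(doc, Loader=PortLoader)


def port_loader_blocks_python_tags() -> bool:
    return classify(load_config, MALICIOUS_DOC) == "blocked"


if __name__ == "__main__":
    print("yaml.Loader executed os.getpid():", unsafe_loader_executes_callable())
    print("safe_load:", safe_load_result())
    print("full_load:", full_load_result())
    print("PortLoader config:", load_config(CONFIG_DOC))
    print("PortLoader blocks python tags:", port_loader_blocks_python_tags())
```

Run it against the installed PyYAML to see which branch `full_load` takes; on any version, `safe_load` and `PortLoader` refuse the document, which is the behaviour the rule above is checking for in application code.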
| FQN | Field |
|---|---|
| yaml | fqns[0] |

A wrong FQN yields 0 findings. Negative check: change `fqns` to a garbage value and re-run; the rule must then produce 0 results, which confirms that the matches are driven by the FQN and not by something else.
```python
from codepathfinder.go_rule import PyYaml
```