Summary
The YAML test runner in policyengine-core uses the same unsafe loader path when collecting YAML tests.
Severity
Medium
Impact
If TaxBenefitSystem.test() or the YAML runner is pointed at untrusted YAML, arbitrary Python object construction (via tags such as !!python/object/apply) can happen during test collection, before any test is executed.
Affected code
policyengine_core/tools/test_runner.py:30-44
policyengine_core/tools/test_runner.py:119-122
Details
The runner imports CLoader as Loader and passes it to yaml.load(...) when collecting YAML tests. CLoader is the libyaml-backed equivalent of yaml.Loader, the full (unsafe) loader, so any python/* tag in a test file is resolved and executed at parse time.
Expected behavior
Untrusted test YAML should be parsed with a safe loader.
Suggested remediation
- Switch the runner to CSafeLoader/SafeLoader
- Add a regression test for unsafe object tags
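The following example, added here and not part of policyengine-core, contrasts the vulnerable loader choice with the remediated one and shows what the requested regression test would assert. The test file contents are constructed for the example; the hostile entry uses a deliberately harmless constructor (builtins.len) so the effect is observable without side effects.

```python
"""Unsafe vs. safe YAML loading, as used by a YAML test runner.

Added example; not policyengine-core's own code.
"""
import yaml

# Mirrors the runner's import: the libyaml-backed full loader when available,
# otherwise the pure-Python equivalent. Both construct arbitrary Python objects
# from !!python/* tags.
UnsafeLoader = getattr(yaml, "CLoader", yaml.Loader)

# The remediation: the C-accelerated safe loader, falling back to SafeLoader.
SafeLoader = getattr(yaml, "CSafeLoader", yaml.SafeLoader)

# Constructed sample test file in the shape of a YAML test (name/period/input/output).
BENIGN_TESTS = """\
- name: benign test
  period: 2024
  input:
    age: 30
  output:
    is_adult: true
"""

# Constructed hostile entry: the full loader imports 'builtins' and calls
# len("abcd") while the file is being parsed, i.e. during test collection.
HOSTILE_ENTRY = """\
- name: hostile test
  period: 2024
  input:
    age: !!python/object/apply:builtins.len ["abcd"]
  output: {}
"""

HOSTILE_TESTS = BENIGN_TESTS + HOSTILE_ENTRY


def collect_tests_unsafe(text):
    """The vulnerable pattern: yaml.load with the full (C)Loader."""
    return yaml.load(text, Loader=UnsafeLoader)


def collect_tests_safe(text):
    """The fixed pattern: same call, safe loader. Raises yaml.YAMLError
    (a ConstructorError) on any tag the safe constructor does not know,
    which includes every !!python/* tag."""
    return yaml.load(text, Loader=SafeLoader)


def contains_unsafe_tags(text):
    """Regression check: True if the document needs constructors the safe
    loader rejects. A test can assert this is False for every shipped test
    file and True for a fixture carrying an object tag."""
    try:
        yaml.load(text, Loader=SafeLoader)
    except yaml.YAMLError:
        return True
    return False


if __name__ == "__main__":
    unsafe = collect_tests_unsafe(HOSTILE_TESTS)
    print("unsafe loader evaluated the tag to:", unsafe[1]["input"]["age"])
    print("safe loader rejects the hostile file:", contains_unsafe_tags(HOSTILE_TESTS))
    print("benign file still loads:", collect_tests_safe(BENIGN_TESTS)[0]["name"])
```

The safe loader change is a one-line swap in the runner; the benign document loads identically under both loaders, which is the property the regression test should pin down alongside the rejection of the tagged fixture.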