security(agent): Replace unsafe pyyaml loader with SafeLoader (#7035)

Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
2025-12-17 14:04:27 +01:00 · 2024-03-22 10:45:07 -03:00
parent 30bc761391
commit a1ffe15142
7 changed files with 7 additions and 7 deletions
--- a/autogpts/autogpt/autogpt/commands/file_operations_utils.py
+++ b/autogpts/autogpt/autogpt/commands/file_operations_utils.py
@@ -68,7 +68,7 @@ class XMLParser(ParserStrategy):
 # Reading as dictionary and returning string format
 class YAMLParser(ParserStrategy):
    def read(self, file: BinaryIO) -> str:
-        data = yaml.load(file, Loader=yaml.FullLoader)
+        data = yaml.load(file, Loader=yaml.SafeLoader)
        text = str(data)
        return text

--- a/autogpts/autogpt/autogpt/config/ai_directives.py
+++ b/autogpts/autogpt/autogpt/config/ai_directives.py
@@ -32,7 +32,7 @@ class AIDirectives(BaseModel):
            raise RuntimeError(f"File validation failed: {message}")

        with open(prompt_settings_file, encoding="utf-8") as file:
-            config_params = yaml.load(file, Loader=yaml.FullLoader)
+            config_params = yaml.load(file, Loader=yaml.SafeLoader)

        return AIDirectives(
            constraints=config_params.get("constraints", []),
--- a/autogpts/autogpt/autogpt/config/ai_profile.py
+++ b/autogpts/autogpt/autogpt/config/ai_profile.py
@@ -35,7 +35,7 @@ class AIProfile(BaseModel):

        try:
            with open(ai_settings_file, encoding="utf-8") as file:
-                config_params = yaml.load(file, Loader=yaml.FullLoader) or {}
+                config_params = yaml.load(file, Loader=yaml.SafeLoader) or {}
        except FileNotFoundError:
            config_params = {}

--- a/autogpts/autogpt/autogpt/core/resource/model_providers/openai.py
+++ b/autogpts/autogpt/autogpt/core/resource/model_providers/openai.py
@@ -257,7 +257,7 @@ class OpenAICredentials(ModelProviderCredentials):

    def load_azure_config(self, config_file: Path) -> None:
        with open(config_file) as file:
-            config_params = yaml.load(file, Loader=yaml.FullLoader) or {}
+            config_params = yaml.load(file, Loader=yaml.SafeLoader) or {}

        try:
            assert config_params.get(
--- a/autogpts/autogpt/autogpt/plugins/plugins_config.py
+++ b/autogpts/autogpt/autogpt/plugins/plugins_config.py
@@ -72,7 +72,7 @@ class PluginsConfig(BaseModel):
            )

        with open(plugins_config_file, "r") as f:
-            plugins_config = yaml.load(f, Loader=yaml.FullLoader)
+            plugins_config = yaml.load(f, Loader=yaml.SafeLoader)

        plugins = {}
        for name, plugin in plugins_config.items():
--- a/autogpts/autogpt/autogpt/utils.py
+++ b/autogpts/autogpt/autogpt/utils.py
@@ -7,7 +7,7 @@ from colorama import Fore
 def validate_yaml_file(file: str | Path):
    try:
        with open(file, encoding="utf-8") as fp:
-            yaml.load(fp.read(), Loader=yaml.FullLoader)
+            yaml.load(fp.read(), Loader=yaml.SafeLoader)
    except FileNotFoundError:
        return (False, f"The file {Fore.CYAN}`{file}`{Fore.RESET} wasn't found")
    except yaml.YAMLError as e:
--- a/autogpts/autogpt/tests/unit/test_plugins.py
+++ b/autogpts/autogpt/tests/unit/test_plugins.py
@@ -88,7 +88,7 @@ def test_create_base_config(config: Config):

    # Check the saved config file
    with open(config.plugins_config_file, "r") as saved_config_file:
-        saved_config = yaml.load(saved_config_file, Loader=yaml.FullLoader)
+        saved_config = yaml.load(saved_config_file, Loader=yaml.SafeLoader)

    assert saved_config == {
        "a": {"enabled": True, "config": {}},