Summary
In numbast/src/numbast/experimental/mlir/tools/static_binding_generator.py, the custom YAML tag !numbast_join is registered on the global yaml.Loader (the full, unsafe loader) via yaml.add_constructor, and both yaml.load call sites pass yaml.Loader as the loader class.
The YAML files loaded here are controlled config files rather than arbitrary user input, so the exposure is limited, but yaml.Loader resolves tags such as !!python/object/apply into arbitrary Python calls, meaning anyone who can edit or supply a config file gets code execution inside the generator. Registering the tag globally also makes every other yaml.Loader user in the process understand !numbast_join. Both are latent security and correctness risks that should be addressed.
Affected locations
- Line 46:
yaml.add_constructor("!numbast_join", string_constructor) — registers on the global unsafe loader
- Lines 59–60:
yaml.load(f, yaml.Loader) in _cfg_path_uses_mlir_backend
- Lines 262–264:
yaml.load(f, yaml.Loader) in Config.from_yaml_path
Proposed fix
Define a SafeLoader subclass and register the custom constructor on it only:
import yaml

class NumbastConfigLoader(yaml.SafeLoader):
    pass  # SafeLoader plus the !numbast_join tag registered below

# string_constructor is the module's existing constructor; register it on the subclass only
NumbastConfigLoader.add_constructor("!numbast_join", string_constructor)
Then update all yaml.load call sites to use Loader=NumbastConfigLoader.
References
/cc @isVoid