From a1ffe15142218705e4bf867fcddf701ae986f9c5 Mon Sep 17 00:00:00 2001
From: Matheus Oliveira <matheudev@gmail.com>
Date: Fri, 22 Mar 2024 10:45:07 -0300
Subject: security(agent): Replace unsafe `pyyaml` loader with `SafeLoader`
 (#7035)

Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
---
 autogpts/autogpt/autogpt/commands/file_operations_utils.py       | 2 +-
 autogpts/autogpt/autogpt/config/ai_directives.py                 | 2 +-
 autogpts/autogpt/autogpt/config/ai_profile.py                    | 2 +-
 autogpts/autogpt/autogpt/core/resource/model_providers/openai.py | 2 +-
 autogpts/autogpt/autogpt/plugins/plugins_config.py               | 2 +-
 autogpts/autogpt/autogpt/utils.py                                | 2 +-
 autogpts/autogpt/tests/unit/test_plugins.py                      | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/autogpts/autogpt/autogpt/commands/file_operations_utils.py b/autogpts/autogpt/autogpt/commands/file_operations_utils.py
index da65bafaa..e9dcae41b 100644
--- a/autogpts/autogpt/autogpt/commands/file_operations_utils.py
+++ b/autogpts/autogpt/autogpt/commands/file_operations_utils.py
@@ -68,7 +68,7 @@ class XMLParser(ParserStrategy):
 # Reading as dictionary and returning string format
 class YAMLParser(ParserStrategy):
     def read(self, file: BinaryIO) -> str:
-        data = yaml.load(file, Loader=yaml.FullLoader)
+        data = yaml.load(file, Loader=yaml.SafeLoader)
         text = str(data)
         return text
 
diff --git a/autogpts/autogpt/autogpt/config/ai_directives.py b/autogpts/autogpt/autogpt/config/ai_directives.py
index 6b5aa4375..5e2957ef3 100644
--- a/autogpts/autogpt/autogpt/config/ai_directives.py
+++ b/autogpts/autogpt/autogpt/config/ai_directives.py
@@ -32,7 +32,7 @@ class AIDirectives(BaseModel):
             raise RuntimeError(f"File validation failed: {message}")
 
         with open(prompt_settings_file, encoding="utf-8") as file:
-            config_params = yaml.load(file, Loader=yaml.FullLoader)
+            config_params = yaml.load(file, Loader=yaml.SafeLoader)
 
         return AIDirectives(
             constraints=config_params.get("constraints", []),
diff --git a/autogpts/autogpt/autogpt/config/ai_profile.py b/autogpts/autogpt/autogpt/config/ai_profile.py
index 970f8278c..3f0043c79 100644
--- a/autogpts/autogpt/autogpt/config/ai_profile.py
+++ b/autogpts/autogpt/autogpt/config/ai_profile.py
@@ -35,7 +35,7 @@ class AIProfile(BaseModel):
 
         try:
             with open(ai_settings_file, encoding="utf-8") as file:
-                config_params = yaml.load(file, Loader=yaml.FullLoader) or {}
+                config_params = yaml.load(file, Loader=yaml.SafeLoader) or {}
         except FileNotFoundError:
             config_params = {}
 
diff --git a/autogpts/autogpt/autogpt/core/resource/model_providers/openai.py b/autogpts/autogpt/autogpt/core/resource/model_providers/openai.py
index dfaa4ff03..69bfffb30 100644
--- a/autogpts/autogpt/autogpt/core/resource/model_providers/openai.py
+++ b/autogpts/autogpt/autogpt/core/resource/model_providers/openai.py
@@ -257,7 +257,7 @@ class OpenAICredentials(ModelProviderCredentials):
 
     def load_azure_config(self, config_file: Path) -> None:
         with open(config_file) as file:
-            config_params = yaml.load(file, Loader=yaml.FullLoader) or {}
+            config_params = yaml.load(file, Loader=yaml.SafeLoader) or {}
 
         try:
             assert config_params.get(
diff --git a/autogpts/autogpt/autogpt/plugins/plugins_config.py b/autogpts/autogpt/autogpt/plugins/plugins_config.py
index 0494b6e38..ad96d4a37 100644
--- a/autogpts/autogpt/autogpt/plugins/plugins_config.py
+++ b/autogpts/autogpt/autogpt/plugins/plugins_config.py
@@ -72,7 +72,7 @@ class PluginsConfig(BaseModel):
             )
 
         with open(plugins_config_file, "r") as f:
-            plugins_config = yaml.load(f, Loader=yaml.FullLoader)
+            plugins_config = yaml.load(f, Loader=yaml.SafeLoader)
 
         plugins = {}
         for name, plugin in plugins_config.items():
diff --git a/autogpts/autogpt/autogpt/utils.py b/autogpts/autogpt/autogpt/utils.py
index 4aa503a7b..18a7a6389 100644
--- a/autogpts/autogpt/autogpt/utils.py
+++ b/autogpts/autogpt/autogpt/utils.py
@@ -7,7 +7,7 @@ from colorama import Fore
 def validate_yaml_file(file: str | Path):
     try:
         with open(file, encoding="utf-8") as fp:
-            yaml.load(fp.read(), Loader=yaml.FullLoader)
+            yaml.load(fp.read(), Loader=yaml.SafeLoader)
     except FileNotFoundError:
         return (False, f"The file {Fore.CYAN}`{file}`{Fore.RESET} wasn't found")
     except yaml.YAMLError as e:
diff --git a/autogpts/autogpt/tests/unit/test_plugins.py b/autogpts/autogpt/tests/unit/test_plugins.py
index d7f57c91b..f180d92bc 100644
--- a/autogpts/autogpt/tests/unit/test_plugins.py
+++ b/autogpts/autogpt/tests/unit/test_plugins.py
@@ -88,7 +88,7 @@ def test_create_base_config(config: Config):
 
     # Check the saved config file
     with open(config.plugins_config_file, "r") as saved_config_file:
-        saved_config = yaml.load(saved_config_file, Loader=yaml.FullLoader)
+        saved_config = yaml.load(saved_config_file, Loader=yaml.SafeLoader)
 
     assert saved_config == {
         "a": {"enabled": True, "config": {}},
-- 
cgit v1.2.3