fixed Arbitrary Code Execution in httprunner

[B3EF]

📊 Metadata *

Fixed Arbitrary code execution

Bounty URL:https://www.huntr.dev/bounties/1-pip-httprunner/

⚙️ Description *

HttpRunner is a simple & elegant, yet powerful HTTP(S) testing framework.

💻 Technical Description *

changed the unsafe loader to safe loader

🐛 Proof of Concept (PoC) *

🔥 Proof of Fix (PoF) *

👍 User Acceptance Testing (UAT)

payload dosn't work after the fix

[huntr-helper]

👋 Hello, @debugtalk - @B3EF has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above.

Ultimately, you get to decide if the fix is 👍 or 👎. If you are happy with the fix, please write a new comment (@huntr-helper - LGTM) and we will open a PR to your repository with the fix. All remaining PRs for this vulnerability will be automatically closed.

If you have any questions or need support, come and join us on our community Discord!

@debugtalk & @B3EF - thank you for your efforts in securing the world’s open source code! 🎉

[Anon-Artist]

@debugtalk you can read the pdf below for more information
https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf?utm_source=dlvr.it&utm_medium=twitter