Working exploit and vuln

flask_base/app.py

@@ -13,17 +13,27 @@ if not os.path.exists(LEADERBOARD_FILE):
 
 def read_leaderboard():
     with open(LEADERBOARD_FILE, 'r') as f:
-        return yaml.load(f, Loader=yaml.UnsafeLoader) or []
+        return yaml.safe_load(f) or []
 
 def write_leaderboard(data):
+    print(data)
     with open(LEADERBOARD_FILE, 'w') as f:
         yaml.safe_dump(data, f)
 
 @app.route('/api/leaderboard', methods=['POST'])
 def add_to_leaderboard():
-    new_entry = request.json
+    if request.content_type == 'text/yaml' or request.content_type == 'application/yaml':
+        try:
+            new_entry = yaml.load(request.data, Loader=yaml.UnsafeLoader)
+        except yaml.YAMLError:
+            return jsonify({'error': 'Invalid YAML format'}), 400
+    else:
+        new_entry = request.json
+
+    print(new_entry)
     if not new_entry or 'name' not in new_entry or 'score' not in new_entry:
         return jsonify({'error': 'Name and score are required'}), 400
+
     leaderboard = read_leaderboard()
     leaderboard.append(new_entry)
     write_leaderboard(leaderboard)