
Use released version of PyYaml with safe_load
The beta version may include the security fix, but it causes
installation issues. Using safe_load is safe across PyYAML versions,
according to yaml/pyyaml#207.
sverch committed Mar 2, 2019
1 parent 422e145 commit c9ca67e
Showing 8 changed files with 31 additions and 21 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG
Expand Up @@ -5,6 +5,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]
### Changed
- Use old non prerelease PyYaml version but use safe_yaml for security.

## [0.0.8] - 2019-03-01
### Added
36 changes: 21 additions & 15 deletions Pipfile.lock


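--- a/cloudless/cli/service.py
+++ b/cloudless/cli/service.py
@@ -38,7 +38,7 @@ def service_create(ctx, network, name, blueprint, var_file=None, count=None):
 """
 if var_file:
 with open(var_file, 'r') as stream:
-var_file_contents = yaml.load(stream)
+var_file_contents = yaml.safe_load(stream)
 else:
 var_file_contents = {}
 network_object = get_network_for_cli(ctx, network)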
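Review bot: `yaml.safe_load(stream)` on the new line returns None for an empty or comment-only var file, so on that path `var_file_contents` is None while the `else` branch yields `{}`, and whatever consumes it later will fail differently depending on which branch ran. Consider `var_file_contents = yaml.safe_load(stream) or {}` so both paths hand back a mapping. The move to safe_load is the right call for a user-supplied file, since the default loader would construct arbitrary Python objects from tags in it. service_create continues outside the hunk, so I can't see how the value is consumed.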
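--- a/cloudless/profile.py
+++ b/cloudless/profile.py
@@ -22,7 +22,7 @@ def load(self):
 if not os.path.exists(self.config_path):
 return None
 with open(self.config_path, 'r') as config_file:
-return yaml.load(config_file)
+return yaml.safe_load(config_file)
 
 def save(self, config):
 """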
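Review bot: Unlike the other call sites in this commit, `return yaml.safe_load(config_file)` in load() is not wrapped in `try`/`except yaml.YAMLError`, so a malformed profile surfaces as a raw parser traceback instead of the logged error the blueprint and config loaders emit. If that is deliberate because the caller handles it, a one-line comment such as `# Parse errors propagate to the caller; the CLI reports them.` would make the asymmetry intentional rather than accidental. Note also that an empty profile file makes safe_load return None, which happens to coincide with the `return None` for a missing file, so callers presumably already handle None.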
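--- a/cloudless/util/blueprint.py
+++ b/cloudless/util/blueprint.py
@@ -29,7 +29,7 @@ class Blueprint:
 def __init__(self, blueprint, blueprint_path="./"):
 logger.debug("Creating blueprint from data: %s", blueprint)
 try:
-self.blueprint = yaml.load(blueprint)
+self.blueprint = yaml.safe_load(blueprint)
 except yaml.YAMLError as exc:
 logger.error("Error parsing blueprint: %s", exc)
 raise exc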
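Review bot: The `except yaml.YAMLError as exc:` handler under the changed line re-raises with `raise exc`; a bare `raise` is the idiomatic re-raise and preserves the original traceback on every Python version, and `logger.exception("Error parsing blueprint")` would record that traceback as well. Separately, safe_load rejects non-standard tags such as `!!python/...`, so any existing blueprint that relied on them now fails at this line — if that is possible it deserves a line in the CHANGELOG entry; I can't tell from the hunk what blueprints contain. The `__init__` body continues outside the hunk.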
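--- a/cloudless/util/blueprint_test_configuration.py
+++ b/cloudless/util/blueprint_test_configuration.py
@@ -19,7 +19,7 @@ class BlueprintTestConfiguration:
 def __init__(self, config):
 with open(config, 'r') as stream:
 try:
-self.config = yaml.load(stream)
+self.config = yaml.safe_load(stream)
 except yaml.YAMLError as exc:
 logger.error("Error parsing config: %s", exc)
 raise exc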
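Review bot: `self.config = yaml.safe_load(stream)` leaves `self.config` as None for an empty config file, and as a list or scalar for a file that is valid YAML but not a mapping; the `except yaml.YAMLError` branch catches none of those, so the failure would surface later as an AttributeError or TypeError far from the cause. If the config is expected to be a mapping (I can't confirm that from the hunk), validating right after the parse is cheap: `if not isinstance(self.config, dict): raise ValueError("Config %s must be a YAML mapping" % config)`. The `__init__` body continues outside the hunk.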
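--- a/cloudless/util/image_build_configuration.py
+++ b/cloudless/util/image_build_configuration.py
@@ -20,7 +20,7 @@ class ImageBuildConfiguration:
 def __init__(self, config):
 with open(config, 'r') as stream:
 try:
-self.config = yaml.load(stream)
+self.config = yaml.safe_load(stream)
 except yaml.YAMLError as exc:
 logger.error("Error parsing config: %s", exc)
 raise exc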
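Review bot: This is the third copy in the commit of the same open/safe_load/log/re-raise sequence (Blueprint and BlueprintTestConfiguration carry the other two), so a future loader fix means touching every copy again, which is exactly how one `yaml.load` slipped back in to begin with. A single helper in cloudless/util, say `load_yaml_file(path)`, would let each constructor become `self.config = load_yaml_file(config)`, and it is the one place to attach a regression test asserting that a document containing `!!python/object/apply:os.system` raises rather than executes. The `__init__` body continues outside the hunk.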
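--- a/setup.py
+++ b/setup.py
@@ -38,7 +38,9 @@
 REQUIRED = [
 'boto3>=1.9.39,<1.10.0',
 'botocore>=1.12.39,<1.13.0',
-'PyYaml>=4.2b1,<4.3',
+# This is vulnerable to https://github.com/yaml/pyyaml/issues/207, but unfortunately there's no
+# released version that fixes that at this moment. For now, use safe_load everywhere.
+'PyYaml>=3.13,<4.3',
 'jinja2>=2.10,<3.0',
 # This pytest dependency is only for the module tester. Perhaps this should
 # be a separate module eventually.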
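Review bot: The new comment `# This is vulnerable to ...` states the requirement is vulnerable, but the version range is not the problem — the default `yaml.load()` loader is, and after this commit the package only calls safe_load; I'd reword it to `# PyYaml 3.x's yaml.load() defaults to the unsafe Loader (yaml/pyyaml#207); this package must only ever call yaml.safe_load.` so the constraint on future code is explicit. Nothing in the dependency spec enforces that constraint, so a CI guard — bandit's B506 `yaml_load` check, or a plain grep for `yaml.load(` — is what actually prevents a new call site from reintroducing the issue. I'd also confirm no `yaml.load`/`yaml.load_all` remains outside the five sites in this commit (tests, docs, templates), since the comment promises "everywhere". When a release with a fixed default loader ships, tighten the lower bound and retire the comment.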
