From 9c2d91e932e6ca15c3c1072e6b5877c39a89d128 Mon Sep 17 00:00:00 2001
From: "allan.silva"
Date: Sun, 31 Mar 2019 01:34:06 -0300
Subject: [PATCH] Fix pyyaml security issues (#57)
* Fix security issues
* Fix security issues - bump version
---
 .bumpversion.cfg | 2 +-
 setup.py | 2 +-
 specsynthase/specbuilder.py | 2 +-
 tests/test_specsynthase.py | 10 +++++++---
 4 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index 85d47d7..28cff86 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.1.9
+current_version = 0.1.10
 [bumpversion:file:setup.py]
diff --git a/setup.py b/setup.py
index bd88e01..2ffbe1b 100644
--- a/setup.py
+++ b/setup.py
@@ -28,7 +28,7 @@ def get_requirements(req_file):
 setup(
 name='spec-synthase',
- version='0.1.9',
+ version='0.1.10',
 license='MPL2',
 description='spec-synthase is a tool to help deal with big swagger files, by building the swagger specification files from little spec files. ',
 long_description=read('README.rst'),
diff --git a/specsynthase/specbuilder.py b/specsynthase/specbuilder.py
index c55b858..bde9b22 100644
--- a/specsynthase/specbuilder.py
+++ b/specsynthase/specbuilder.py
@@ -10,7 +10,7 @@ def __init__(self, *args, **kwargs):
 def _load_spec(self, file_name):
 with open(file_name, 'r') as spec_file:
- return yaml.load(spec_file)
+ return yaml.load(spec_file, Loader=yaml.FullLoader)
 def _merge_part(self, key, part_dict):
 if part_dict:
diff --git a/tests/test_specsynthase.py b/tests/test_specsynthase.py
index 3a020d2..476a994 100644
--- a/tests/test_specsynthase.py
+++ b/tests/test_specsynthase.py
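Review bot: FullLoader is an improvement over the bare `yaml.load` in `_load_spec`, but it still constructs Python objects for a subset of the `!!python/*` tags, so a spec file that does not come from a trusted checkout is still parsed with more power than plain YAML data needs; `return yaml.safe_load(spec_file)` restricts loading to standard YAML types and is the loader PyYAML documents for input you do not control. The same choice applies to the three `yaml.load(..., Loader=yaml.FullLoader)` calls in the tests/test_specsynthase.py hunks, which should use whatever loader the library settles on so the tests exercise the production path. If a custom tag is ever required, registering a constructor on a SafeLoader subclass keeps the allowed set explicit instead of widening the loader. `_merge_part` begins in this hunk and continues outside it.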
@@ -19,7 +19,9 @@ def _check_dicts(l, r):
 def test_build_fluent():
 base_dir = _get_base_dir()
- full = yaml.load(open(path.join(base_dir, "full.yml")).read())
+ full = yaml.load(
+ open(path.join(base_dir, "full.yml")).read(),
+ Loader=yaml.FullLoader)
 spec = SpecBuilder().add_spec(path.join(base_dir, "security.yml"))\
 .add_spec(path.join(base_dir, "base.yml"))\
 .add_spec(path.join(base_dir, "definitions.yml"))\
@@ -39,7 +41,9 @@ def test_build_existing_key():
 def test_dump():
 base_dir = _get_base_dir()
 parts = ["base.yml", "definitions.yml", "paths.yml", "security.yml"]
- full = yaml.load(open(path.join(base_dir, "full.yml")).read())
+ full = yaml.load(
+ open(path.join(base_dir, "full.yml")).read(),
+ Loader=yaml.FullLoader)
 spec = SpecBuilder()
 for p in parts:
@@ -47,7 +51,7 @@ def test_dump():
 # Dumping and reloading the yaml is slow, but we can't compare dumped
 # strings because of potential key ordering differences.
- assert full == yaml.load(spec.dump())
+ assert full == yaml.load(spec.dump(), Loader=yaml.FullLoader)
 def test_validation_fail():
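Review bot: The rewritten `full = yaml.load(open(path.join(base_dir, "full.yml")).read(), Loader=yaml.FullLoader)` in test_build_fluent still never closes the file handle it opens, and the identical lines in test_dump have the same leak; since the call is being restructured anyway, a context manager closes the file and lets yaml read the stream directly: `with open(path.join(base_dir, "full.yml")) as f:` / `full = yaml.load(f, Loader=yaml.FullLoader)`. That also mirrors how `_load_spec` in specsynthase/specbuilder.py opens its input, so the test reads the fixture the same way the library does. The `.add_spec` chain in test_build_fluent and the loop body in test_dump continue outside their hunks.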