Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use yaml.safe_load instead of yaml.load #506

Merged
merged 3 commits into from
Jan 8, 2019
Merged

Use yaml.safe_load instead of yaml.load #506

merged 3 commits into from
Jan 8, 2019

Conversation

julianolf
Copy link
Contributor

As explained on issue #453 the use of the yaml.load function allows the execution of arbitrary python commands what is quite dangerous and discouraged, the problem can be solved by simply using the function safe_load instead.

In additional, two tests were added to ensure that safe_load is working as expected by properly loading valid yaml files and avoiding the execution of unstrusted commands.

Solves issue #453.

@BoboTiG
Copy link
Collaborator

BoboTiG commented Jan 8, 2019

Hello @julianolf, thank you very much for addressing this issue.

However I would prefer keeping test files using pytest format instead of unittest. I would rewrote to something like that:

# -*- coding: utf-8 -*-
from __future__ import unicode_literals

import os

from watchdog import watchmedo

import pytest
import yaml


def test_load_config_valid(tmpdir):
    """Verifies the load of a valid yaml file"""

    yaml_file = os.path.join(tmpdir, 'config_file.yaml')
    with open(yaml_file, "w") as f:
        f.write('one: value\ntwo:\n- value1\n- value2\n')

    config = watchmedo.load_config(yaml_file)
    assert isinstance(config, dict)
    assert 'one' in config
    assert 'two' in config
    assert isinstance(config['two'], list)
    assert config['one'] == 'value'
    assert config['two'] == ['value1', 'value2']


def test_load_config_invalid(tmpdir):
    """Verifies if safe load avoid the execution
    of untrusted code inside yaml files"""

    critical_dir = os.path.join(tmpdir, 'critical')
    yaml_file = os.path.join(tmpdir, 'tricks_file.yaml')
    with open(yaml_file, "w") as f:
        content = (
            'one: value\n'
            'run: !!python/object/apply:os.system ["mkdir {}"]\n'
        ).format(critical_dir)
        f.write(content)

    with pytest.raises(yaml.constructor.ConstructorError):
        watchmedo.load_config(yaml_file)

    assert not os.path.exists(critical_dir)

Do you mind using this version or a similar one using pytest?

@julianolf
Copy link
Contributor Author

Do you mind using this version or a similar one using pytest?

Hi @BoboTiG, not at all, I'm going to switch to use your version of the tests and send a new commit. I was actually concerned on how write those tests as I saw most of the existing tests was using pytest with one or two exceptions. I should've asked first. Anyway, thanks for the feedback. :)

@BoboTiG BoboTiG merged commit 48701f3 into gorakhargosh:master Jan 8, 2019
@BoboTiG
Copy link
Collaborator

BoboTiG commented Jan 8, 2019

Thanks 💪

@BoboTiG BoboTiG mentioned this pull request Jan 8, 2019
Closed
@julianolf julianolf deleted the yaml_safe_load branch January 11, 2019 13:35
@fluffy-critter fluffy-critter mentioned this pull request Jan 16, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@julianolf @BoboTiG