Build: use safe_open for security reasons (#10165)

* Build: use `safe_open` for security reasons Use `safe_open` instead of global open for security reasons. * Remove outdated comments
readthedocs · Mar 20, 2023 · 5dab68d · 5dab68d
1 parent ed732c2
commit 5dab68d
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 4 deletions.
diff --git a/readthedocs/doc_builder/director.py b/readthedocs/doc_builder/director.py
@@ -7,6 +7,7 @@
 from django.utils.translation import gettext_lazy as _
 
 from readthedocs.builds.constants import EXTERNAL
+from readthedocs.core.utils.filesystem import safe_open
 from readthedocs.doc_builder.config import load_yaml_config
 from readthedocs.doc_builder.exceptions import BuildUserError
 from readthedocs.doc_builder.loader import get_builder_class
@@ -643,7 +644,7 @@ def store_readthedocs_build_yaml(self):
             return
 
         try:
-            with open(yaml_path, "r") as f:
+            with safe_open(yaml_path, "r") as f:
                 data = yaml.safe_load(f)
         except Exception:
             # NOTE: skip this work for now until we decide whether or not this

diff --git a/readthedocs/proxito/views/hosting.py b/readthedocs/proxito/views/hosting.py
@@ -26,12 +26,9 @@ def get(self, request):
         unresolved_domain = request.unresolved_domain
         project = unresolved_domain.project
 
-        # TODO: why the UnresolvedURL object is not injected in the `request` by the middleware.
-        # Is is fine to calculate it here?
         unresolved_url = unresolver.unresolve_url(url)
         version = unresolved_url.version
 
-        # TODO: use Referrer header or GET arguments for Version / Build
         project.get_default_version()
         build = version.builds.last()