Make pyyaml safe by default. #74
Conversation
Change yaml.load/yaml.dump to be yaml.safe_load/yaml.safe_dump, introduced yaml.danger_dump/yaml.danger_load, and the same for various other classes. (python2 only at this moment) Refs yaml#5
@sigmavirus24 I'd appreciate feedback on whether this looks correct to you -- and if it needs anything more. Once the py2 version looks good I'll apply the changes to the py3k versions of the code.
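The practical follow-up to a change like this is finding every `yaml.load` call in your own code base that still relies on the old default loader. The script below is an added example for this discussion, not code from pyyaml or from this PR: a standard-library `ast` audit that locates PyYAML loader calls and rates the loader they use (no `Loader` argument, `Loader`/`UnsafeLoader`, `FullLoader`, or `SafeLoader`/`safe_load`). It assumes the module is used as `import yaml`; the function names, the severity labels and `SAMPLE_SOURCE` are constructed for the demo, while the loader class names are pyyaml's real ones.

```python
"""Find PyYAML load calls in Python source and rate the loader they use.

Added example, not code from pyyaml or from this PR. Only the standard
library is needed, so it runs without pyyaml installed. Function names,
severity labels and SAMPLE_SOURCE are constructed for the demo; the
loader class names are pyyaml's own.
"""
import ast

# Loaders that construct arbitrary Python objects from !!python/* tags.
UNSAFE_LOADERS = {"Loader", "UnsafeLoader", "CLoader", "CUnsafeLoader"}
# FullLoader is safer than Loader but pyyaml does not intend it for untrusted input.
FULL_LOADERS = {"FullLoader", "CFullLoader"}
# Loaders that only build plain str/int/list/dict style values.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
SAFE_FUNCS = {"safe_load", "safe_load_all"}
LOAD_FUNCS = {"load", "load_all"}


def _dotted_name(node):
    """Return 'pkg.attr.attr' for a Name/Attribute chain, or None for other expressions."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))


def classify_call(call):
    """Rate one ast.Call: (severity, reason), or None if it is not a yaml loader call.

    Assumes `import yaml` usage (yaml.load, yaml.safe_load, ...);
    `from yaml import load` is out of scope for this demo.
    """
    name = _dotted_name(call.func)
    if name is None:
        return None
    module, _, func = name.rpartition(".")
    if module != "yaml":
        return None
    if func in SAFE_FUNCS:
        return ("ok", f"{func} always uses SafeLoader")
    if func not in LOAD_FUNCS:
        return None

    # The loader may be given as Loader=... or as the second positional argument.
    loader = None
    for kw in call.keywords:
        if kw.arg == "Loader":
            loader = _dotted_name(kw.value) or "<expression>"
    if loader is None and len(call.args) >= 2:
        loader = _dotted_name(call.args[1]) or "<expression>"

    if loader is None:
        # Before 4.1 the default was the full Loader (arbitrary object construction);
        # 5.1 deprecates the bare call and defaults to FullLoader; 6.0 requires Loader.
        return ("high", f"{func} without a Loader argument")
    short = loader.rpartition(".")[2]
    if short in UNSAFE_LOADERS:
        return ("high", f"{func} with {loader} constructs arbitrary Python objects")
    if short in FULL_LOADERS:
        return ("medium", f"{func} with {loader} is not meant for untrusted input")
    if short in SAFE_LOADERS:
        return ("ok", f"{func} with {loader}")
    return ("review", f"{func} with unrecognised loader {loader}")


def audit_source(source, filename="<string>"):
    """Parse `source` and return [(line, severity, reason), ...] sorted by line."""
    tree = ast.parse(source, filename)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            verdict = classify_call(node)
            if verdict is not None:
                findings.append((node.lineno, verdict[0], verdict[1]))
    return sorted(findings)


# Constructed sample module exercising each call style (line numbers matter for the report).
SAMPLE_SOURCE = """\
import yaml

def load_config(path):
    with open(path) as fh:
        return yaml.load(fh)

def load_feed(text):
    return yaml.load(text, Loader=yaml.UnsafeLoader)

def load_fixture(text):
    return yaml.load(text, yaml.FullLoader)

def load_untrusted(text):
    return yaml.safe_load(text)

def load_strict(text):
    return yaml.load(text, Loader=yaml.SafeLoader)
"""

if __name__ == "__main__":
    for line, severity, reason in audit_source(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{line}: [{severity}] {reason}")
```

Run it over real files by reading each `.py` into `audit_source`; anything rated `high` is the call this PR was written to remove, and `review` marks loaders the script cannot resolve statically (aliases, variables) that need a manual look.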
Go ahead with the Python 3 versions of the code. 🎉
You are the greatest @alex
This is a fantastic change! Probably the highlight of
This is the changelog https://github.com/yaml/pyyaml/blob/master/CHANGES
Thanks all. FYI, this issue was assigned CVE-2017-18342.
@alex 😻
- known vulnerability in version <4.1 [1] [1] yaml/pyyaml#74
Alex Gaynor (4):
      Make pyyaml safe by default.
      wtf, how did this typo happen
      Now, for py3k!
      Changes for 4.1 release

Andrey Somov (1):
      Remove redundant code in Scanner.peek_token()

Anthony Sottile (1):
      Install cython alongside tox

Daniel Beer (1):
      Allow colon in a plain scalar in a flow context (#45)

Donald Stufft (4):
      Add a tox.ini to run tests
      Ignore common build/runtime artifacts
      Add Travis Support
      Fallback to Pure Python if Compilation fails

Florian Bruhin (1):
      Import Hashable from collections.abc

Hugo (1):
      Test on Python 3.7-dev

Ian Cordasco (1):
      Install tox in a virtualenv

Ingy döt Net (6):
      Revert PR #150 per @asomov
      Changes for 4.01 release
      Reverting yaml/pyyaml#74
      Deprecate/warn usage of yaml.load(input)
      Update .travis.yml to use libyaml 0.2.2
      Updates for 5.1 release

Jakub Wilk (1):
      Fix typos

Jon Dufresne (5):
      Document and test Python 3.6 support
      Use Travis CI built in pip cache support
      Remove tox workaround for Travis CI
      Remove commented out Psyco code
      Include license file in the generated wheel package

Kirill Simonov (1):
      Added tag 3.12 for changeset 823acfc7b4ff

Matt Davis (2):
      Squash/merge pull request #105 from nnadeau/patch-1
      Windows Appveyor build

Peter Murphy (5):
      A change to a message
      First attack at pyyaml does not support literals in unicode over codepoint 0xffff #25
      Added emoticon test data files (which will probably break testing)
      Suspicious 'expected an exception' messages trimmed
      Reverting README to old copy

Timofei Bondarev (1):
      Improve RepresenterError creation

Tina Müller (7):
      Support escaped slash in double quotes "\/"
      Force cython when building sdist
      Build libyaml on travis
      Apply FullLoader/UnsafeLoader changes to lib3
      Allow to turn off sorting keys in Dumper
      Make default_flow_style=False
      Skip certain unicode tests when maxunicode not > 0xffff

hsmtkk (1):
      add 3.12 changelog

hugovk (1):
      Drop unsupported Python 3.3

psanchez (1):
      Resolves #57, update readme issues link

scauligi (1):
      Fix for bug yaml/pyyaml#118
* Add the utf-8 byte order marker to simplify issues with loading to Excel
* Brought tests suites inline with models.py, handle the utf-8 BOM, and expect bytes over the wire.
* Whoops. params where they should have been.
* Minor changes to cache invalidation to get rid of write access rqmt.
* ugh tests.
* get_cache should be type-hinting a str return, not bool. Also, I was returning both a datetime, or a str. Whoops.
* sigh. tests. remember the tests.
* - removed Beta banner - removed Bold links in some pages - add Terms and Conditions in footers
* - removed temporary Google Analytics - add Content Security Policy on header - moved some inline javascript call to a external file
* forgot one inline onclick javascript
* - implemented a whitelist for report names that can be call via the app URL. for now : only one report name is allowed : compliance
* - forgot one file
* build package for public app
* fix syntax errors
* fire new job names
* added logic to only display the donut for Public users
* forgot to remove bold for links for modal (How to read this table?)
* removed some unwanted space
* put back Beta Banner
* Minor tweaks to config to enable usage of Azure Managed Service Identities in combination with Azure KeyVault.
* this time with updated req's
* local ci would be great when you're sleep deprived.
* removed secret name out of code
* Removed headers due to duplication.. The upstream servers are also placing these headers, so removing from here.
* Security Update: pyyaml bump to pull in safe_load Fixes this yaml/pyyaml#74. Note we were already using safe_load.
* Security Update: pyyaml version bump yaml/pyyaml#74
* Paginate scroll to top
* add semi-colon
* - Implementation of Google Tag Manager GTM ID is stored in Environment variable called GOOGLE_TAG_MANAGER
* fix typo
* fix data-domain, can't use comma to enclose value, break if value have comma in domain name
* removed CSP policies from HTML header. CSP is now implemented on Nginx server.
* - some cleanup before merge to Master branch
* - to fix Alerts from LGTM
* Compatibility with kubernetes (cds-snc#127)
* Modification for deploying on k8s
* Small fix on dockerfile
* Added CI workflow file
* Ignore pip pinning in CI
* defer datatable render (cds-snc#129)
* Changed worker type and worker amount (cds-snc#130)
* Added PR review app configuration;
* Actually hit the right container
* Take 2
* Upgraded deps (cds-snc#132) Bump dependencies for pymongo and flask_pymongo. Fixes time based connection issues.
* Task default organizations (cds-snc#136)
* - set default view to Organizations instead of Domains - removed logic to public and internal view since now we will have same view for internal/public users
* - fix some accessibilities issues
* - put back role=row for TR. If not present, Mobile view doesnt display the green plus button in By Organizations page
* - for Accessibility : implement "Skip to main content" link at top of pages ( visible when Tab into focus)
* update content for the Guidance page (cds-snc#137)
https://bugs.gentoo.org/659348

It is reported that in PyYAML before 4.1, usage of yaml.load() function on untrusted input could lead to arbitrary code execution. It is therefore recommended to use yaml.safe_load() instead. With 4.1, yaml.load() has been changed to call safe_load().

* Report: http://seclists.org/oss-sec/2018/q2/240
* Upstream change: yaml/pyyaml#74
* CVE: pending

-- Gentoo Security Scout Vladimir Krstulja
Alex Gaynor (4):
      Make pyyaml safe by default.
      wtf, how did this typo happen
      Now, for py3k!
      Changes for 4.1 release

Andrey Somov (1):
      Remove redundant code in Scanner.peek_token()

Anthony Sottile (1):
      Install cython alongside tox

Daniel Beer (1):
      Allow colon in a plain scalar in a flow context (#45)

Donald Stufft (4):
      Add a tox.ini to run tests
      Ignore common build/runtime artifacts
      Add Travis Support
      Fallback to Pure Python if Compilation fails

Florian Bruhin (1):
      Import Hashable from collections.abc

Hugo (1):
      Test on Python 3.7-dev

Ian Cordasco (1):
      Install tox in a virtualenv

Ingy döt Net (6):
      Revert PR #150 per @asomov
      Changes for 4.01 release
      Reverting yaml/pyyaml#74
      Deprecate/warn usage of yaml.load(input)
      Update .travis.yml to use libyaml 0.2.2
      Updates for 5.1 release

Jakub Wilk (1):
      Fix typos

Jon Dufresne (5):
      Document and test Python 3.6 support
      Use Travis CI built in pip cache support
      Remove tox workaround for Travis CI
      Remove commented out Psyco code
      Include license file in the generated wheel package

Kirill Simonov (1):
      Added tag 3.12 for changeset 823acfc7b4ff

Matt Davis (4):
      Squash/merge pull request #105 from nnadeau/patch-1
      Windows Appveyor build
      changes for 5.1.1 release
      changes for 5.1.2 release

Peter Murphy (5):
      A change to a message
      First attack at pyyaml does not support literals in unicode over codepoint 0xffff #25
      Added emoticon test data files (which will probably break testing)
      Suspicious 'expected an exception' messages trimmed
      Reverting README to old copy

Timofei Bondarev (1):
      Improve RepresenterError creation

Tina Müller (7):
      Support escaped slash in double quotes "\/"
      Force cython when building sdist
      Build libyaml on travis
      Apply FullLoader/UnsafeLoader changes to lib3
      Allow to turn off sorting keys in Dumper
      Make default_flow_style=False
      Skip certain unicode tests when maxunicode not > 0xffff

hsmtkk (1):
      add 3.12 changelog

hugovk (1):
      Drop unsupported Python 3.3

psanchez (1):
      Resolves #57, update readme issues link

scauligi (1):
      Fix for bug yaml/pyyaml#118
- Update from 3.13 to 6.0
- Update of rootfile
- Changelog

6.0 (2021-10-13)

* yaml/pyyaml#327 -- Change README format to Markdown
* yaml/pyyaml#483 -- Add a test for YAML 1.1 types
* yaml/pyyaml#497 -- fix float resolver to ignore `.` and `._`
* yaml/pyyaml#550 -- drop Python 2.7
* yaml/pyyaml#553 -- Fix spelling of "hexadecimal"
* yaml/pyyaml#556 -- fix representation of Enum subclasses
* yaml/pyyaml#557 -- fix libyaml extension compiler warnings
* yaml/pyyaml#560 -- fix ResourceWarning on leaked file descriptors
* yaml/pyyaml#561 -- always require `Loader` arg to `yaml.load()`
* yaml/pyyaml#564 -- remove remaining direct distutils usage

5.4.1 (2021-01-20)

* yaml/pyyaml#480 -- Fix stub compat with older pyyaml versions that may unwittingly load it

5.4 (2021-01-19)

* yaml/pyyaml#407 -- Build modernization, remove distutils, fix metadata, build wheels, CI to GHA
* yaml/pyyaml#472 -- Fix for CVE-2020-14343, moves arbitrary python tags to UnsafeLoader
* yaml/pyyaml#441 -- Fix memory leak in implicit resolver setup
* yaml/pyyaml#392 -- Fix py2 copy support for timezone objects
* yaml/pyyaml#378 -- Fix compatibility with Jython

5.3.1 (2020-03-18)

* yaml/pyyaml#386 -- Prevents arbitrary code execution during python/object/new constructor

5.3 (2020-01-06)

* yaml/pyyaml#290 -- Use `is` instead of equality for comparing with `None`
* yaml/pyyaml#270 -- Fix typos and stylistic nit
* yaml/pyyaml#309 -- Fix up small typo
* yaml/pyyaml#161 -- Fix handling of __slots__
* yaml/pyyaml#358 -- Allow calling add_multi_constructor with None
* yaml/pyyaml#285 -- Add use of safe_load() function in README
* yaml/pyyaml#351 -- Fix reader for Unicode code points over 0xFFFF
* yaml/pyyaml#360 -- Enable certain unicode tests when maxunicode not > 0xffff
* yaml/pyyaml#359 -- Use full_load in yaml-highlight example
* yaml/pyyaml#244 -- Document that PyYAML is implemented with Cython
* yaml/pyyaml#329 -- Fix for Python 3.10
* yaml/pyyaml#310 -- Increase size of index, line, and column fields
* yaml/pyyaml#260 -- Remove some unused imports
* yaml/pyyaml#163 -- Create timezone-aware datetimes when parsed as such
* yaml/pyyaml#363 -- Add tests for timezone

5.2 (2019-12-02)

* Repair incompatibilities introduced with 5.1. The default Loader was changed, but several methods like add_constructor still used the old default
  yaml/pyyaml#279 -- A more flexible fix for custom tag constructors
  yaml/pyyaml#287 -- Change default loader for yaml.add_constructor
  yaml/pyyaml#305 -- Change default loader for add_implicit_resolver, add_path_resolver
* Make FullLoader safer by removing python/object/apply from the default FullLoader
  yaml/pyyaml#347 -- Move constructor for object/apply to UnsafeConstructor
* Fix bug introduced in 5.1 where quoting went wrong on systems with sys.maxunicode <= 0xffff
  yaml/pyyaml#276 -- Fix logic for quoting special characters
* Other PRs:
  yaml/pyyaml#280 -- Update CHANGES for 5.1

5.1.2 (2019-07-30)

* Re-release of 5.1 with regenerated Cython sources to build properly for Python 3.8b2+

5.1.1 (2019-06-05)

* Re-release of 5.1 with regenerated Cython sources to build properly for Python 3.8b1

5.1 (2019-03-13)

* yaml/pyyaml#35 -- Some modernization of the test running
* yaml/pyyaml#42 -- Install tox in a virtualenv
* yaml/pyyaml#45 -- Allow colon in a plain scalar in a flow context
* yaml/pyyaml#48 -- Fix typos
* yaml/pyyaml#55 -- Improve RepresenterError creation
* yaml/pyyaml#59 -- Resolves #57, update readme issues link
* yaml/pyyaml#60 -- Document and test Python 3.6 support
* yaml/pyyaml#61 -- Use Travis CI built in pip cache support
* yaml/pyyaml#62 -- Remove tox workaround for Travis CI
* yaml/pyyaml#63 -- Adding support to Unicode characters over codepoint 0xffff
* yaml/pyyaml#75 -- add 3.12 changelog
* yaml/pyyaml#76 -- Fallback to Pure Python if Compilation fails
* yaml/pyyaml#84 -- Drop unsupported Python 3.3
* yaml/pyyaml#102 -- Include license file in the generated wheel package
* yaml/pyyaml#105 -- Removed Python 2.6 & 3.3 support
* yaml/pyyaml#111 -- Remove commented out Psyco code
* yaml/pyyaml#129 -- Remove call to `ord` in lib3 emitter code
* yaml/pyyaml#149 -- Test on Python 3.7-dev
* yaml/pyyaml#158 -- Support escaped slash in double quotes "\/"
* yaml/pyyaml#175 -- Updated link to pypi in release announcement
* yaml/pyyaml#181 -- Import Hashable from collections.abc
* yaml/pyyaml#194 -- Reverting yaml/pyyaml#74
* yaml/pyyaml#195 -- Build libyaml on travis
* yaml/pyyaml#196 -- Force cython when building sdist
* yaml/pyyaml#254 -- Allow to turn off sorting keys in Dumper (2)
* yaml/pyyaml#256 -- Make default_flow_style=False
* yaml/pyyaml#257 -- Deprecate yaml.load and add FullLoader and UnsafeLoader classes
* yaml/pyyaml#261 -- Skip certain unicode tests when maxunicode not > 0xffff
* yaml/pyyaml#263 -- Windows Appveyor build

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>