Fix# 1982: Loading YAML Safely #1983

Merged: 5 commits, Jan 7, 2019
Conversation

krtkvrm (Member)

@krtkvrm krtkvrm commented Jan 5, 2019

Fixes: #1982

Updated PyYAML to 4.2b1

Prior to #74, yaml.load could run arbitrary Python when parsing YAML, by design. #74 changed this so that by default, load didn't run Python, and instead was an alias to safe_load. In this release, this was reverted, which means it's now a known security issue, hence the release of a security notice (CVE-2017-18342).
From: Security fix reported by github #243

Directly updated to 4.2b1 as 4.1 was retracted

Also, replaced yaml.load() with yaml.safe_load() in apps/challenges/views.py#L566

In PyYAML before 4.1, the yaml.load() API could execute arbitrary code. In other words, yaml.safe_load is not used.
From: National Vulnerability Database: CVE-2017-18342

Edit: This PyYAML 4.2 Release Plan acts on reverting the PR "Make pyyaml safe by default. #74", which is still not closed.

Make PR to revert #74 ( #194 )

The commit "Loading YAML Safely" in this PR deals with this.
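The distinction the description turns on is which loader constructs the document: the full loader knows the `!!python/*` tags and will build Python objects from them, while `SafeLoader` only knows the standard YAML types and refuses anything else. The following is an added example, not code from this PR or from EvalAI, that shows the two behaviours side by side on a constructed document carrying a harmless `!!python/tuple` tag, plus a stdlib-only pre-check that a service could use to log or reject tagged input before parsing. It assumes PyYAML is importable and that `yaml.Loader` and `yaml.safe_load` exist (they do in every PyYAML release).

```python
"""Added example (not part of the EvalAI PR): yaml.safe_load versus the full
loader on YAML that carries a Python-specific tag. Assumes PyYAML is installed."""
import re
import yaml

# Constructed sample inputs. PLAIN_DOC is the kind of challenge config the
# application expects; TAGGED_DOC smuggles in a python/* tag, which only the
# unsafe constructors know how to turn into an object.
PLAIN_DOC = "title: Demo challenge\nphases:\n  - dev\n  - test\n"
TAGGED_DOC = "title: Demo challenge\nextra: !!python/tuple [1, 2]\n"

# Any "!!python/" tag is a local-tag request for a Python constructor; a plain
# config file never needs one, so its presence is worth logging before parsing.
PYTHON_TAG = re.compile(r"!!python/")


def has_python_tags(text: str) -> bool:
    """Cheap, parser-independent pre-check on user-supplied YAML text."""
    return bool(PYTHON_TAG.search(text))


def load_yaml_safely(text: str):
    """Parse with SafeLoader (what the PR switches views.py to).

    Returns the plain data structure, or None when SafeLoader refuses a tag
    it has no constructor for (PyYAML raises a ConstructorError, a YAMLError).
    """
    try:
        return yaml.safe_load(text)
    except yaml.YAMLError:
        return None


def load_yaml_unsafely(text: str):
    """The pre-fix behaviour, for contrast only: the full Loader honours
    python/* tags and builds Python objects from untrusted input."""
    return yaml.load(text, Loader=yaml.Loader)


if __name__ == "__main__":
    print("pre-check flags tagged doc:", has_python_tags(TAGGED_DOC))
    print("safe_load, plain doc:", load_yaml_safely(PLAIN_DOC))
    print("safe_load, tagged doc:", load_yaml_safely(TAGGED_DOC))
    print("full loader, tagged doc:", load_yaml_unsafely(TAGGED_DOC))
```

Running it shows `safe_load` returning an ordinary dict for the plain document and `None` (a refused tag) for the tagged one, while the full loader quietly materialises the tuple. The pre-check is not a substitute for `safe_load`; it only gives a detection hook on input that should never contain such tags.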

@krtkvrm krtkvrm changed the title Fix# 1982: Fixing CVE-2017-18342 in PyYaml Fix# 1982: Loading YAML Safely Jan 5, 2019

krtkvrm (Member, Author) commented Jan 6, 2019

@RishabhJain2018 @deshraj Please Review

@RishabhJain2018 RishabhJain2018 (Member) left a comment

@vkartik97 This looks good though! Can you please add a link to the PR or the documentation in the description where it says PyYAML 4 loads the data safely by default.

@RishabhJain2018 RishabhJain2018 changed the title Fix# 1982: Loading YAML Safely [WIP] Fix# 1982: Loading YAML Safely Jan 7, 2019

krtkvrm (Member, Author) commented Jan 7, 2019

@RishabhJain2018

This PyYAML 4.2 Release Plan acts on reverting the PR "Make pyyaml safe by default. #74", which is still not closed.

Make PR to revert #74 ( #194 )

The commit "Loading YAML Safely" in this PR deals with this.

@krtkvrm krtkvrm changed the title [WIP] Fix# 1982: Loading YAML Safely Fix# 1982: Loading YAML Safely Jan 7, 2019
@RishabhJain2018 RishabhJain2018 (Member) left a comment

LGTM :)

@RishabhJain2018 RishabhJain2018 merged commit b3abc4e into Cloud-CV:master Jan 7, 2019
Ayukha pushed a commit to Ayukha/EvalAI that referenced this pull request Jan 8, 2019
Successfully merging this pull request may close these issues: Fix potential vulnerabilities due to outdated requirements