Merge pull request #917 from vnitinv/master

upgrade pyyaml as per CVE-2017-18342
Juniper · Mar 19, 2019 · 96a647b · 96a647b
2 parents 2098052 + 6c82002
commit 96a647b
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 18 deletions.
diff --git a/lib/jnpr/junos/factory/__init__.py b/lib/jnpr/junos/factory/__init__.py
@@ -30,4 +30,4 @@ def loadyaml(path):
     # if no extension is given, default to '.yml'
     if os.path.splitext(path)[1] == '':
         path += '.yml'
-    return FactoryLoader().load(yaml.load(open(path, 'r')))
+    return FactoryLoader().load(yaml.load(open(path, 'r'), Loader=yaml.FullLoader))
diff --git a/requirements.txt b/requirements.txt
@@ -3,7 +3,7 @@ ncclient>=0.5.4
 paramiko>=1.15.2
 scp>=0.7.0
 jinja2>=2.7.1
-PyYAML<=3.13
+PyYAML>=5.1
 netaddr
 six
 pyserial
diff --git a/tests/unit/factory/test_cfgtable.py b/tests/unit/factory/test_cfgtable.py
@@ -53,7 +53,7 @@
         args_key: name
         options: {}
       """
-globals().update(FactoryLoader().load(yaml.load(yaml_data)))
+globals().update(FactoryLoader().load(yaml.load(yaml_data, Loader=yaml.FullLoader)))
 
 yaml_bgp_data = \
     """---
@@ -79,7 +79,7 @@
       neigh      : name
    """
 
-globals().update(FactoryLoader().load(yaml.load(yaml_bgp_data)))
+globals().update(FactoryLoader().load(yaml.load(yaml_bgp_data, Loader=yaml.FullLoader)))
 
 
 @attr('unit')
@@ -231,7 +231,7 @@ def test_cfgtable_set_inactive(self, mock_execute):
               fields_auth:
                 password: user/encrypted-password
            """
-        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data)))
+        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data, Loader=yaml.FullLoader)))
         at = UserConfigTable1(self.dev)
         at.rpc.lock_configuration = MagicMock()
         at.username = 'user1'
@@ -264,7 +264,7 @@ def test_cfgtable_set_bool(self, mock_execute):
               fields_auth:
                 password: user/encrypted-password
            """
-        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data)))
+        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data, Loader=yaml.FullLoader)))
         at = UserConfigTable1(self.dev)
         at.rpc.lock_configuration = MagicMock()
         at.username = True
@@ -377,7 +377,7 @@ def test_cfgtable_str_key_field(self, mock_execute):
             fields:
               as_num: as-number
            """
-        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data)))
+        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data, Loader=yaml.FullLoader)))
         at = AutoSysTable(self.dev)
         at.rpc.lock_configuration = MagicMock()
         at.as_num = 100
@@ -403,7 +403,7 @@ def test_cfgtable_field_value_xpath(self, mock_execute):
             fields:
               as_num: autonomous-system/as-number
            """
-        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data)))
+        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data, Loader=yaml.FullLoader)))
         at = AutoSysTable(self.dev)
         at.rpc.lock_configuration = MagicMock()
         at.as_num = 150
@@ -429,7 +429,7 @@ def test_cfgtable_user_defined_type_error(self, mock_execute):
             fields:
               as_num: {'as-number': {'type': {'UserDefined': ''}}}
            """
-        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data)))
+        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data, Loader=yaml.FullLoader)))
         at = AutoSysTable(self.dev)
         at.rpc.lock_configuration = MagicMock()
         at.as_num = 100
@@ -449,7 +449,7 @@ def test_cfgtable_wrong_type_error(self, mock_execute):
             fields:
               as_num: {'as-number' : { 'type' : 'int'} }
            """
-        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data)))
+        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data, Loader=yaml.FullLoader)))
         at = AutoSysTable(self.dev)
         at.as_num = '100'
         self.assertRaises(TypeError, at.append)
@@ -468,7 +468,7 @@ def test_cfgtable_unsupported_type_error(self, mock_execute):
             fields:
               as_num: {'as-number' : { 'type' : 'interger'} }
            """
-        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data)))
+        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data, Loader=yaml.FullLoader)))
         at = AutoSysTable(self.dev)
         at.as_num = 100
         self.assertRaises(TypeError, at.append)
@@ -487,7 +487,7 @@ def test_cfgtable_enum_value_str_error(self, mock_execute):
             fields:
               as_num: {'as-number' : {'type' : {'enum': '100'}}}
            """
-        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data)))
+        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data, Loader=yaml.FullLoader)))
         at = AutoSysTable(self.dev)
         at.as_num = 100
         self.assertRaises(ValueError, at.append)
@@ -506,7 +506,7 @@ def test_cfgtable_enum_value_type_error(self, mock_execute):
             fields:
               as_num: {'as-number' : {'type' : {'enum': {'100': ''}}}}
            """
-        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data)))
+        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data, Loader=yaml.FullLoader)))
         at = AutoSysTable(self.dev)
         at.as_num = 100
         self.assertRaises(TypeError, at.append)
@@ -525,7 +525,7 @@ def test_cfgtable_invalid_type_error(self, mock_execute):
             fields:
               as_num: {'as-number': {'type': ['abc']}}
            """
-        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data)))
+        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data, Loader=yaml.FullLoader)))
         at = AutoSysTable(self.dev)
         at.as_num = 100
         self.assertRaises(TypeError, at.append)
@@ -544,7 +544,7 @@ def test_cfgtable_invalid_key_field_type_error(self, mock_execute):
             fields:
               as_num: as-number
            """
-        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data)))
+        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data, Loader=yaml.FullLoader)))
         self.assertRaises(TypeError, AutoSysTable, self.dev)
 
     @patch('jnpr.junos.Device.execute')
@@ -559,7 +559,7 @@ def test_cfgtable_invalid_key_field_not_defined_error(self, mock_execute):
             fields:
               as_num: as-number
            """
-        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data)))
+        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data, Loader=yaml.FullLoader)))
         self.assertRaises(ValueError, AutoSysTable, self.dev)
 
     @patch('jnpr.junos.Device.execute')
@@ -569,7 +569,7 @@ def test_cfgtable_invalid_view_not_defined_type_error(self, mock_execute):
           AutoSysTable:
             set: routing-options/autonomous-system
            """
-        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data)))
+        globals().update(FactoryLoader().load(yaml.load(yaml_auto_data, Loader=yaml.FullLoader)))
         self.assertRaises(ValueError, AutoSysTable, self.dev)
 
     @patch('jnpr.junos.Device.execute')

diff --git a/tests/unit/facts/test_swver.py b/tests/unit/facts/test_swver.py
@@ -58,7 +58,7 @@ def test_version_to_yaml(self):
         import yaml
         self.assertEqual(
             yaml.dump(version_info('11.4R7.5')),
-            "build: 5\nmajor: !!python/tuple [11, 4]\nminor: '7'\ntype: R\n")
+            "build: 5\nmajor: !!python/tuple\n- 11\n- 4\nminor: '7'\ntype: R\n")
 
     def test_version_iter(self):
         self.assertItemsEqual(