[Med] Snyk - Arbitrary Code Execution (due 9/10) #3280
Comments
Partially addresses #3280 as it removes one of the packages that requires PyYAML.
There appears to be no release of PyYAML on PyPI beyond 3.13 at this time - https://pypi.org/project/PyYAML/#history. There is a 4.1 release on GitHub but the fixes in it appear to be reversed in the 4.2 tree. Also, note that there is only a single dependency on PyYAML that remains - from The dependency from
Given that the next PyYAML release is not out yet but is due soon (there are some beta releases), my recommendation is to wait on this for another sprint. Tagging @lbeaufort and @patphongs to inform Jay?
Detailed discussion around the PyYAML release fiasco: yaml/pyyaml#193
Per Jay, risk assessment is moderate and we can follow up in 6.5
Changing the severity to HIGH as reported in Snyk:
@pkfec has Jay's assessment of this issue changed? It looks like this is slated to be worked on this sprint, correct?
@PaulClark2 per Jay, this issue is moderate.
We should try `safe_load`: Screenly/Anthias#878 (comment)
After discussing with @vrajmohan and putting in an issue to
Update: I put in a PR that was merged to the
Addressed by marshmallow-code/apispec#278 and #3362
Note - Snyk is still flagging
@justin5p here's a summary of this issue: The package that we use ( At this time, both flagged packages ( Going forward, it would be best to keep an eye on the latest PyYAML release to see if they fix the Please let me know if you have questions, thanks!
Vulnerable module: PyYAML
Introduced through: project@0.0.0 › bandit@1.4.0 › PyYAML@3.13 (Removed)
Introduced through: project@0.0.0 › flask-apispec@0.6.0.post0 › apispec@0.19.0 › PyYAML@3.13
Introduced through: project@0.0.0 › apispec@0.19.0 › PyYAML@3.13
No current remediation path. Best choice is to see what we can swap out for other packages or remove.
After discussing with @vrajmohan and putting in an issue to apispec to address the PyYAML vulnerability, our best approach is to:
- yaml.safe_load()
- and use those forked versions in our project
- apispec to the latest version if they make the change
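The thread's remediation (switch callers to `yaml.safe_load()` and wait for a PyYAML release) still leaves the question of how to find every remaining unsafe call in a code base, especially once bandit, whose B506 check does exactly this, has been dropped from the dependency set. The following is an added example, not code from this issue, the project, or PyYAML: a standard-library-only AST scan that flags `yaml.load`/`yaml.load_all` calls that do not pin `SafeLoader` (or `CSafeLoader`/`BaseLoader`), plus `yaml.unsafe_load`. The function names, the `SAMPLE` source and its line numbers are constructed for this example.

```python
"""Added example (not from the issue thread or the project): flag PyYAML
load calls that would construct arbitrary Python objects from ``!!python``
tags.  With PyYAML <= 3.13 a bare ``yaml.load(data)`` uses the full loader,
which is the arbitrary-code-execution finding Snyk reports here."""
import ast

SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader"}
RISKY_CALLS = {"load", "load_all", "unsafe_load", "unsafe_load_all"}


def _dotted_name(node):
    """Return 'yaml.SafeLoader'-style text for Name/Attribute nodes, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def find_unsafe_yaml_loads(source, filename="<string>"):
    """Return sorted (filename, lineno, reason) tuples for risky yaml loads."""
    tree = ast.parse(source, filename)
    yaml_modules = set()        # local names bound to the yaml module
    yaml_funcs = {}             # local name -> yaml function name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "yaml":
                    yaml_modules.add(alias.asname or "yaml")
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for alias in node.names:
                yaml_funcs[alias.asname or alias.name] = alias.name

    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name is None:
            continue
        if "." in name:
            mod, _, func = name.rpartition(".")
            if mod not in yaml_modules:
                continue
        else:
            func = yaml_funcs.get(name)
        if func not in RISKY_CALLS:
            continue
        if func.startswith("unsafe_"):
            findings.append((filename, node.lineno, f"{func} constructs arbitrary objects"))
            continue
        # Loader may be passed as keyword or as the second positional argument.
        loader_node = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
        if loader_node is None and len(node.args) >= 2:
            loader_node = node.args[1]
        if loader_node is None:
            findings.append((filename, node.lineno, f"{func} without Loader= defaults to the unsafe loader"))
            continue
        loader = _dotted_name(loader_node)
        if loader is None:
            findings.append((filename, node.lineno, f"{func} with non-constant Loader; review"))
        elif loader.split(".")[-1] not in SAFE_LOADERS:
            findings.append((filename, node.lineno, f"{func} with Loader={loader}"))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample module; only parsed, never executed.
SAMPLE = '''
import yaml
from yaml import load as yload
cfg = yaml.load(open("app.yml"))                 # line 4: no Loader -> flagged
ok = yaml.safe_load(open("app.yml"))             # line 5: fine
ok2 = yaml.load(text, Loader=yaml.SafeLoader)    # line 6: fine
bad = yaml.load(text, Loader=yaml.Loader)        # line 7: full loader -> flagged
bad2 = yload(text)                               # line 8: aliased load -> flagged
'''

if __name__ == "__main__":
    for fname, line, reason in find_unsafe_yaml_loads(SAMPLE, "sample.py"):
        print(f"{fname}:{line}: {reason}")
```

Run it over real files with `find_unsafe_yaml_loads(path.read_text(), str(path))`; on `SAMPLE` it reports lines 4, 7 and 8 and stays silent on the `safe_load` and `SafeLoader` calls. The scan is syntactic, so a loader stored in a variable is reported for review rather than silently accepted.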