getcloudless · sverch · Mar 2, 2019 · Mar 2, 2019
diff --git a/CHANGELOG b/CHANGELOG
@@ -5,6 +5,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Changed
+- Use old non prerelease PyYaml version but use safe_load for security.
 
 ## [0.0.8] - 2019-03-01
 ### Added

diff --git a/Pipfile.lock b/Pipfile.lock
diff --git a/cloudless/cli/service.py b/cloudless/cli/service.py
@@ -38,7 +38,7 @@ def service_create(ctx, network, name, blueprint, var_file=None, count=None):
         """
         if var_file:
             with open(var_file, 'r') as stream:
-                var_file_contents = yaml.load(stream)
+                var_file_contents = yaml.safe_load(stream)
         else:
             var_file_contents = {}
         network_object = get_network_for_cli(ctx, network)

diff --git a/cloudless/profile.py b/cloudless/profile.py
@@ -22,7 +22,7 @@ def load(self):
         if not os.path.exists(self.config_path):
             return None
         with open(self.config_path, 'r') as config_file:
-            return yaml.load(config_file)
+            return yaml.safe_load(config_file)
 
     def save(self, config):
         """

diff --git a/cloudless/util/blueprint.py b/cloudless/util/blueprint.py
@@ -29,7 +29,7 @@ class Blueprint:
     def __init__(self, blueprint, blueprint_path="./"):
         logger.debug("Creating blueprint from data: %s", blueprint)
         try:
-            self.blueprint = yaml.load(blueprint)
+            self.blueprint = yaml.safe_load(blueprint)
         except yaml.YAMLError as exc:
             logger.error("Error parsing blueprint: %s", exc)
             raise exc

diff --git a/cloudless/util/blueprint_test_configuration.py b/cloudless/util/blueprint_test_configuration.py
@@ -19,7 +19,7 @@ class BlueprintTestConfiguration:
     def __init__(self, config):
         with open(config, 'r') as stream:
             try:
-                self.config = yaml.load(stream)
+                self.config = yaml.safe_load(stream)
             except yaml.YAMLError as exc:
                 logger.error("Error parsing config: %s", exc)
                 raise exc

diff --git a/cloudless/util/image_build_configuration.py b/cloudless/util/image_build_configuration.py
@@ -20,7 +20,7 @@ class ImageBuildConfiguration:
     def __init__(self, config):
         with open(config, 'r') as stream:
             try:
-                self.config = yaml.load(stream)
+                self.config = yaml.safe_load(stream)
             except yaml.YAMLError as exc:
                 logger.error("Error parsing config: %s", exc)
                 raise exc

diff --git a/setup.py b/setup.py
@@ -38,7 +38,9 @@
 REQUIRED = [
     'boto3>=1.9.39,<1.10.0',
     'botocore>=1.12.39,<1.13.0',
-    'PyYaml>=4.2b1,<4.3',
+    # This is vulnerable to https://github.com/yaml/pyyaml/issues/207, but unfortunately there's no
+    # released version that fixes that at this moment.  For now, use safe_load everywhere.
+    'PyYaml>=3.13,<4.3',
     'jinja2>=2.10,<3.0',
     # This pytest dependency is only for the module tester.  Perhaps this should
     # be a separate module eventually.