Add software plan blocks #30

Merged
merged 3 commits into from May 22, 2019
Conversation

johndgiese
Contributor

No description provided.

The FullLoader was added in a new version of YAML, and thus breaks
installs with older versions.  We likely only need the safe subset of
YAML anyway, so for now, just switch to the SafeLoader.
@johndgiese johndgiese requested a review from orwonthe May 22, 2019 16:42
@@ -73,7 +73,7 @@ def context_from_data_files(data_filenames):
with open(data_filename, 'r') as data_file:
data_string = data_file.read()
try:
data = yaml.load(data_string, Loader=yaml.FullLoader)
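Review bot: the hunk as rendered here shows only the line being replaced, `data = yaml.load(data_string, Loader=yaml.FullLoader)`; the SafeLoader line the commit message describes is not visible, so the change cannot be checked against it on this page. For the replacement, `yaml.safe_load(data_string)` is the idiomatic spelling: it is equivalent to `yaml.load(..., Loader=yaml.SafeLoader)` and exists on every PyYAML release, whereas `yaml.FullLoader` only appeared in 5.1, which is the install breakage the commit message is fixing. The `try:` that opens this hunk has its `except` outside the visible context; with the safe subset, a data file carrying a `!!python/...` tag now raises `yaml.constructor.ConstructorError` (a subclass of `yaml.YAMLError`) at load time, so that handler should catch `yaml.YAMLError` specifically rather than swallowing everything.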
Contributor

This change eliminates the ability to have the yaml contain any custom objects we have imported. Is this necessary? From yaml/pyyaml#257 ...

We added a new loader class called FullLoader, and we made it the default for
load(). This class is almost as complete for serialization as
UnsafeLoader/Loader, but it avoids arbitrary code execution. We don't expect it
will break any code in the wild.

We still recommend that people choose SafeLoader for untrusted data, but
arbitrary code execution will no longer be possible using yaml.load() with
the default loader (FullLoader). FullLoader will instantiate objects of classes
that you have imported. Since object instantiation runs the class's constructor
code, that may be exploitable.

Contributor

@orwonthe orwonthe left a comment


Looks good but see comment on SafeLoader vs FullLoader

@johndgiese johndgiese merged commit ef39ad1 into master May 22, 2019
@johndgiese johndgiese deleted the add-software-plan-blocks branch May 22, 2019 17:05