PyYAML Deprecation of Full Loader method

[burncycl]

Hello,

The j2cli 0.3.5.post1, Jinja2 2.10 is broken, as it calls a deprecated and vulnerable method (FullLoader) in PyYAML.

Please reference:

• https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
• CVE-2017-18342 status yaml/pyyaml#207

Traceback (most recent call last):
File "./venv/bin/j2", line 10, in
sys.exit(main())
File "/builds/ansible/venv/lib/python3.6/site-packages/j2cli/cli.py", line 175, in main
sys.argv[1:]
File "/builds/ansible/venv/lib/python3.6/site-packages/j2cli/cli.py", line 141, in render_command
args.import_env
File "/builds/ansible/venv/lib/python3.6/site-packages/j2cli/context.py", line 192, in read_context_data
context = FORMATSformat
File "/builds/ansible/venv/lib/python3.6/site-packages/j2cli/context.py", line 88, in _parse_yaml
return yaml.load(data_string, Loader=yaml.FullLoader)
AttributeError: module 'yaml' has no attribute 'FullLoader'

[kolypto]

Wow I messed up! Sorry :)
I removed the new release from pypi for now. Will fix it in a day or two, and will make sure I understand what I'm doing :D

[burncycl]

We import j2cli in a virtual environment at runtime. That said, I modified our requirements.txt to reference the tagged fix. This resolved the issue. Albiet a hacky temporary fix.
py3_requirements.txt

#j2cli[yaml] # Temporarily deprecated due to security issue.
git+git://github.com/kolypto/j2cli.git@v0.3.6
PyYAML==5.1

Thanks for your software and support!

[kolypto]

Fixed in 0.3.6.post1.
I hope it works for you now! :)

[burncycl]

Nuked the virtual enviroment, and remade it with just the following:

py3_requirements.txt

j2cli[yaml]

Works!

Can verify the proper version is installed from within the sourced virtual environment:

(venv) $ j2 --version
j2cli 0.3.6.post1, Jinja2 2.10

Thanks again for your support! Have a great one!