Safe load 'included' yaml files #589
Codecov Report

```
@@          Coverage Diff           @@
##           master   #589    +/-  ##
=====================================
  Coverage     100%   100%
=====================================
  Files          20     20
  Lines        1369   1369
=====================================
  Hits         1369   1369
```
Thanks for starting on this. It looks like this test already exists which is reassuring.
Feel free to merge this and raise a new PR with your next changes or continue working here.
It might be interesting to see if we can add a test which fails if the exploit can be abused, then #580 can be closed when it passes.
I'm wondering why

As for your suggestion on creating a test to see if the exploit can be abused, it sounds like a good thing to have, so I'll try to write something like that. Thanks for the suggestion 👍

--EDIT--

```python
def test_yaml_load_exploit(self):
    opsdroid, loader = self.setup()
    config = loader.load_config_file("tests/configs/exploit.yaml")
    self.assertIsNotNone(config)
    self.assertFalse(config)
```

```
>       self.assertFalse(config)
E       AssertionError: {'welcome-message': True, 'connectors': [{'name': 'shell', 'bot-name': 'mybot'}, {'name': 'websocket', 'bot-name': 'mybot', 'max-connections': 10, 'connection-timeout': 10}], 'skills': [{'name': 'dance'}, {'name': 'hello'}, {'name': 'loudnoises'}, {'name': 'seen'}]} is not false
```

The issue is when we use

For the sake of consistency I tried to import the code straight from the loader (

I assume that opsdroid will just use the config example file if the file used for the configuration file doesn't have a specific name (I believe this is the case if memory doesn't fail me).

Finally, I am going to suppose that the biggest issue to opsdroid is indeed the
I'm not sure if you saw my second edit in which I mentioned a NoneType, but I figured out the issue. It was because I forgot to delete one empty line (doh!).

I have tested on my end to include another yaml file to the

@jacobtomlinson I would just like your opinion about the other

These changes look good. I'm not entirely sure what to do about the other safe load. I would recommend merging this now and then investigating it further in a new PR.
Description

This is the first baby-step to replace `yaml.load` with `yaml.safe_load`. Currently, I have changed how the command `!include` loads a new file into the configuration, mostly because this is the first bit where people could exploit the vulnerabilities of `yaml.load`.

When I tried to replace load with safe_load on lines `loader:229-232` the tests failed as everything was returning None, so I will need to do some further testing to see why safe_load is not loading the file properly.

Another thing I need to do will be testing opsdroid with an included file and see if it works without any issue.

Fixes #580

Status

READY | UNDER DEVELOPMENT | ON HOLD

Type of change

How Has This Been Tested?

`!include` file - returns NoneType (needs further investigation)

Checklist:
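The approach the description outlines, keeping `!include` working while moving from `yaml.load` to a safe loader, as an added example that is not opsdroid's code and not part of this PR: a `yaml.SafeLoader` subclass with an `!include` constructor, the unsafe and the safe loader run over a constructed exploit payload, and one extra check of my own, that an include cannot escape the directory of the file that includes it. `IncludeLoader`, `load_config_file`, the file names and the YAML contents are all assumptions made up for the example; the thread's real `tests/configs/exploit.yaml` is not on the page, so a harmless `os.getcwd` call stands in for whatever it contains.

```python
import os
import tempfile

import yaml

# Constructed payload standing in for the thread's tests/configs/exploit.yaml
# (its real contents are not on the page). Under the unsafe Loader the
# `!!python/object/apply:` tag calls an arbitrary Python callable while the
# document is being parsed; os.getcwd is used only because it is harmless,
# os.system("...") would be resolved exactly the same way.
EXPLOIT_YAML = "welcome-message: !!python/object/apply:os.getcwd []\n"


class IncludeLoader(yaml.SafeLoader):
    """SafeLoader that also understands `!include other.yaml` (hypothetical
    name, not opsdroid's loader). Includes resolve relative to the including
    file and may not escape its directory."""

    def __init__(self, stream):
        name = getattr(stream, "name", None)
        self.include_root = (os.path.dirname(os.path.abspath(name))
                             if name else os.getcwd())
        super().__init__(stream)


def construct_include(loader, node):
    rel = loader.construct_scalar(node)
    target = os.path.abspath(os.path.join(loader.include_root, rel))
    # Reject `!include ../../somewhere/else.yaml`: the included file must live
    # under the directory of the file that includes it (my addition).
    if os.path.commonpath([loader.include_root, target]) != loader.include_root:
        raise yaml.constructor.ConstructorError(
            None, None, "include escapes the config directory: %s" % rel,
            node.start_mark)
    with open(target) as fh:
        # Recursive, and still safe: nested files get the same loader.
        return yaml.load(fh, Loader=IncludeLoader)


IncludeLoader.add_constructor("!include", construct_include)


def load_config_file(path):
    """Safe counterpart of a plain yaml.load(...) call on a config file."""
    with open(path) as fh:
        return yaml.load(fh, Loader=IncludeLoader)


def unsafe_exploit_runs():
    """Before: the full Loader executes the payload, so the result of
    os.getcwd() ends up in the parsed config."""
    cfg = yaml.load(EXPLOIT_YAML, Loader=yaml.Loader)
    return cfg["welcome-message"] == os.getcwd()


def safe_loader_rejects_exploit():
    """After: SafeLoader has no constructor for python/object tags."""
    try:
        yaml.load(EXPLOIT_YAML, Loader=IncludeLoader)
    except yaml.constructor.ConstructorError:
        return True
    return False


def _write(path, text):
    with open(path, "w") as fh:
        fh.write(text)


def load_with_include():
    """Constructed two-file config: the include still works under SafeLoader."""
    tmp = tempfile.mkdtemp()
    _write(os.path.join(tmp, "connectors.yaml"),
           "- name: shell\n  bot-name: mybot\n- name: websocket\n  bot-name: mybot\n")
    _write(os.path.join(tmp, "configuration.yaml"),
           "welcome-message: true\nconnectors: !include connectors.yaml\n")
    return load_config_file(os.path.join(tmp, "configuration.yaml"))


def include_escape_rejected():
    """`!include ../outside.yaml` is refused before anything is opened."""
    tmp = tempfile.mkdtemp()
    _write(os.path.join(tmp, "configuration.yaml"),
           "secrets: !include ../outside.yaml\n")
    try:
        load_config_file(os.path.join(tmp, "configuration.yaml"))
    except yaml.constructor.ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe loader ran payload:", unsafe_exploit_runs())
    print("safe loader rejected it:  ", safe_loader_rejects_exploit())
    print("config with include:      ", load_with_include())
    print("escape rejected:          ", include_escape_rejected())
```

The example names the loader explicitly in every `yaml.load` call: since PyYAML 5.1 a bare `yaml.load(stream)` emits a warning and falls back to `FullLoader`, so the fix is to pick `SafeLoader` (or a subclass like the one above) on purpose rather than rely on the default. An `!include` that reads any path the YAML names is itself a file-read primitive, which is why the directory check is included even though the thread does not discuss it.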