fix: use safe_load for parsing yaml

jirikuncar · jirikuncar · commit 5383d1ebb15c · 2019-03-18T10:50:49.000+01:00
(closes #464)
diff --git a/renku/api/datasets.py b/renku/api/datasets.py
@@ -78,7 +78,7 @@ def with_dataset(self, name=None):
 
                 if path.exists():
                     with path.open('r') as f:
-                        source = yaml.load(f) or {}
+                        source = yaml.safe_load(f) or {}
                     dataset = Dataset.from_jsonld(source, __reference__=path)
 
             if dataset is None:
diff --git a/renku/api/repository.py b/renku/api/repository.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright 2018 - Swiss Data Science Center (SDSC)
+# Copyright 2018-2019 - Swiss Data Science Center (SDSC)
 # A partnership between École Polytechnique Fédérale de Lausanne (EPFL) and
 # Eidgenössische Technische Hochschule Zürich (ETHZ).
 #
@@ -191,7 +191,7 @@ def process_commit(self, commit=None, path=None):
         if path:
             data = (commit.tree / path).data_stream.read()
             process = CWLClass.from_cwl(
-                yaml.load(data), __reference__=Path(path)
+                yaml.safe_load(data), __reference__=Path(path)
             )
 
             return process.create_run(
@@ -294,7 +294,7 @@ def with_metadata(self):
 
             if self.renku_metadata_path.exists():
                 with metadata_path.open('r') as f:
-                    source = yaml.load(f) or {}
+                    source = yaml.safe_load(f) or {}
             else:
                 source = {}
 
diff --git a/renku/cli/_config.py b/renku/cli/_config.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright 2017 - Swiss Data Science Center (SDSC)
+# Copyright 2017-2019 - Swiss Data Science Center (SDSC)
 # A partnership between École Polytechnique Fédérale de Lausanne (EPFL) and
 # Eidgenössische Technische Hochschule Zürich (ETHZ).
 #
@@ -64,7 +64,7 @@ def read_config(path=None, final=False):
     """Read Renku configuration."""
     try:
         with open(config_path(path, final=final), 'r') as configfile:
-            return yaml.load(configfile) or {}
+            return yaml.safe_load(configfile) or {}
     except FileNotFoundError:
         return {}
 
diff --git a/renku/cli/migrate.py b/renku/cli/migrate.py
@@ -44,7 +44,7 @@ def datasets(ctx, client):
     with client.lock:
         for old_path in _dataset_metadata_pre_0_3_4(client):
             with old_path.open('r') as fp:
-                dataset = Dataset.from_jsonld(yaml.load(fp))
+                dataset = Dataset.from_jsonld(yaml.safe_load(fp))
 
             name = str(old_path.parent.relative_to(client.path / 'data'))
             new_path = (
diff --git a/renku/cli/runner.py b/renku/cli/runner.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright 2018 - Swiss Data Science Center (SDSC)
+# Copyright 2018-2019 - Swiss Data Science Center (SDSC)
 # A partnership between École Polytechnique Fédérale de Lausanne (EPFL) and
 # Eidgenössische Technische Hochschule Zürich (ETHZ).
 #
@@ -92,7 +92,7 @@ def rerun(client, run, job):
             args.append(job_file.name)
 
             with job_file as fp:
-                yaml.dump(yaml.load(job), stream=fp, encoding='utf-8')
+                yaml.dump(yaml.safe_load(job), stream=fp, encoding='utf-8')
 
         if run:
             return call(args, cwd=os.getcwd())
diff --git a/renku/models/_jsonld.py b/renku/models/_jsonld.py
@@ -356,7 +356,9 @@ def from_yaml(cls, path):
         import yaml
 
         with path.open(mode='r') as fp:
-            self = cls.from_jsonld(yaml.load(fp) or {}, __reference__=path)
+            self = cls.from_jsonld(
+                yaml.safe_load(fp) or {}, __reference__=path
+            )
 
         return self
 
diff --git a/renku/models/cwl/_ascwl.py b/renku/models/cwl/_ascwl.py
@@ -66,7 +66,7 @@ def from_yaml(cls, path):
         import yaml
 
         with path.open(mode='r') as fp:
-            self = cls.from_cwl(yaml.load(fp), __reference__=path)
+            self = cls.from_cwl(yaml.safe_load(fp), __reference__=path)
 
         return self
 
diff --git a/renku/models/provenance/activities.py b/renku/models/provenance/activities.py
@@ -413,7 +413,7 @@ def _load(step):
                 import yaml
                 data = (self.commit.tree / basedir /
                         step.run).data_stream.read()
-                return CWLClass.from_cwl(yaml.load(data))
+                return CWLClass.from_cwl(yaml.safe_load(data))
 
             return CWLClass.from_yaml(step.run)
 
diff --git a/tests/cli/test_output_option.py b/tests/cli/test_output_option.py
@@ -35,7 +35,7 @@ def test_without_an_output_option(runner, client, run):
     cwls = []
     for tool_path in tools:
         with tool_path.open('r') as f:
-            cwls.append(CWLClass.from_cwl(yaml.load(f)))
+            cwls.append(CWLClass.from_cwl(yaml.safe_load(f)))
 
     assert cwls[0].inputs != cwls[1].inputs
     assert cwls[0].outputs != cwls[1].outputs
@@ -55,7 +55,7 @@ def test_with_an_output_option(runner, client, run):
     cwls = []
     for tool_path in tools:
         with tool_path.open('r') as f:
-            cwls.append(CWLClass.from_cwl(yaml.load(f)))
+            cwls.append(CWLClass.from_cwl(yaml.safe_load(f)))
 
     assert cwls[0].inputs == cwls[1].inputs
     assert cwls[0].outputs == cwls[1].outputs
@@ -79,7 +79,7 @@ def test_output_directory_with_output_option(runner, client, run):
     cwls = []
     for tool_path in tools:
         with tool_path.open('r') as f:
-            cwls.append(CWLClass.from_cwl(yaml.load(f)))
+            cwls.append(CWLClass.from_cwl(yaml.safe_load(f)))
 
     assert cwls[0].inputs != cwls[1].inputs
     assert cwls[0].outputs != cwls[1].outputs
@@ -107,7 +107,7 @@ def test_output_directory_without_separate_outputs(runner, client, run):
     assert 1 == len(tools)
 
     with tools[0].open('r') as f:
-        cwl = CWLClass.from_cwl(yaml.load(f))
+        cwl = CWLClass.from_cwl(yaml.safe_load(f))
 
     assert 1 == len(cwl.outputs)
     assert 'Directory' == cwl.outputs[0].type
diff --git a/tests/test_cli.py b/tests/test_cli.py
@@ -173,7 +173,7 @@ def test_workflow(runner, project):
     assert result.exit_code == 0
 
     with open('workflow.cwl', 'r') as f:
-        workflow = Workflow.from_cwl(yaml.load(f))
+        workflow = Workflow.from_cwl(yaml.safe_load(f))
         assert workflow.steps[0].run.startswith('.renku/workflow/')
 
     # Compare default log and log for a specific file.
@@ -627,7 +627,7 @@ def test_modified_tool(runner, project, run):
 
     tool_path = tools[0]
     with tool_path.open('r') as f:
-        command_line_tool = CWLClass.from_cwl(yaml.load(f))
+        command_line_tool = CWLClass.from_cwl(yaml.safe_load(f))
 
     # Simulate a manual edit.
     command_line_tool.inputs[0].default = 'ahoj'
diff --git a/tests/test_cwl.py b/tests/test_cwl.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright 2018 - Swiss Data Science Center (SDSC)
+# Copyright 2018-2019 - Swiss Data Science Center (SDSC)
 # A partnership between École Polytechnique Fédérale de Lausanne (EPFL) and
 # Eidgenössische Technische Hochschule Zürich (ETHZ).
 #
@@ -346,4 +346,4 @@ def test_exitings_output_directory(client):
 
 def test_load_inputs_defined_as_type():
     """Test loading of CWL definition with specific input parameters."""
-    assert CWLClass.from_cwl(yaml.load(LINK_CWL))
+    assert CWLClass.from_cwl(yaml.safe_load(LINK_CWL))
diff --git a/tests/test_dataset.py b/tests/test_dataset.py
@@ -117,7 +117,7 @@ def test_data_add_recursive(directory_tree, client):
 def dataset_serialization(client, dataset, data_file):
     """Test deserializing a dataset object."""
     with open(dataset.path / 'metadata.yml', 'r') as f:
-        source = yaml.load(f)
+        source = yaml.safe_load(f)
 
     d = Dataset.from_jsonld(source)
     assert d.path == dataset.path
diff --git a/tests/test_projects.py b/tests/test_projects.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright 2018 - Swiss Data Science Center (SDSC)
+# Copyright 2018-2019 - Swiss Data Science Center (SDSC)
 # A partnership between École Polytechnique Fédérale de Lausanne (EPFL) and
 # Eidgenössische Technische Hochschule Zürich (ETHZ).
 #
@@ -62,7 +62,7 @@ def test_project_serialization():
 
 def test_project_metadata_compatibility():
     """Test loading of the initial version."""
-    project = Project.from_jsonld(yaml.load(PROJECT_V1))
+    project = Project.from_jsonld(yaml.safe_load(PROJECT_V1))
 
     assert project.name == 'demo'
     assert project.version == '1'

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`# -- coding: utf-8 --`
`2`	`2`	`#`
`3`		`-# Copyright 2018 - Swiss Data Science Center (SDSC)`
	`3`	`+# Copyright 2018-2019 - Swiss Data Science Center (SDSC)`
`4`	`4`	`# A partnership between École Polytechnique Fédérale de Lausanne (EPFL) and`
`5`	`5`	`# Eidgenössische Technische Hochschule Zürich (ETHZ).`
`6`	`6`	`#`
`@@ -92,7 +92,7 @@ def rerun(client, run, job):`
`92`	`92`	`args.append(job_file.name)`
`93`	`93`
`94`	`94`	`with job_file as fp:`
`95`		`- yaml.dump(yaml.load(job), stream=fp, encoding='utf-8')`
	`95`	`+ yaml.dump(yaml.safe_load(job), stream=fp, encoding='utf-8')`
`96`	`96`
`97`	`97`	`if run:`
`98`	`98`	`return call(args, cwd=os.getcwd())`