From eda5ba9770976af63e35ec269e183fb621df8d74 Mon Sep 17 00:00:00 2001
From: Tuomas Suutari
Date: Wed, 10 Jul 2019 14:57:13 +0300
Subject: [PATCH] Use yaml.safe_load to read the configuration

Use "yaml.safe_load" rather than the unsafe "yaml.load" to load the configuration file. Using bare "yaml.load" allows arbitary commands being executed from the configuration file, which we probably don't want to allow. See the link below for details. This fixes the following deprecation warning: YAMLLoadWarning: calling yaml.load() without Loader=... is deprecated, as the default Loader is unsafe. Please read https://msg.pyyaml.org/load for full details.
---
 database_sanitizer/config.py | 2 +-
 database_sanitizer/tests/test_config.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/database_sanitizer/config.py b/database_sanitizer/config.py
index 83b3e9b..e341b82 100644
--- a/database_sanitizer/config.py
+++ b/database_sanitizer/config.py
@@ -46,7 +46,7 @@ def from_file(cls, filename):
 instance = cls()
 with open(filename, "rb") as file_stream:
- config_data = yaml.load(file_stream)
+ config_data = yaml.safe_load(file_stream)
 instance.load(config_data)
diff --git a/database_sanitizer/tests/test_config.py b/database_sanitizer/tests/test_config.py
index 3487996..2b0bfeb 100644
--- a/database_sanitizer/tests/test_config.py
+++ b/database_sanitizer/tests/test_config.py
@@ -10,7 +10,7 @@
 @mock.patch.object(config, 'open')
-@mock.patch('yaml.load')
+@mock.patch('yaml.safe_load')
 def test_from_file(mocked_yaml_load, mocked_open):
 mocked_yaml_load.return_value = {}
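Review bot: `yaml.safe_load` returns `None` for an empty configuration file, and the new line in `from_file` hands that value straight to `instance.load(config_data)` two lines below; unless `load` already tolerates `None`, which cannot be seen from this hunk, a guard such as `config_data = yaml.safe_load(file_stream) or {}` keeps an empty file from failing somewhere inside `load` instead of at the read. The `from_file` method starts above the hunk, so only the `with` block is visible here. The reason for preferring `safe_load` currently lives only in the commit message; a one-line comment above the call, `# safe_load: the config file is user-supplied, so only plain YAML tags may be constructed`, would keep that rationale next to the code for the next maintainer.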