8 changes: 4 additions & 4 deletions README.md
Expand Up @@ -104,13 +104,13 @@ Or add a directory recursively:
'Name': 'fake_dir'}]
```

This module also contains some helper functions for adding strings, json, and even python objects to IPFS:
This module also contains some helper functions for adding strings and JSON to IPFS:

```py
>>> lst = [1, 77, 'lol']
>>> api.add_pyobj(lst)
'QmRFqz1ABQtbMBDfjpMubTaginvpVnf58Y87gheRzGfe4i'
>>> api.get_pyobj(_)
>>> client.add_json(lst)
'QmQ4R5cCUYBWiJpNL7mFe4LDrwD6qBr5Re17BoRAY9VNpd'
>>> client.get_json(_)
[1, 77, 'lol']
```

22 changes: 21 additions & 1 deletion ipfsapi/client.py
Expand Up @@ -8,6 +8,7 @@
from __future__ import absolute_import

import os
import warnings

from . import http, multipart, utils, exceptions, encoding

Expand Down Expand Up @@ -2126,6 +2127,14 @@ def get_json(self, multihash, **kwargs):
def add_pyobj(self, py_obj, **kwargs):
"""Adds a picklable Python object as a file to IPFS.

.. deprecated:: 0.4.2
The ``*_pyobj`` APIs allow for arbitrary code execution if abused.
Either switch to :meth:`~ipfsapi.Client.add_json` or use
``client.add_bytes(pickle.dumps(py_obj))`` instead.

Please see :meth:`~ipfsapi.Client.get_pyobj` for the
**security risks** of using these methods!

.. code-block:: python

>>> c.add_pyobj([0, 1.0, 2j, '3', 4e5])
Expand All @@ -2140,18 +2149,27 @@ def add_pyobj(self, py_obj, **kwargs):
-------
str : Hash of the added IPFS object
"""
warnings.warn("Using `*_pyobj` on untrusted data is a security risk",
DeprecationWarning)
return self.add_bytes(encoding.Pickle().encode(py_obj), **kwargs)

def get_pyobj(self, multihash, **kwargs):
"""Loads a pickled Python object from IPFS.

.. deprecated:: 0.4.2
The ``*_pyobj`` APIs allow for arbitrary code execution if abused.
Either switch to :meth:`~ipfsapi.Client.get_json` or use
``pickle.loads(client.cat(multihash))`` instead.

.. caution::

The pickle module is not intended to be secure against erroneous or
maliciously constructed data. Never unpickle data received from an
untrusted or unauthenticated source.

See the :mod:`pickle` module documentation for more information.
Please **read**
`this article <https://www.cs.uic.edu/%7Es/musings/pickle/>`_ to
understand the security risks of using this method!

.. code-block:: python

Expand All @@ -2167,4 +2185,6 @@ def get_pyobj(self, multihash, **kwargs):
-------
object : Deserialized IPFS Python object
"""
warnings.warn("Using `*_pyobj` on untrusted data is a security risk",
DeprecationWarning)
return self.cat(multihash, decoder='pickle', **kwargs)
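Review bot: Both new `warnings.warn(...)` calls, in `add_pyobj` and in `get_pyobj`, omit `stacklevel`, so the warning is attributed to `ipfsapi/client.py` instead of the caller's line. Python's default filters ignore `DeprecationWarning` unless it is attributed to `__main__`, so as written most users will never see this security notice. I would end both calls with `DeprecationWarning, stacklevel=2)`, and consider `FutureWarning` if the message is meant to reach end users by default. Separately, the replacement suggested in the `get_pyobj` docstring, `pickle.loads(client.cat(multihash))`, unpickles the same bytes and carries the same risk, so the deprecation text should say it is only appropriate for content the caller produced or authenticated. Both docstrings are partly collapsed on this page, so the remaining text was not reviewed.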