Switch YAML formatter to safe_dump and safe_load

This ensures that people only use this default formatter for data structures that we can trust.
lsst · Nov 4, 2020 · 8e9ebec · 8e9ebec
1 parent 80d5751
commit 8e9ebec
Showing 1 changed file with 19 additions and 3 deletions.
diff --git a/python/lsst/daf/butler/formatters/yaml.py b/python/lsst/daf/butler/formatters/yaml.py
@@ -65,7 +65,7 @@ def _readFile(self, path: str, pytype: Type[Any] = None) -> Any:
 
         Notes
         -----
-        The `~yaml.UnsafeLoader` is used when parsing the YAML file.
+        The `~yaml.SafeLoader` is used when parsing the YAML file.
         """
         try:
             with open(path, "rb") as fd:
@@ -90,8 +90,12 @@ def _fromBytes(self, serializedDataset: bytes, pytype: Optional[Type[Any]] = Non
         inMemoryDataset : `object`
             The requested data as an object, or None if the string could
             not be read.
+
+        Notes
+        -----
+        The `~yaml.SafeLoader` is used when parsing the YAML.
         """
-        data = yaml.load(serializedDataset, Loader=yaml.FullLoader)
+        data = yaml.safe_load(serializedDataset)
 
         try:
             data = data.exportAsDict()
@@ -115,6 +119,12 @@ def _writeFile(self, inMemoryDataset: Any) -> None:
         ------
         Exception
             The file could not be written.
+
+        Notes
+        -----
+        The `~yaml.SafeDumper` is used when generating the YAML serialization.
+        This will fail for data structures that have complex python classes
+        without a registered YAML representer.
         """
         with open(self.fileDescriptor.location.path, "wb") as fd:
             fd.write(self._toBytes(inMemoryDataset))
@@ -140,10 +150,16 @@ def _toBytes(self, inMemoryDataset: Any) -> bytes:
         ------
         Exception
             The object could not be serialized.
+
+        Notes
+        -----
+        The `~yaml.SafeDumper` is used when generating the YAML serialization.
+        This will fail for data structures that have complex python classes
+        without a registered YAML representer.
         """
         if hasattr(inMemoryDataset, "_asdict"):
             inMemoryDataset = inMemoryDataset._asdict()
-        return yaml.dump(inMemoryDataset).encode()
+        return yaml.safe_dump(inMemoryDataset).encode()
 
     def _coerceType(self, inMemoryDataset: Any, storageClass: StorageClass,
                     pytype: Optional[Type[Any]] = None) -> Any: