Use 'yaml.safe_load' in 'load_yaml_from_docstring' #278
It doesn't look like there's been much activity by PyYAML to move forward with making
The PyYAML security vulnerability is being flagged for our FEC API.
Please let me know if you have any questions, and thanks!
Sorry, I had a look the other day because we had a warning from pyup.io/safety-ci and forgot to comment here.
Here's my understanding (can be incorrect / incomplete):
pyyaml has had two ways to load yaml docstrings for a while, the normal and the safe. The safe one is meant to be used when loading yaml strings from unknown sources, because the normal one allows code injection. Since users overlooked this and used the normal way to parse input data, they decided it was safer to make safe the default. This was done in 4.1 thanks to yaml/pyyaml#74. But then, for some reason, this led to issues (yaml/pyyaml#187), 4.1 was sort of retracted and the commit was reverted (yaml/pyyaml#194), and they hope to find a nice way out for 4.2 (yaml/pyyaml#193).
Meanwhile, a CVE was reported to account for the fact that the default load is not safe, which had been the case since the beginning. It was a known issue, since
And now, people using dependencies security issues tracking solutions get warnings because
In our case, the docstring being parsed is not external data, it is written by the developer of the application, so I see no reason to use
This said, I don't know exactly the downsides of using
Yet, assuming I understood everything correctly, this would only serve the purpose of silencing a spurious security warning.
I may be wrong and if it is simpler to use
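The difference between the two loaders described in the comment above, as an added example that is not part of this thread and not apispec's own code. It needs PyYAML installed. The tagged YAML document and the sample docstring are constructed for the demonstration; `builtins.sum` stands in for the callable an attacker would really name (such as `os.system`), and `load_yaml_from_docstring` below is a simplified stand-in for the project's function, not its actual implementation.

```python
"""Added example (not apispec's or PyYAML's own code): the full PyYAML loader
versus yaml.safe_load, plus a minimal docstring-to-YAML helper that uses the
safe loader, in the spirit of load_yaml_from_docstring."""
import yaml
from yaml.constructor import ConstructorError

# Constructed sample: a YAML document carrying a PyYAML-specific tag that asks
# the loader to import a module and *call* a function while parsing.
# builtins.sum is a harmless stand-in for what an attacker would point at.
TAGGED_DOC = "result: !!python/object/apply:builtins.sum [[1, 2, 3]]\n"

# Constructed sample docstring in the layout the project parses: free text,
# a '---' separator, then the YAML block.
SAMPLE_DOCSTRING = """Return a list of pets.
---
get:
  description: Fetch pets
  responses:
    200:
      description: OK
"""


def unsafe_load(document):
    """Load with yaml.Loader, the full (unsafe) loader.

    This is what yaml.load() did without an explicit Loader before PyYAML 5.1:
    any Python callable named in the document is imported and executed.
    """
    return yaml.load(document, Loader=yaml.Loader)


def safe_load_or_error(document):
    """Load with yaml.safe_load and return the parsed data, or the name of
    the exception class when the document uses a tag the safe loader refuses
    to construct (python/* tags are not registered on SafeLoader)."""
    try:
        return yaml.safe_load(document)
    except ConstructorError as exc:
        return type(exc).__name__


def load_yaml_from_docstring(docstring):
    """Simplified stand-in (assumption, not apispec's implementation): take the
    text after the first line consisting of '---' and parse it with safe_load.
    Returns an empty dict when there is no YAML block."""
    lines = docstring.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "---":
            body = "\n".join(lines[i + 1:])
            return yaml.safe_load(body) or {}
    return {}


if __name__ == "__main__":
    print("full loader executed the tag:", unsafe_load(TAGGED_DOC))
    print("safe_load result:", safe_load_or_error(TAGGED_DOC))
    print("docstring YAML:", load_yaml_from_docstring(SAMPLE_DOCSTRING))
```

`yaml.Loader` is used rather than `yaml.FullLoader` because what FullLoader does with `python/object/apply` has changed between PyYAML releases; `yaml.Loader` has always been the full constructor, so the contrast with `safe_load` is stable across versions. Note that the safe loader rejects the tag at construction time, before any callable is resolved.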
Thanks for your replies, @sloria and @lafrech. Everything I've read has indicated that it's best to use
From my quick search through the issues @lafrech posted and some other sources, there doesn't appear to be any downside to using
@lbeaufort Would you like to send the PR?