Commit Graph

95 Commits

Author SHA1 Message Date
xuyong
3b30a99471 backup pyyaml from 6.0 to 5.4.1
Signed-off-by: xuyong <xuyong59@huawei.com>
2022-03-16 17:10:07 +08:00
Ingy döt Net
c2743653bc The yaml.load{,_all} functions require Loader= now 2021-09-23 14:43:55 -07:00
Ingy döt Net
2f87ac4838 Add a basic test file for yaml.load and yaml.dump 2021-09-23 14:43:02 -07:00
Tina Müller
8f27932796 Fix float resolver for '.' and '._'
A single dot matches the official YAML 1.1 int regex.
This was probably unintended. The regex now requires at least
a digit before or after the dot.
2021-09-23 14:42:00 -07:00
Thom Smith
575d2f46db Use with statements to eliminate ResourceWarnings 2021-09-23 14:42:00 -07:00
Tina Müller
b3d2d674b7 Add a test for the YAML 1.1 types 2021-09-23 14:42:00 -07:00
Thom Smith
961ce9dcf5 Fix issue with representing Enum types 2021-09-23 14:42:00 -07:00
Thom Smith
f20947ae25 Move code from lib3 to lib 2021-09-22 15:52:05 +02:00
Thom Smith
dc0c4c1441 Remove 2.7 support 2021-09-22 15:52:05 +02:00
Ovv
ddf20330be constructor.timezone: __copy__ & __deepcopy__
close #387
2021-01-13 16:58:40 -05:00
Ingy döt Net
a001f27825 Fix for CVE-2020-14343
Per suggestion https://github.com/yaml/pyyaml/issues/420#issuecomment-663888344
move a few constructors from full_load to unsafe_load.
2021-01-13 16:58:40 -05:00
Brad Solomon
89f608599d Build modernization (GHA, wheels, setuptools) (#407)
* Move most CI to GitHub Actions
* Build sdist
* Build manylinux1 wheels with libyaml ext (also tested with 2010 and 2014)
* Build MacOS x86_64 wheels with libyaml ext
* Windows wheel builds remain on AppVeyor until we drop 2.7 support in 6.0
* Smoke tests of all post-build artifacts
* Add PEP517/518 build declaration (pyproject.toml with setuptools backend)
* Fully move build to setuptools
* Drop Python 3.5 support
* Declare Python 3.9 support
* Update PyPI metadata now that setuptools lets it flow through

Co-authored-by: Matt Davis <mrd@redhat.com>
2021-01-13 16:58:40 -05:00
Ingy döt Net
8a01c99c63 Move test files back into tests/data/ 2020-03-18 21:58:22 +01:00
Riccardo Schirone
5080ba5133 Prevents arbitrary code execution during python/object/new constructor (#386)
* Prevents arbitrary code execution during python/object/new constructor

In FullLoader, the python/object/new constructor, implemented by
construct_python_object_apply, has support for setting the state of a
deserialized instance through the set_python_instance_state method.
After setting the state, some operations are performed on the instance
to complete its initialization; however, it is possible for an attacker
to set the instance's state in such a way that arbitrary code is executed
by the FullLoader.

This patch tries to block such attacks in FullLoader by preventing
set_python_instance_state from setting arbitrary properties. It
implements a blacklist that includes `extend` method (called by
construct_python_object_apply) and all special methods (e.g. __set__,
__setitem__, etc.).

Users who need special attributes being set in the state of a
deserialized object can still do it through the UnsafeLoader, which
however should not be used on untrusted input. Additionally, they can
subclass FullLoader and redefine `get_state_keys_blacklist()` to
extend/replace the list of blacklisted keys, passing the subclassed
loader to yaml.load.

* Make sure python/object/new constructor does not set some properties

* Add test to show how to subclass FullLoader with new blacklist
2020-03-17 19:09:55 +01:00
Tina Müller (tinita)
4fcdcdbf60 Add tests for timezone (#363)
After #163, this adds some test data to check if the datetime objects
return the correct timezone.
2019-12-20 20:38:46 +01:00
Dwight Guth
e1ffe1afaa increase size of index, line, and column fields (#310)
* increase size of index, line, and column fields

* use size_t instead of unsigned long long

* better test infrastructure for test for large file

* only run large file test when env var is set

* fix review comments regarding env vars

* fix missing import on python 3

* force all tests in CI
2019-12-20 20:38:46 +01:00
Hugo van Kemenade
f1ab37df44 Fix for Python 3.10 (#329) 2019-12-20 20:38:46 +01:00
Tina Müller
a826f546c2 Enable certain unicode tests when maxunicode not > 0xffff
They were disabled in d6cbff6620

After #351 the tests are working again
2019-12-20 20:38:46 +01:00
Tina Müller (tinita)
03b378d039 Allow add_multi_constructor with None (#358)
Loader.add_multi_constructor(None, myconstructor)

Also add test for add_multi_constructor('!', ...) etc.

See issue #317
2019-12-07 22:40:48 +01:00
Filip Salomonsson
5a0cfab86f Fix handling of __slots__ (#161) 2019-12-07 22:34:23 +01:00
Tina Müller
d6cbff6620 Skip certain unicode tests when maxunicode not > 0xffff 2019-03-12 16:22:31 -07:00
Tina Müller
07c88c6c1b Allow to turn off sorting keys in Dumper 2019-03-08 09:09:48 -08:00
Tina Müller
857dff153d Apply FullLoader/UnsafeLoader changes to lib3 2019-03-08 09:09:48 -08:00
Ingy döt Net
0cedb2a069 Deprecate/warn usage of yaml.load(input)
The `load` and `load_all` methods will issue a warning when they are
called without the 'Loader=' parameter. The warning will point to a URL
that is always up to date with the latest information on the usage of
`load`.

There are several ways to stop the warning:

* Use `full_load(input)` - sugar for `yaml.load(input, FullLoader)`
  * FullLoader is the new safe but complete loader class
* Use `safe_load(input)` - sugar for `yaml.load(input, SafeLoader)`
  * Make sure your input YAML consists of the 'safe' subset
* Use `unsafe_load(input)` - sugar for `yaml.load(input, UnsafeLoader)`
  * Make sure your input YAML consists of the 'safe' subset
* Use `yaml.load(input, Loader=yaml.<loader>)`
  * Or shorter `yaml.load(input, yaml.<loader>)`
  * Where '<loader>' can be:
    * FullLoader - safe, complete Python YAML loading
    * SafeLoader - safe, partial Python YAML loading
    * UnsafeLoader - more explicit name for the old, unsafe 'Loader' class
* yaml.warnings({'YAMLLoadWarning': False})
  * Use this when you use third party modules that use `yaml.load(input)`
  * Only do this if input is trusted

The above `load()` expressions all have `load_all()` counterparts.

You can get the original unsafe behavior with:
* `yaml.unsafe_load(input)`
* `yaml.load(input, Loader=yaml.UnsafeLoader)`

In a future release, `yaml.load(input)` will raise an exception.

The new loader, called FullLoader, is almost as complete as
Loader/UnsafeLoader, but it avoids all known code execution
paths. It is the preferred YAML loader, and the current default for
`yaml.load(input)` when you get the warning.

Here are some of the exploits that can be triggered with UnsafeLoader
but not with FullLoader:
```
python -c 'import os, yaml; yaml.full_load("!!python/object/new:os.system [echo EXPLOIT!]")'
python -c 'import yaml; print yaml.full_load("!!python/object/new:abs [-5]")'
python -c 'import yaml; yaml.full_load("!!python/object/new:eval [exit(5)]")' ; echo $?
python -c 'import yaml; yaml.full_load("!!python/object/new:exit [5]")' ; echo $?
```
2019-03-08 09:09:48 -08:00
Ingy döt Net
ccc40f3e2b Reverting https://github.com/yaml/pyyaml/pull/74
Revert "Make pyyaml safe by default."

This reverts commit bbcf95fa05.
This reverts commit 7b68405c81.
This reverts commit 517e83e805.
2018-06-30 15:46:56 -07:00
Alex Gaynor
bbcf95fa05 Now, for py3k! 2017-08-26 10:26:01 -05:00
Alex Gaynor
7b68405c81 Make pyyaml safe by default.
Change yaml.load/yaml.dump to be yaml.safe_load/yaml.safe_dump, introduced yaml.danger_dump/yaml.danger_load, and the same for various other classes.

(python2 only at this moment)

Refs #5
2017-08-26 10:26:01 -05:00
Peter Murphy
c67d8df8e4 Suspicious 'expected an exception' messages trimmed 2017-05-10 07:53:42 +10:00
Peter Murphy
c60232d69a Added emoticon test data files (which will probably break testing) 2017-05-09 23:07:36 +10:00
Daniel Beer
c5b135fe39 Allow colon in a plain scalar in a flow context (#45)
* Allow colon in a plain scalar in a flow context

* Restore behavior of flow mapping with empty value
2017-02-08 13:50:53 -06:00
Kirill Simonov
eb9932ac1c Fixed handling --verbose flag in the test appliance. 2016-08-25 22:24:45 -05:00
Kirill Simonov
7eeba34467 removed a test which fails when wheel is imported. 2016-06-16 23:01:38 -05:00
Kirill Simonov
491508b042 Raise an error when test suite failed. 2016-06-15 20:28:10 -05:00
Kirill Simonov
7e1b5fae0b Clear cyclic references in the parser and the emitter to avoid extra GC calls. 2011-05-30 02:51:30 +00:00
Kirill Simonov
1626bb30f5 Fixed tests on the Windows platform. 2009-08-31 09:09:21 +00:00
Kirill Simonov
3889e354cf Fixed another encoding issue. 2009-08-31 08:47:05 +00:00
Kirill Simonov
335c34455d Fixed a problem with a scanner error not detected when no line break at the end of the stream. 2009-08-29 22:12:45 +00:00
Kirill Simonov
fa14e18b38 Fixed emitting of invalid BOM for UTF-16. 2009-08-29 20:59:56 +00:00
Kirill Simonov
706e36ab64 Fixed a problem when CDumper incorrectly serializes a node anchor. 2009-08-29 19:15:31 +00:00
Kirill Simonov
6a62e8e7e0 Final touches before the release. 2008-12-30 18:18:53 +00:00
Kirill Simonov
e2bf4f3a03 Minor compatibility fixes. 2008-12-30 14:55:47 +00:00
Kirill Simonov
bf272b0339 Fixed str/bytes issues with Python 3 in _yaml.pyx. 2008-12-30 13:30:52 +00:00
Kirill Simonov
5f5e9a9494 Handle the encoding of input and output streams in a uniform way. 2008-12-30 04:02:04 +00:00
Kirill Simonov
7d5f9450cf Use Cython if available; added Python 3 support to _yaml.pyx. 2008-12-29 23:21:43 +00:00
Kirill Simonov
ab8d940469 Share data files between Py2 and Py3 test suites. 2008-12-29 19:05:11 +00:00
Kirill Simonov
8e88d11b41 Minor 2.3 and win32 compatibility fixes; clarify the 'feature not found' message in setup.py. 2008-12-28 21:42:35 +00:00
Kirill Simonov
1e842301f4 Fixed an issue with ReaderError generated by the LibYAML wrapper. 2008-12-28 20:41:41 +00:00
Kirill Simonov
aff84ff195 Refactored the test suite; updated include and library paths in setup.cfg. 2008-12-28 20:16:50 +00:00
Kirill Simonov
93f64d3c79 Fixed test errors for LibYAML bindings; added a test on emitting nodes in all possible styles. 2008-12-27 19:09:03 +00:00
Kirill Simonov
7baeadf46f Minor fixes in the test subsystem to prevent failures in LibYAML bindings tests. 2008-12-27 14:54:07 +00:00