pyyaml/tests/lib/test_errors.py


import yaml, test_emitter

def test_loader_error(error_filename, verbose=False):
    try:
        list(yaml.load_all(open(error_filename, 'rb'), yaml.FullLoader))
    except yaml.YAMLError, exc:
        if verbose:
            print "%s:" % exc.__class__.__name__, exc
    else:
        raise AssertionError("expected an exception")

test_loader_error.unittest = ['.loader-error']

def test_loader_error_string(error_filename, verbose=False):
    try:
        list(yaml.load_all(open(error_filename, 'rb').read(), yaml.FullLoader))
    except yaml.YAMLError, exc:
        if verbose:
            print "%s:" % exc.__class__.__name__, exc
    else:
        raise AssertionError("expected an exception")

test_loader_error_string.unittest = ['.loader-error']

def test_loader_error_single(error_filename, verbose=False):
    try:
        yaml.load(open(error_filename, 'rb').read(), yaml.FullLoader)
    except yaml.YAMLError, exc:
        if verbose:
            print "%s:" % exc.__class__.__name__, exc
    else:
        raise AssertionError("expected an exception")

test_loader_error_single.unittest = ['.single-loader-error']

def test_emitter_error(error_filename, verbose=False):
    events = list(yaml.load(open(error_filename, 'rb'),
                    Loader=test_emitter.EventsLoader))
    try:
        yaml.emit(events)
    except yaml.YAMLError, exc:
        if verbose:
            print "%s:" % exc.__class__.__name__, exc
    else:
        raise AssertionError("expected an exception")

test_emitter_error.unittest = ['.emitter-error']

def test_dumper_error(error_filename, verbose=False):
    code = open(error_filename, 'rb').read()
    try:
        import yaml
        from StringIO import StringIO
        exec code
    except yaml.YAMLError, exc:
        if verbose:
            print "%s:" % exc.__class__.__name__, exc
    else:
        raise AssertionError("expected an exception")

test_dumper_error.unittest = ['.dumper-error']

if __name__ == '__main__':
    import test_appliance
    test_appliance.run(globals())
scanner: use infinitive verb after auxiliary word could Could, as well as should, shall, must, may, can, might, etc. are auxiliary words. After an auxiliary word should come an infinitive verb. 2015-04-04 13:25:24 -03:00
			`import yaml, test_emitter`

			`def test_loader_error(error_filename, verbose=False):`
			`try:`
Deprecate/warn usage of yaml.load(input) The `load` and `load_all` methods will issue a warning when they are called without the 'Loader=' parameter. The warning will point to a URL that is always up to date with the latest information on the usage of `load`. There are several ways to stop the warning: * Use `full_load(input)` - sugar for `yaml.load(input, FullLoader)` * FullLoader is the new safe but complete loader class * Use `safe_load(input)` - sugar for `yaml.load(input, SafeLoader)` * Make sure your input YAML consists of the 'safe' subset * Use `unsafe_load(input)` - sugar for `yaml.load(input, UnsafeLoader)` * Make sure your input YAML consists of the 'safe' subset * Use `yaml.load(input, Loader=yaml.<loader>)` * Or shorter `yaml.load(input, yaml.<loader>)` * Where '<loader>' can be: * FullLoader - safe, complete Python YAML loading * SafeLoader - safe, partial Python YAML loading * UnsafeLoader - more explicit name for the old, unsafe 'Loader' class * yaml.warnings({'YAMLLoadWarning': False}) * Use this when you use third party modules that use `yaml.load(input)` * Only do this if input is trusted The above `load()` expressions all have `load_all()` counterparts. You can get the original unsafe behavior with: * `yaml.unsafe_load(input)` * `yaml.load(input, Loader=yaml.UnsafeLoader)` In a future release, `yaml.load(input)` will raise an exception. The new loader called FullLoader is almost entirely complete as Loader/UnsafeLoader but it does it avoids all known code execution paths. It is the preferred YAML loader, and the current default for `yaml.load(input)` when you get the warning. Here are some of the exploits that can be triggered with UnsafeLoader but not with FullLoader: ``` python -c 'import os, yaml; yaml.full_load("!!python/object/new:os.system [echo EXPLOIT!]")'` python -c 'import yaml; print yaml.full_load("!!python/object/new:abs [-5]")' python -c 'import yaml; yaml.full_load("!!python/object/new:eval [exit(5)]")' ; echo $? python -c 'import yaml; yaml.full_load("!!python/object/new:exit [5]")' ; echo $? 2019-02-17 19:22:58 -08:00			`list(yaml.load_all(open(error_filename, 'rb'), yaml.FullLoader))`
scanner: use infinitive verb after auxiliary word could Could, as well as should, shall, must, may, can, might, etc. are auxiliary words. After an auxiliary word should come an infinitive verb. 2015-04-04 13:25:24 -03:00			`except yaml.YAMLError, exc:`
			`if verbose:`
			`print "%s:" % exc.__class__.__name__, exc`
			`else:`
			`raise AssertionError("expected an exception")`

			`test_loader_error.unittest = ['.loader-error']`

			`def test_loader_error_string(error_filename, verbose=False):`
			`try:`
Deprecate/warn usage of yaml.load(input) The `load` and `load_all` methods will issue a warning when they are called without the 'Loader=' parameter. The warning will point to a URL that is always up to date with the latest information on the usage of `load`. There are several ways to stop the warning: * Use `full_load(input)` - sugar for `yaml.load(input, FullLoader)` * FullLoader is the new safe but complete loader class * Use `safe_load(input)` - sugar for `yaml.load(input, SafeLoader)` * Make sure your input YAML consists of the 'safe' subset * Use `unsafe_load(input)` - sugar for `yaml.load(input, UnsafeLoader)` * Make sure your input YAML consists of the 'safe' subset * Use `yaml.load(input, Loader=yaml.<loader>)` * Or shorter `yaml.load(input, yaml.<loader>)` * Where '<loader>' can be: * FullLoader - safe, complete Python YAML loading * SafeLoader - safe, partial Python YAML loading * UnsafeLoader - more explicit name for the old, unsafe 'Loader' class * yaml.warnings({'YAMLLoadWarning': False}) * Use this when you use third party modules that use `yaml.load(input)` * Only do this if input is trusted The above `load()` expressions all have `load_all()` counterparts. You can get the original unsafe behavior with: * `yaml.unsafe_load(input)` * `yaml.load(input, Loader=yaml.UnsafeLoader)` In a future release, `yaml.load(input)` will raise an exception. The new loader called FullLoader is almost entirely complete as Loader/UnsafeLoader but it does it avoids all known code execution paths. It is the preferred YAML loader, and the current default for `yaml.load(input)` when you get the warning. Here are some of the exploits that can be triggered with UnsafeLoader but not with FullLoader: ``` python -c 'import os, yaml; yaml.full_load("!!python/object/new:os.system [echo EXPLOIT!]")'` python -c 'import yaml; print yaml.full_load("!!python/object/new:abs [-5]")' python -c 'import yaml; yaml.full_load("!!python/object/new:eval [exit(5)]")' ; echo $? python -c 'import yaml; yaml.full_load("!!python/object/new:exit [5]")' ; echo $? 2019-02-17 19:22:58 -08:00			`list(yaml.load_all(open(error_filename, 'rb').read(), yaml.FullLoader))`
scanner: use infinitive verb after auxiliary word could Could, as well as should, shall, must, may, can, might, etc. are auxiliary words. After an auxiliary word should come an infinitive verb. 2015-04-04 13:25:24 -03:00			`except yaml.YAMLError, exc:`
			`if verbose:`
			`print "%s:" % exc.__class__.__name__, exc`
			`else:`
			`raise AssertionError("expected an exception")`

			`test_loader_error_string.unittest = ['.loader-error']`

			`def test_loader_error_single(error_filename, verbose=False):`
			`try:`
Deprecate/warn usage of yaml.load(input) The `load` and `load_all` methods will issue a warning when they are called without the 'Loader=' parameter. The warning will point to a URL that is always up to date with the latest information on the usage of `load`. There are several ways to stop the warning: * Use `full_load(input)` - sugar for `yaml.load(input, FullLoader)` * FullLoader is the new safe but complete loader class * Use `safe_load(input)` - sugar for `yaml.load(input, SafeLoader)` * Make sure your input YAML consists of the 'safe' subset * Use `unsafe_load(input)` - sugar for `yaml.load(input, UnsafeLoader)` * Make sure your input YAML consists of the 'safe' subset * Use `yaml.load(input, Loader=yaml.<loader>)` * Or shorter `yaml.load(input, yaml.<loader>)` * Where '<loader>' can be: * FullLoader - safe, complete Python YAML loading * SafeLoader - safe, partial Python YAML loading * UnsafeLoader - more explicit name for the old, unsafe 'Loader' class * yaml.warnings({'YAMLLoadWarning': False}) * Use this when you use third party modules that use `yaml.load(input)` * Only do this if input is trusted The above `load()` expressions all have `load_all()` counterparts. You can get the original unsafe behavior with: * `yaml.unsafe_load(input)` * `yaml.load(input, Loader=yaml.UnsafeLoader)` In a future release, `yaml.load(input)` will raise an exception. The new loader called FullLoader is almost entirely complete as Loader/UnsafeLoader but it does it avoids all known code execution paths. It is the preferred YAML loader, and the current default for `yaml.load(input)` when you get the warning. Here are some of the exploits that can be triggered with UnsafeLoader but not with FullLoader: ``` python -c 'import os, yaml; yaml.full_load("!!python/object/new:os.system [echo EXPLOIT!]")'` python -c 'import yaml; print yaml.full_load("!!python/object/new:abs [-5]")' python -c 'import yaml; yaml.full_load("!!python/object/new:eval [exit(5)]")' ; echo $? python -c 'import yaml; yaml.full_load("!!python/object/new:exit [5]")' ; echo $? 2019-02-17 19:22:58 -08:00			`yaml.load(open(error_filename, 'rb').read(), yaml.FullLoader)`
scanner: use infinitive verb after auxiliary word could Could, as well as should, shall, must, may, can, might, etc. are auxiliary words. After an auxiliary word should come an infinitive verb. 2015-04-04 13:25:24 -03:00			`except yaml.YAMLError, exc:`
			`if verbose:`
			`print "%s:" % exc.__class__.__name__, exc`
			`else:`
			`raise AssertionError("expected an exception")`

			`test_loader_error_single.unittest = ['.single-loader-error']`

			`def test_emitter_error(error_filename, verbose=False):`
			`events = list(yaml.load(open(error_filename, 'rb'),`
			`Loader=test_emitter.EventsLoader))`
			`try:`
			`yaml.emit(events)`
			`except yaml.YAMLError, exc:`
			`if verbose:`
			`print "%s:" % exc.__class__.__name__, exc`
			`else:`
			`raise AssertionError("expected an exception")`

			`test_emitter_error.unittest = ['.emitter-error']`

			`def test_dumper_error(error_filename, verbose=False):`
			`code = open(error_filename, 'rb').read()`
			`try:`
			`import yaml`
			`from StringIO import StringIO`
			`exec code`
			`except yaml.YAMLError, exc:`
			`if verbose:`
			`print "%s:" % exc.__class__.__name__, exc`
			`else:`
			`raise AssertionError("expected an exception")`

			`test_dumper_error.unittest = ['.dumper-error']`

			`if __name__ == '__main__':`
			`import test_appliance`
			`test_appliance.run(globals())`