2015-04-04 13:25:24 -03:00
|
|
|
|
|
|
|
|
import yaml
|
|
|
|
|
|
|
|
|
|
class AnInstance:
|
|
|
|
|
|
|
|
|
|
def __init__(self, foo, bar):
|
|
|
|
|
self.foo = foo
|
|
|
|
|
self.bar = bar
|
|
|
|
|
|
|
|
|
|
def __repr__(self):
|
|
|
|
|
try:
|
|
|
|
|
return "%s(foo=%r, bar=%r)" % (self.__class__.__name__,
|
|
|
|
|
self.foo, self.bar)
|
|
|
|
|
except RuntimeError:
|
|
|
|
|
return "%s(foo=..., bar=...)" % self.__class__.__name__
|
|
|
|
|
|
|
|
|
|
class AnInstanceWithState(AnInstance):
|
|
|
|
|
|
|
|
|
|
def __getstate__(self):
|
|
|
|
|
return {'attributes': [self.foo, self.bar]}
|
|
|
|
|
|
|
|
|
|
def __setstate__(self, state):
|
|
|
|
|
self.foo, self.bar = state['attributes']
|
|
|
|
|
|
|
|
|
|
def test_recursive(recursive_filename, verbose=False):
|
|
|
|
|
exec open(recursive_filename, 'rb').read()
|
|
|
|
|
value1 = value
|
|
|
|
|
output1 = None
|
|
|
|
|
value2 = None
|
|
|
|
|
output2 = None
|
|
|
|
|
try:
|
2018-06-29 10:04:58 -07:00
|
|
|
output1 = yaml.dump(value1)
|
Deprecate/warn usage of yaml.load(input)
The `load` and `load_all` methods will issue a warning when they are
called without the 'Loader=' parameter. The warning will point to a URL
that is always up to date with the latest information on the usage of
`load`.
There are several ways to stop the warning:
* Use `full_load(input)` - sugar for `yaml.load(input, FullLoader)`
* FullLoader is the new safe but complete loader class
* Use `safe_load(input)` - sugar for `yaml.load(input, SafeLoader)`
* Make sure your input YAML consists of the 'safe' subset
* Use `unsafe_load(input)` - sugar for `yaml.load(input, UnsafeLoader)`
* Make sure your input YAML consists of the 'safe' subset
* Use `yaml.load(input, Loader=yaml.<loader>)`
* Or shorter `yaml.load(input, yaml.<loader>)`
* Where '<loader>' can be:
* FullLoader - safe, complete Python YAML loading
* SafeLoader - safe, partial Python YAML loading
* UnsafeLoader - more explicit name for the old, unsafe 'Loader' class
* yaml.warnings({'YAMLLoadWarning': False})
* Use this when you use third party modules that use `yaml.load(input)`
* Only do this if input is trusted
The above `load()` expressions all have `load_all()` counterparts.
You can get the original unsafe behavior with:
* `yaml.unsafe_load(input)`
* `yaml.load(input, Loader=yaml.UnsafeLoader)`
In a future release, `yaml.load(input)` will raise an exception.
The new loader called FullLoader is almost entirely complete as
Loader/UnsafeLoader but it does it avoids all known code execution
paths. It is the preferred YAML loader, and the current default for
`yaml.load(input)` when you get the warning.
Here are some of the exploits that can be triggered with UnsafeLoader
but not with FullLoader:
```
python -c 'import os, yaml; yaml.full_load("!!python/object/new:os.system [echo EXPLOIT!]")'`
python -c 'import yaml; print yaml.full_load("!!python/object/new:abs [-5]")'
python -c 'import yaml; yaml.full_load("!!python/object/new:eval [exit(5)]")' ; echo $?
python -c 'import yaml; yaml.full_load("!!python/object/new:exit [5]")' ; echo $?
2019-02-17 19:22:58 -08:00
|
|
|
value2 = yaml.load(output1, yaml.FullLoader)
|
2018-06-29 10:04:58 -07:00
|
|
|
output2 = yaml.dump(value2)
|
2015-04-04 13:25:24 -03:00
|
|
|
assert output1 == output2, (output1, output2)
|
|
|
|
|
finally:
|
|
|
|
|
if verbose:
|
|
|
|
|
#print "VALUE1:", value1
|
|
|
|
|
#print "VALUE2:", value2
|
|
|
|
|
print "OUTPUT1:"
|
|
|
|
|
print output1
|
|
|
|
|
print "OUTPUT2:"
|
|
|
|
|
print output2
|
|
|
|
|
|
|
|
|
|
test_recursive.unittest = ['.recursive']
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
|
import test_appliance
|
|
|
|
|
test_appliance.run(globals())
|
2018-06-29 10:04:58 -07:00
|
|
|
|