Simone Pelosi has proposed merging ~pelpsi/txpkgupload:fix-yaml-load into txpkgupload:master.
Commit message: Use yaml.safe_load instead of yaml.load The application performs deserialization by invoking the function 'yaml.load()'. When called without an explicit Loader, this function is vulnerable to remote code execution through deserialization when handling untrusted input. Requested reviews: Launchpad code reviewers (launchpad-reviewers) For more details, see: https://code.launchpad.net/~pelpsi/txpkgupload/+git/txpkgupload/+merge/487666 -- Your team Launchpad code reviewers is requested to review the proposed merge of ~pelpsi/txpkgupload:fix-yaml-load into txpkgupload:master.
diff --git a/developing.rst b/developing.rst
new file mode 100644
index 0000000..d7a84c6
--- /dev/null
+++ b/developing.rst
@@ -0,0 +1,44 @@
+How to set up a development environment
+***************************************
+
+First of all, it is recommended that you create an lxc container, since the
+following steps will make changes in your system.
+And since some build types will only work with virtualized containers, creating an
+lxc vm is the best way to go.
+
+You can learn more about LXC and set them up
+here: https://ubuntu.com/server/docs/lxd-containers
+
+
+PS: If you just want to run the test suite, creating a container is
+sufficient.
+
+You can create a VM with the following command:
+
+.. code:: bash
+
+    lxc launch --vm ubuntu:focal txpkgupload
+
+Note that you may want to have a profile to share the source code with the
+container before running the above command.
+
+Next switch into the vm:
+
+.. code:: bash
+
+    lxc shell txpkgupload
+
+Then, inside the container clone the repo and install the necessary dependencies:
+
+.. code:: bash
+
+    git clone https://git.launchpad.net/txpkgupload
+    cd txpkgupload
+    sudo apt install make virtualenv build-essential libssl-dev libffi-dev python3-dev
+    make
+
+This should be enough for you to be able to run the test suite:
+
+.. code:: bash
+
+    make check
diff --git a/src/txpkgupload/plugin.py b/src/txpkgupload/plugin.py
index a1df540..c9287a1 100644
--- a/src/txpkgupload/plugin.py
+++ b/src/txpkgupload/plugin.py
@@ -143,7 +143,7 @@ class Config(Schema):
     @classmethod
     def parse(cls, stream):
         """Load a YAML configuration from `stream` and validate."""
-        return cls.to_python(yaml.load(stream))
+        return cls.to_python(yaml.safe_load(stream))
 
     @classmethod
     def load(cls, filename):
diff --git a/src/txpkgupload/tests/test_plugin.py b/src/txpkgupload/tests/test_plugin.py
index 20740d6..13123f9 100644
--- a/src/txpkgupload/tests/test_plugin.py
+++ b/src/txpkgupload/tests/test_plugin.py
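Review bot: The docstring of `Config.parse` in the src/txpkgupload/plugin.py hunk should record that the safe loader is now in use, because `yaml.safe_load` constructs only standard YAML types and raises `yaml.constructor.ConstructorError` on a document that carries application-specific tags, which is a behavioural change for any existing configuration relying on them. A one-line addition suffices: `"""Load a YAML configuration from `stream` with the safe loader (standard YAML types only) and validate."""`. The change also lacks a regression test; a test feeding `parse` a document with a non-standard tag and asserting it is rejected would keep the unsafe loader from being reintroduced, though I cannot see the existing test layout for this class from here. The rest of `Config` and the body of `load` are outside the hunk.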
@@ -212,12 +212,12 @@ class PkgUploadFixture(DeferringFixture):
         top = os.path.join(
             os.path.dirname(__file__), os.pardir, os.pardir, os.pardir)
         with open(os.path.join(top, "etc", "txpkgupload.yaml")) as stream:
-            config = yaml.load(stream)
+            config = yaml.safe_load(stream)
         config["access_log"] = os.path.join(
             self.root, "txpkgupload-access.log")
         if self.extra_config is not None:
             deep_update(
-                config, yaml.load(io.StringIO(self.extra_config)))
+                config, yaml.safe_load(io.StringIO(self.extra_config)))
         # Make some paths absolute to cope with tests running in a different
         # working directory.
         for key in ("host_key_private", "host_key_public"):
@@ -282,7 +282,7 @@ class FTPServer(DeferringFixture):
         top = os.path.join(
             os.path.dirname(__file__), os.pardir, os.pardir, os.pardir)
         with open(os.path.join(top, "etc", "txpkgupload.yaml")) as stream:
-            config = yaml.load(stream)
+            config = yaml.safe_load(stream)
         self.port = config["ftp"]["port"]
 
     def _setUp(self):
@@ -419,7 +419,7 @@ class SFTPServer(DeferringFixture):
         top = os.path.join(
             os.path.dirname(__file__), os.pardir, os.pardir, os.pardir)
         with open(os.path.join(top, "etc", "txpkgupload.yaml")) as stream:
-            config = yaml.load(stream)
+            config = yaml.safe_load(stream)
         self.port = int(config["sftp"]["port"].partition(':')[2])
         self.test_private_key = os.path.join(
             os.path.dirname(__file__), "txpkgupload-sftp")
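Review bot: The same four-line "locate etc/txpkgupload.yaml and parse it" sequence is repeated in the three hunks of this file (PkgUploadFixture at -212, FTPServer at -282 and SFTPServer at -419), so the loader choice lives in three places and this commit had to touch all three; a module-level helper would keep it in one. Each fixture would then reduce to `config = _read_default_config()`. Separately, in the first hunk `yaml.safe_load` accepts a string directly, so `yaml.safe_load(io.StringIO(self.extra_config))` can be `yaml.safe_load(self.extra_config)`. The methods containing these lines begin and end outside the hunks, so the surrounding code is assumed from context.
```python
def _read_default_config():
    """Parse etc/txpkgupload.yaml from the source tree with the safe loader."""
    top = os.path.join(
        os.path.dirname(__file__), os.pardir, os.pardir, os.pardir)
    with open(os.path.join(top, "etc", "txpkgupload.yaml")) as stream:
        return yaml.safe_load(stream)

# … unchanged: fixture classes, each now calling config = _read_default_config() …
```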