Jira (PUP-7834) Change all calls to YAML.load into YAML.safe_load

2018-08-30 Thread Kris Bosland (JIRA)

Kris Bosland commented on PUP-7834

Merged to master at 1a63db1

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

-- 
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-bugs@googlegroups.com.
Visit this group at https://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/d/optout.


Jira (PUP-7834) Change all calls to YAML.load into YAML.safe_load

2018-08-13 Thread Josh Cooper (JIRA)

Josh Cooper updated an issue

Puppet / PUP-7834

Change By: Josh Cooper

Release Notes Summary: Puppet now uses YAML.safe_load consistently to ensure only known classes are loaded.

Release Notes: Bug Fix


Jira (PUP-7834) Change all calls to YAML.load into YAML.safe_load

2018-08-06 Thread Jayant Sane (JIRA)

Jayant Sane commented on PUP-7834

You are right - I too was indicating MarshalLoad has been implicitly enabled and hence had mistakenly wondered about cipher_test-v3.rb. My bad on cipher_test-v3.rb - for some reason these had ended up in my local puppet repo which I forgot to do a git status on.


Jira (PUP-7834) Change all calls to YAML.load into YAML.safe_load

2018-08-06 Thread Josh Cooper (JIRA)

Josh Cooper commented on PUP-7834

AFAICT Security/MarshalLoad is included in the current .rubocop.yml configuration (for puppet; not sure about other repos). I didn't see cipher_test-v3.rb; is that a PE acceptance thing?


Jira (PUP-7834) Change all calls to YAML.load into YAML.safe_load

2018-08-06 Thread Jayant Sane (JIRA)

Jayant Sane commented on PUP-7834

Wonder if we need to either disable Marshal.Load cop/rule or exclude cipher_test-v3.rb file (two instances that are not under any of the excluded folders)


Jira (PUP-7834) Change all calls to YAML.load into YAML.safe_load

2018-08-04 Thread Josh Cooper (JIRA)

Josh Cooper updated an issue

Puppet / PUP-7834

Change By: Josh Cooper

Team: Platform Core Coremunity


Jira (PUP-7834) Change all calls to YAML.load into YAML.safe_load

2018-08-04 Thread Josh Cooper (JIRA)

Josh Cooper assigned an issue to Josh Cooper

Puppet / PUP-7834

Change By: Josh Cooper

Assignee: Thomas Hallgren Josh Cooper


Jira (PUP-7834) Change all calls to YAML.load into YAML.safe_load

2018-04-02 Thread Josh Cooper (JIRA)

Josh Cooper commented on PUP-7834

See last PR comments.


Jira (PUP-7834) Change all calls to YAML.load into YAML.safe_load

2018-04-02 Thread Josh Cooper (JIRA)

Josh Cooper assigned an issue to Thomas Hallgren

Puppet / PUP-7834

Change By: Josh Cooper

Assignee: Josh Cooper Thomas Hallgren


Jira (PUP-7834) Change all calls to YAML.load into YAML.safe_load

2018-03-19 Thread Josh Cooper (JIRA)

Josh Cooper updated an issue

Puppet / PUP-7834

Change By: Josh Cooper

Sprint: Language Triage Platform Core KANBAN


Jira (PUP-7834) Change all calls to YAML.load into YAML.safe_load

2018-03-08 Thread Josh Cooper (JIRA)

Josh Cooper commented on PUP-7834

Now that we have a 6.0 branch (master), I'd prefer to land this PR there instead of 5.y. LGTM.


Jira (PUP-7834) Change all calls to YAML.load into YAML.safe_load

2018-03-08 Thread Josh Cooper (JIRA)

Josh Cooper updated an issue

Puppet / PUP-7834

Change By: Josh Cooper

Fix Version/s: PUP 6.0.0


Jira (PUP-7834) Change all calls to YAML.load into YAML.safe_load

2018-02-26 Thread Henrik Lindberg (JIRA)

Henrik Lindberg commented on PUP-7834

Josh Cooper What is left to do here? - The questions raised by you on the PR have been answered from what I can see.


Jira (PUP-7834) Change all calls to YAML.load into YAML.safe_load

2017-11-21 Thread Josh Cooper (JIRA)

Josh Cooper updated an issue

Puppet / PUP-7834

Change By: Josh Cooper

Acceptance Criteria: That rubocop can run clean on the puppet source with {{Security/YAMLLoad}} and {{Security/JSONLoad}} enabled.

Now, when all serialization of YAML data is ensured to be {{Data}}, we must also ensure that no unsafe data can be loaded using YAML. Psych provides the method {{YAML.safe_load}} to accomplish this.

We do have some places where we still load objects that are not {{Data}} for backward compatibility causes. We allow {{Symbol}} keys in hiera in some places and we provide a YAML-specific tag for {{Puppet::Node::Facts}} to make it directly deserializable into instances of that class. Such exceptions can (and should) be declared specifically as arguments to {{YAML.safe_load}}.

Also need to review JSON.load

Jira (PUP-7834) Change all calls to YAML.load into YAML.safe_load

2017-09-04 Thread Thomas Hallgren (JIRA)

Thomas Hallgren assigned an issue to Josh Cooper

Puppet / PUP-7834

Change By: Thomas Hallgren

Assignee: Thomas Hallgren Josh Cooper


Jira (PUP-7834) Change all calls to YAML.load into YAML.safe_load

2017-08-11 Thread Thomas Hallgren (JIRA)

Thomas Hallgren assigned an issue to Thomas Hallgren

Puppet / PUP-7834

Change By: Thomas Hallgren

Assignee: Thomas Hallgren


Jira (PUP-7834) Change all calls to YAML.load into YAML.safe_load

2017-08-11 Thread Thomas Hallgren (JIRA)

Thomas Hallgren created an issue

Puppet / PUP-7834

Issue Type: Improvement
Assignee: Unassigned
Created: 2017/08/11 3:40 AM
Priority: Normal
Reporter: Thomas Hallgren

Now, when all serialization of YAML data is ensured to be Data, we must also ensure that no unsafe data can be loaded using YAML. Psych provides the method YAML.safe_load to accomplish this.

We do have some places where we still load objects that are not Data for backward compatibility causes. We allow Symbol keys in hiera in some places and we provide a YAML-specific tag for Puppet::Node::Facts to make it directly deserializable into instances of that class. Such exceptions can (and should) be declared specifically as arguments to YAML.safe_load.
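
The allowlist approach described in the issue, as an added Ruby example that is not part of the thread or of Puppet's code: it shows `YAML.safe_load` refusing a tagged object and a `Symbol` key until each is declared, next to unrestricted loading. `FactsStandIn` and `NotAllowed` are hypothetical classes, the YAML documents are constructed, and the keyword form `permitted_classes:` is the one current Psych versions accept.

```ruby
require 'yaml'

# Hypothetical stand-in for a class the application chooses to allow
# (the issue names Puppet::Node::Facts; this is not Puppet's class).
class FactsStandIn
  attr_reader :name, :values
end

# Hypothetical class that should never be revived from YAML. Psych calls
# init_with while reviving a tagged object, so the counter shows whether
# code in this class ran during deserialization.
class NotAllowed
  class << self; attr_accessor :revived; end
  self.revived = 0

  def init_with(_coder)
    self.class.revived += 1
  end
end

# Constructed sample documents.
FACTS_DOC = <<~DOC
  --- !ruby/object:FactsStandIn
  name: agent01.example.test
  values:
    :os: linux
DOC
UNEXPECTED_DOC = "--- !ruby/object:NotAllowed {}\n"

# Restricted loader: plain data plus the exceptions declared at the call site.
def load_facts(doc)
  YAML.safe_load(doc, permitted_classes: [FactsStandIn, Symbol])
end

# Name of the class safe_load refused, or nil when the document loads.
def rejected_class(doc, permitted = [])
  YAML.safe_load(doc, permitted_classes: permitted)
  nil
rescue Psych::DisallowedClass => e
  e.message[/class: (\S+)/, 1]
end

# Unrestricted loading for contrast (YAML.load before Psych 4,
# YAML.unsafe_load from Psych 4 on): revives any class the document names.
def load_unrestricted(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end
```

With the allowlist in place the unexpected document is rejected before any object of that class is allocated, so `NotAllowed.revived` stays at 0 until the unrestricted loader is used.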