fix(yaml_serializer): use yaml.SafeLoader

yaml.Loader allows for remote execution of arbitrary Python code during deserialization, which is a security risk. Using SafeLoader prevents that. Also updating unit tests for new changes since last release (new major version with test client changes for aiohttp)
toumorokoshi · Sep 24, 2023 · 2d1da94 · 2d1da94
1 parent ff118e0
commit 2d1da94
Show file tree

Hide file tree

Showing 5 changed files with 7 additions and 6 deletions.
diff --git a/setup.cfg b/setup.cfg
@@ -27,7 +27,7 @@ install_requires =
 
 [options.extras_require]
 test =
-    aiohttp; python_version > '3'
+    aiohttp>=3.0; python_version > '3'
     babel
     flask
     mock

diff --git a/transmute_core/contenttype_serializers/yaml_serializer.py b/transmute_core/contenttype_serializers/yaml_serializer.py
@@ -27,7 +27,7 @@ def load(raw_bytes):
         structure that represents the object.
         """
         try:
-            return yaml.load(raw_bytes, Loader=yaml.Loader)
+            return yaml.load(raw_bytes, Loader=yaml.SafeLoader)
         except yaml.scanner.ScannerError as e:
             raise SerializationException(str(e))
 

diff --git a/transmute_core/object_serializers/cattrs_serializer/__init__.py b/transmute_core/object_serializers/cattrs_serializer/__init__.py
@@ -2,6 +2,7 @@
 from jsonschema_extractor import init_default_extractor
 from .converter import create_cattrs_converter
 from ...exceptions import SerializationException
+from cattrs.errors import ClassValidationError
 
 
 class CattrsSerializer(ObjectSerializer):
@@ -36,7 +37,7 @@ def load(self, model, value):
         """
         try:
             return self._cattrs_converter.structure(value, model)
-        except (ValueError, TypeError) as e:
+        except (ValueError, TypeError, ClassValidationError) as e:
             raise SerializationException(str(e))
 
     def dump(self, model, value):

diff --git a/transmute_core/object_serializers/cattrs_serializer/converter.py b/transmute_core/object_serializers/cattrs_serializer/converter.py
@@ -1,5 +1,5 @@
 # from .cattrs_extended_converter import ExtendedConverter
-from cattr import Converter
+from cattrs import Converter
 from datetime import datetime
 from ...compat import string_type
 from schematics.models import Model

diff --git a/transmute_core/tests/frameworks/test_aiohttp/conftest.py b/transmute_core/tests/frameworks/test_aiohttp/conftest.py
@@ -16,5 +16,5 @@ def app(loop):
 
 
 @pytest.fixture
-def cli(app, loop, test_client):
-    return loop.run_until_complete(test_client(app))
+def cli(app, loop, aiohttp_client):
+    return loop.run_until_complete(aiohttp_client(app))
-Original file line number
+Diff line change
@@ Expand Up / @@ -27,7 +27,7 @@ install_requires = @@
     [options.extras_require]
     test =
-        aiohttp; python_version > '3'
+        aiohttp>=3.0; python_version > '3'
         babel
         flask
         mock
@@ Expand Down @@