fixes #33: PyYAML CVE fixed, using the safe FullLoader

See https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
2019-03-21 12:59:40 +03:00 · 2019-03-21 12:59:40 +03:00 · c65c64acff
parent 29ed7ab4ad
commit c65c64acff
8 changed files with 59 additions and 21 deletions
--- a/.python-version
+++ b/.python-version
@ -0,0 +1,6 @@
+j2cli
+2.7.16
+3.4.9
+3.5.6
+3.6.8
+3.7.2
--- a/.travis.yml
+++ b/.travis.yml
@ -4,23 +4,25 @@ language: python

 matrix:
  include:
-    - python: 2.6
-      env: TOXENV=py
    - python: 2.7
-      env: TOXENV=py
+      env: TOXENV=py27
    - python: 3.4
-      env: TOXENV=py
+      env: TOXENV=py34
    - python: 3.5
-      env: TOXENV=py
+      env: TOXENV=py35
    - python: 3.6
-      env: TOXENV=py
+      env: TOXENV=py36
    - python: 3.7-dev
-      env: TOXENV=py
+      env: TOXENV=py37
    - python: pypy
-      env: TOXENV=py
+      env: TOXENV=pypy
    - python: pypy3
-      env: TOXENV=py
-
+      env: TOXENV=pypy
+    - {python: 3.6, env: TOXENV=py36-pyyaml5.1}
+    - {python: 3.6, env: TOXENV=py36-pyyaml3.13}
+    - {python: 3.6, env: TOXENV=py36-pyyaml3.12}
+    - {python: 3.6, env: TOXENV=py36-pyyaml3.11}
+    - {python: 3.6, env: TOXENV=py36-pyyaml3.10}
 install:
  - pip install tox
 cache:
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,9 @@
+## 0.3.6 (2019-03-21)
+* Fixed support for Python 2.6
+* Dropped Python 2.6 from unit-tests
+* Fixed a warning issued by PyYAML. 
+  See [issue #33](https://github.com/kolypto/j2cli/issues/33)
+
 ## 0.3.5 (2019-01-03)
 * New option: `--undefined` that allows undefined variables
 * Fix: unicode support in environment variables
--- a/6
+++ b/6
@ -7,7 +7,7 @@ SHELL := /bin/bash
 clean:
 	@rm -rf build/ dist/ *.egg-info/ README.md README.rst
 	@pip install -e .  # have to reinstall because we are using self
-README.md: $(shell find misc/ j2cli/)
+README.md: $(shell find j2cli/) $(wildcard misc/_doc/**)
 	@python misc/_doc/README.py | python j2cli/__init__.py -f json -o $@ misc/_doc/README.md.j2
 README.rst: README.md
 	@pandoc -f markdown -t rst -o README.rst README.md
@ -27,7 +27,3 @@ test:
 	@nosetests
 test-tox:
 	@tox
-test-docker:
-	@docker run --rm -it -v `pwd`:/src themattrix/tox
-test-docker-2.6: # temporary, since `themattrix/tox` has faulty 2.6
-	@docker run --rm -it -v $(realpath .):/app mrupgrade/deadsnakes:2.6 bash -c 'cd /app && pip install -e . && pip install nose argparse && nosetests'
--- a/j2cli/context.py
+++ b/j2cli/context.py
@ -85,7 +85,15 @@ def _parse_yaml(data_string):
        $ j2 config.j2 data.yml
        $ cat data.yml | j2 --format=yaml config.j2
    """
-    return yaml.load(data_string)
+    # Loader
+    try:
+        # PyYAML 5.1 supports FullLoader
+        Loader = yaml.FullLoader
+    except AttributeError:
+        # Have to use SafeLoader for older versions
+        Loader = yaml.SafeLoader
+    # Done
+    return yaml.load(data_string, Loader=Loader)

 def _parse_env(data_string):
    """ Data input from environment variables.
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@ -1,4 +1,3 @@
 wheel
 nose
 exdoc
-pyyaml
--- a/setup.py
+++ b/setup.py
@ -15,10 +15,18 @@ Inspired by [mattrobenolt/jinja2-cli](https://github.com/mattrobenolt/jinja2-cli
 """

 from setuptools import setup, find_packages
+import sys
+
+# PyYAML 3.11 was the last to support Python 2.6
+# This code limits pyyaml version for older pythons
+pyyaml_version = 'pyyaml >= 3.10'  # fresh
+if sys.version_info[:2] == (2, 6) or True:
+    pyyaml_version = 'pyyaml<=3.11'
+

 setup(
    name='j2cli',
-    version='0.3.5-1',
+    version='0.3.6-1',
    author='Mark Vartanyan',
    author_email='kolypto@gmail.com',

@ -41,7 +49,7 @@ setup(
        'jinja2 >= 2.7.2',
    ],
    extras_require={
-        'yaml': ['pyyaml',]
+        'yaml': [pyyaml_version,]
    },
    include_package_data=True,
    zip_safe=False,
--- a/tox.ini
+++ b/tox.ini
@ -1,9 +1,22 @@
 [tox]
-envlist=py{26,27,34,35,36,37},pypy
+envlist=py{27,34,35,36,37},pypy,
+    py36-pyyaml5.1
+    py36-pyyaml3.13
+    py36-pyyaml3.12
+    py36-pyyaml3.11
+    py36-pyyaml3.10
 skip_missing_interpreters=True

 [testenv]
-deps=-rrequirements-dev.txt
+deps=
+    -rrequirements-dev.txt
+    py{27,34,35,36},pypy: -e.[yaml]
+    py37: pyyaml
+    py36-pyyaml5.1: pyyaml==5.1
+    py36-pyyaml3.13: pyyaml==3.13
+    py36-pyyaml3.12: pyyaml==3.12
+    py36-pyyaml3.11: pyyaml==3.11
+    py36-pyyaml3.10: pyyaml==3.10
 commands=
    nosetests {posargs:tests/}
 whitelist_externals=make