Address security bug in yaml loading#175
Merged
dirk-thomas merged 2 commits into ros2:master on Aug 28, 2020
Conversation
Curate bug similar to ros/actionlib#171. Connected with aliasrobotics/RVD#2401. Signed-off-by: Víctor Mayoral Vilches <v.mayoralv@gmail.com>
dirk-thomas reviewed on Aug 28, 2020
| assert is_file | ||
| with open(file_path, 'r') as h: | ||
| expanded_parameters_dict = yaml.load(h, Loader=yaml.FullLoader) | ||
| expanded_parameters_dict = yaml.safe_load(h, Loader=yaml.FullLoader) |
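Review bot: the replacement line passes `Loader=yaml.FullLoader` to `yaml.safe_load`, but `safe_load` accepts no `Loader` keyword (it always uses `SafeLoader` internally), which is exactly the `TypeError: safe_load() got an unexpected keyword argument 'Loader'` seen in CI. The hardened call should simply be `expanded_parameters_dict = yaml.safe_load(h)`. Since `SafeLoader` is stricter than `FullLoader` (it refuses any tag that would construct Python objects), it is worth confirming that the parameter files these tests load contain only plain YAML types before dropping `FullLoader`.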
Member
This change currently fails CI:
TypeError: safe_load() got an unexpected keyword argument 'Loader'
Member
Since CI (https://ci.ros2.org/view/All/job/test_ci_linux/42/pytest-warnings-with-location/) only marks the first case as a warning I went ahead and reverted the second change in ef54e1c.
Signed-off-by: Dirk Thomas <dirk-thomas@users.noreply.github.com>
dirk-thomas approved these changes on Aug 28, 2020
mjcarroll approved these changes on Aug 28, 2020
Member
@vmayoral I will go ahead and merge the reduced patch for now since it resolves a warning shown in the CI output. If you still think the reverted case needs to be changed please create a follow up pull request. Thanks.
jacobperron pushed a commit that referenced this pull request on Oct 26, 2021:
* Address security bug in yaml loading
  Curate bug similar to ros/actionlib#171. Connected with aliasrobotics/RVD#2401.
  Signed-off-by: Víctor Mayoral Vilches <v.mayoralv@gmail.com>
* revert one of the changes
  Signed-off-by: Dirk Thomas <dirk-thomas@users.noreply.github.com>
Co-authored-by: Dirk Thomas <dirk-thomas@users.noreply.github.com>
jacobperron pushed a commit that referenced this pull request on Nov 16, 2021:
* Address security bug in yaml loading
  Curate bug similar to ros/actionlib#171. Connected with aliasrobotics/RVD#2401.
  Signed-off-by: Víctor Mayoral Vilches <v.mayoralv@gmail.com>
* revert one of the changes
  Signed-off-by: Dirk Thomas <dirk-thomas@users.noreply.github.com>
Co-authored-by: Dirk Thomas <dirk-thomas@users.noreply.github.com>
Though testing code, still worth curating the bug. Similar to ros/actionlib#171 and connected with aliasrobotics/RVD#2401.