From 3847688ab75a052277ff23f4a2421c0d07ceb43f Mon Sep 17 00:00:00 2001 From: Daniel Bengtsson Date: Wed, 12 Feb 2020 12:36:01 +0100 Subject: [PATCH] Remove the yamlutils module. The pyyaml is now safe by default: https://github.com/yaml/pyyaml/pull/74/files https://access.redhat.com/security/cve/CVE-2017-18342 https://github.com/search?q=oslo.serialization+yamlutils+user%3Aopenstack+language%3APython&type=Code So the yamlutils is now useless. No project in OpenStack used this module. We can remove it. Sem-Ver: api-break Change-Id: If0a98f1e15d83131cb309e02f892372f353fa5da --- lower-constraints.txt | 1 - oslo_serialization/tests/test_yamlutils.py | 87 ----------------- oslo_serialization/yamlutils.py | 93 ------------------- .../remove-yamlutils-94c921247ab33003.yaml | 3 + requirements.txt | 2 - 5 files changed, 3 insertions(+), 183 deletions(-) delete mode 100644 oslo_serialization/tests/test_yamlutils.py delete mode 100644 oslo_serialization/yamlutils.py create mode 100644 releasenotes/notes/remove-yamlutils-94c921247ab33003.yaml diff --git a/lower-constraints.txt b/lower-constraints.txt index 22c8304..107c82e 100644 --- a/lower-constraints.txt +++ b/lower-constraints.txt @@ -24,7 +24,6 @@ pyparsing==2.1.0 python-mimeparse==1.6.0 python-subunit==1.0.0 pytz==2013.6 -PyYAML==3.12 requests==2.14.2 requestsexceptions==1.2.0 smmap==0.9.0 diff --git a/oslo_serialization/tests/test_yamlutils.py b/oslo_serialization/tests/test_yamlutils.py deleted file mode 100644 index 4ba72b3..0000000 --- a/oslo_serialization/tests/test_yamlutils.py +++ /dev/null 
@@ -1,87 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import os -import tempfile -import textwrap -import uuid - -from oslotest import base - -from oslo_serialization import yamlutils as yaml - - -class BehaviorTestCase(base.BaseTestCase): - - def test_loading(self): - payload = textwrap.dedent(''' - - foo: bar - - list: - - [one, two] - - {check: yaml, in: test} - ''') - expected = [ - {'foo': 'bar'}, - {'list': None}, - ['one', 'two'], - {'check': 'yaml', 'in': 'test'} - ] - loaded = yaml.load(payload) - self.assertEqual(loaded, expected) - - def test_loading_with_unsafe(self): - payload = textwrap.dedent(''' - !!python/object/apply:os.system ['echo "hello"'] - ''') - loaded = yaml.load(payload, is_safe=False) - expected = 0 - self.assertEqual(loaded, expected) - - def test_dumps(self): - payload = [ - {'foo': 'bar'}, - {'list': None}, - ['one', 'two'], - {'check': 'yaml', 'in': 'test'} - ] - dumped = yaml.dumps(payload) - expected = textwrap.dedent('''\ - - foo: bar - - list: null - - - one - - two - - check: yaml - in: test - ''') - self.assertEqual(dumped, expected) - - def test_dump(self): - payload = [ - {'foo': 'bar'}, - {'list': None}, - ['one', 'two'], - {'check': 'yaml', 'in': 'test'} - ] - tmpfile = os.path.join(tempfile.gettempdir(), str(uuid.uuid4())) - with open(tmpfile, 'w+') as fp: - yaml.dump(payload, fp) - with open(tmpfile, 'r') as fp: - file_content = fp.read() - expected = textwrap.dedent('''\ - - foo: bar - - list: null - - - one - - 
two - - check: yaml - in: test - ''') - self.assertEqual(file_content, expected) diff --git a/oslo_serialization/yamlutils.py b/oslo_serialization/yamlutils.py deleted file mode 100644 index d540164..0000000 --- a/oslo_serialization/yamlutils.py +++ /dev/null 
@@ -1,93 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -"""YAML related utilities. - -The main goal of this module is to standardize yaml management inside -openstack. This module reduce technical debt by avoiding re-implementations -of yaml manager in all the openstack projects. -Use this module inside openstack projects to handle yaml securely and properly. -""" - -from debtcollector import removals -import yaml - - -removals.removed_module( - 'oslo_serialization.yamlutils', version='3.0.0', - removal_version='4.0.0', - message='The oslo_serialization.yamlutils will be removed') - - -def load(stream, is_safe=True): - """Converts a YAML document to a Python object. - - :param stream: the YAML document to convert into a Python object. Accepts - a byte string, a Unicode string, an open binary file object, - or an open text file object. - :param is_safe: Turn off safe loading. True by default and only load - standard YAML. This option can be turned off by - passing ``is_safe=False`` if you need to load not only - standard YAML tags or if you need to construct an - arbitrary python object. - - Stream specifications: - - * An empty stream contains no documents. - * Documents are separated with ``---``. - * Documents may optionally end with ``...``. - * A single document may or may not be marked with ``---``. - - Parses the given stream and returns a Python object constructed - from the first document in the stream. 
If there are no documents - in the stream, it returns None. - """ - yaml_loader = yaml.Loader - if is_safe: - if hasattr(yaml, 'CSafeLoader'): - yaml_loader = yaml.CSafeLoader - else: - yaml_loader = yaml.SafeLoader - return yaml.load(stream, yaml_loader) # nosec B506 - - -def dumps(obj, is_safe=True): - """Converts a Python object to a YAML document. - - :param obj: python object to convert into YAML representation. - :param is_safe: Turn off safe dumping. - - Serializes the given Python object to a string and returns that string. - """ - yaml_dumper = yaml.Dumper - if is_safe: - if hasattr(yaml, 'CSafeDumper'): - yaml_dumper = yaml.CSafeDumper - else: - yaml_dumper = yaml.SafeDumper - return yaml.dump(obj, default_flow_style=False, Dumper=yaml_dumper) - - -def dump(obj, fp, is_safe=True): - """Converts a Python object as a YAML document to ``fp``. - - :param obj: python object to convert into YAML representation. - :param fp: a ``.write()``-supporting file-like object - :param is_safe: Turn off safe dumping. - """ - yaml_dumper = yaml.Dumper - if is_safe: - if hasattr(yaml, 'CSafeDumper'): - yaml_dumper = yaml.CSafeDumper - else: - yaml_dumper = yaml.SafeDumper - return yaml.dump(obj, fp, default_flow_style=False, Dumper=yaml_dumper) diff --git a/releasenotes/notes/remove-yamlutils-94c921247ab33003.yaml b/releasenotes/notes/remove-yamlutils-94c921247ab33003.yaml new file mode 100644 index 0000000..9983b8e --- /dev/null +++ b/releasenotes/notes/remove-yamlutils-94c921247ab33003.yaml @@ -0,0 +1,3 @@ +--- +other: + - Remove the yamlutils, the pyyaml is now safe by default. diff --git a/requirements.txt b/requirements.txt index 9a3a7f1..d8c62c4 100644 --- a/requirements.txt +++ b/requirements.txt @@ -11,5 +11,3 @@ pbr!=2.1.0,>=2.0.0 # Apache-2.0 msgpack>=0.5.2 # Apache-2.0 oslo.utils>=3.33.0 # Apache-2.0 pytz>=2013.6 # MIT -PyYAML>=3.12 # MIT -debtcollector>=1.2.0 # Apache-2.0
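Review bot: The removed `load()` in this hunk selected `CSafeLoader`/`SafeLoader` whenever `is_safe=True`, so the safe loader was the default for every caller, and the commit's premise that PyYAML is "safe by default" does not give callers the same guarantee: as far as I recall, PyYAML >= 5.1 only emits a warning on a Loader-less `yaml.load()` and falls back to `FullLoader`, which is not `SafeLoader` and has since had code-execution CVEs of its own, while `yaml.dump()` likewise defaults to the full `Dumper` rather than the `SafeDumper` the removed `dumps()`/`dump()` used. The deleted `test_loading_with_unsafe` shows exactly what that default was protecting against: `!!python/object/apply:os.system` executes once the unsafe loader is chosen. Because this is an api-break, any consumer migrating from `yamlutils.load(s)` to `yaml.load(s)` silently loses the SafeLoader default, so the release note should steer them to the safe entry points, e.g. `- Remove the yamlutils module; use yaml.safe_load()/yaml.safe_dump() (or Loader=yaml.SafeLoader) instead of a Loader-less yaml.load().` Alternatively, keep a thin `load()`/`dumps()`/`dump()` that forwards to `yaml.safe_load`/`yaml.safe_dump` under the existing debtcollector deprecation rather than deleting the module outright.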