freedomofpress/securedrop-proxy

[securedrop-proxy] Update pyyaml when 4.2 release is available

redshiftzero opened this issue · 1 comment

Description

We got a GitHub security alert regarding a CVE in pyyaml: CVE-2017-18342. The fix, merged in the pyyaml repo, renames safe_load to load and load to danger_load. We're not using safe_load for this project, which we should do in the beta release if pyyaml 4.2 is not ready. This is acceptable for now because:

  • The only YAML load call in this project is for the proxy config, which is generated via the workstation provisioning code running in dom0.
  • This project is in alpha stage and is not used in any production environments.

We shouldn't update to the latest yet due to the fact that the only 4.2* versions available on PyPI are marked as pre-release; see yaml/pyyaml#193 for the full details.

tl;dr We should wait until pyyaml 4.2 is officially released and then update.

The fix got reverted. Just make sure you use safe_load() and you will be fine :)
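The mitigation agreed on in this thread, as an added example that is not code from the securedrop-proxy repository: parse the proxy config with `yaml.safe_load` and validate its shape, so that a document carrying a Python-specific tag is refused instead of being turned into a Python object. It assumes PyYAML is installed; the config keys (`host`, `scheme`, `port`) and both sample documents are constructed for illustration, not the project's real schema.

```python
# Added example (not from securedrop-proxy): load the proxy config with the
# safe loader so that only standard YAML types are constructed.
# Assumes PyYAML is installed; the keys below are illustrative, not the real schema.
import yaml

# Constructed sample of a well-formed proxy config.
GOOD_CONFIG = """\
host: proxy.example.invalid
scheme: https
port: 8443
"""

# Constructed sample carrying a Python-specific tag. The unsafe yaml.load
# loader resolves such tags to Python objects; the safe loader only knows the
# standard YAML tags and raises ConstructorError instead.
TAGGED_CONFIG = """\
host: !!python/name:builtins.str
scheme: https
port: 8443
"""

REQUIRED_KEYS = {"host", "scheme", "port"}


def load_proxy_config(text):
    """Parse a proxy config and check it is a mapping with the expected keys.

    Raises ValueError for structural problems; yaml.YAMLError propagates for
    documents the safe loader refuses to construct.
    """
    data = yaml.safe_load(text)
    if not isinstance(data, dict):
        raise ValueError("config must be a YAML mapping")
    missing = REQUIRED_KEYS - set(data)
    if missing:
        raise ValueError("config is missing keys: " + ", ".join(sorted(missing)))
    port = data["port"]
    if not isinstance(port, int) or not 0 < port < 65536:
        raise ValueError("port must be an integer in 1..65535")
    return data


def is_rejected(text):
    """True if either the safe loader or the schema check refuses the document."""
    try:
        load_proxy_config(text)
    except (yaml.YAMLError, ValueError):
        return True
    return False


if __name__ == "__main__":
    print(load_proxy_config(GOOD_CONFIG))
    print("tagged document rejected:", is_rejected(TAGGED_CONFIG))
```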