nitmir/policyd-rate-limit

Deprecation Warning about yaml.load()

Closed this issue · 4 comments

renky commented

Distribution: ubuntu 20.04
installed via apt
version: policyd-rate-limit_1.0.0-1_all.deb

policyd-rate-limit is throwing a warning:

 /usr/lib/python3/dist-packages/policyd_rate_limit/utils.py:88: YAMLLoadWarning: calling yaml.load() without Loader=... is deprecated, as the default Loader is unsafe. Please read https://msg.pyyaml.org/load for full details.
  self._config = yaml.load(f)

P-EB commented

@nitmir a preference between Loader=FullLoader or Loader=SafeLoader ?

I'll say FullLoader.
It should not be a security issue as we do not load user crafted yaml (only the config written by the admin), and it does not change the current behavior in case someone loads some python structure.

I, personally, do not use python extended yaml, so SafeLoader will also work with my config. What do you think ?

renky commented

From my point of view I think what's not needed doesn't need to be loaded... so if SafeLoader is enough, I'd prefer that - just my 2 cents

P-EB commented

Let's go for a SafeLoader then. :)
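
The trade-off discussed in this thread, as an added example that is not part of the original issue or of policyd-rate-limit's code: passing an explicit `Loader` silences the `YAMLLoadWarning`, a plain config parses identically under `SafeLoader`, and a config using a Python-specific tag only loads under `FullLoader`. The config keys and values are constructed for illustration, and `load_config` and `safe_loader_accepts` are hypothetical helper names.

```python
import yaml

# Constructed sample configs; the keys are illustrative assumptions,
# not copied from policyd-rate-limit's real configuration file.
PLAIN_CONFIG = """
debug: false
limits:
  - [10, 60]
  - [150, 86400]
"""

# Same idea, but using a Python-specific YAML tag ("python extended yaml").
PYTHON_TAGGED_CONFIG = """
limits: !!python/tuple [10, 60]
"""


def load_config(text, loader=yaml.SafeLoader):
    """Parse config text with an explicit Loader.

    Naming the Loader is what removes the YAMLLoadWarning raised by
    a bare yaml.load(f).
    """
    return yaml.load(text, Loader=loader)


def safe_loader_accepts(text):
    """Return True if the text parses under SafeLoader, False if it relies
    on tags that SafeLoader refuses to construct."""
    try:
        load_config(text, yaml.SafeLoader)
        return True
    except yaml.constructor.ConstructorError:
        return False


if __name__ == "__main__":
    print(load_config(PLAIN_CONFIG))
    print("plain config OK under SafeLoader:", safe_loader_accepts(PLAIN_CONFIG))
    print("tagged config OK under SafeLoader:", safe_loader_accepts(PYTHON_TAGGED_CONFIG))
    print(load_config(PYTHON_TAGGED_CONFIG, yaml.FullLoader))
```

Running `safe_loader_accepts` over existing config files before switching loaders shows whether any deployment depends on Python-specific tags.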