From 97ef57e3074bdca92a6ede6271b8c912a32e26d4 Mon Sep 17 00:00:00 2001
From: Daniel Grossmann-Kavanagh
Date: Fri, 15 Mar 2019 21:29:34 +1100
Subject: [PATCH 1/2] bump PyYAML to 5.1 for CVE-2017-18342

---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index ff805bd..eb0b987 100644
--- a/setup.py
+++ b/setup.py
@@ -69,7 +69,7 @@ def run_tests(self):
 },
 install_requires=[
 "jsonschema<3",
- "PyYAML>=3.13",
+ "PyYAML>=5.1",
 "six",
 'pathlib2;python_version=="2.7"',
 ],

From f21bd0e2f78ecc97d1eb6d2cc5c22de0f70b0968 Mon Sep 17 00:00:00 2001
From: Daniel Grossmann-Kavanagh
Date: Fri, 15 Mar 2019 21:43:27 +1100
Subject: [PATCH 2/2] Revert "add security note"

This reverts commit dcd0c2a447be43bb06020f76f166438b812e47df.
---
 README.md | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git a/README.md b/README.md
index d570a36..ef7a9ca 100644
--- a/README.md
+++ b/README.md
@@ -69,21 +69,6 @@ from openapi_spec_validator import openapi_v3_spec_validator
 errors_iterator = openapi_v3_spec_validator.iter_errors(spec)
 ```
-## Security Note
-
-PyYAML, a requirement of this project, has a
-[security vulnerability](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)
-in the default implementation of `yaml.load()`, which allows execution
-of arbitrary code while loading a target file or stream. OpenAPI Spec
-Validator uses a safe loader to ensure that only Python objects
-marked as safe can be executed. Thus, you are not exposed to this
-vulnerability by using this package.
-
-If you use `PyYAML` directly, be sure to use `yaml.safe_load()` to
-avoid inadvertantly exposing youself to potentially malicous data. The
-[PyYAML docs](https://pyyaml.org/wiki/PyYAMLDocumentation#loading-yaml)
-describe this issue in detail.
-
 ## Related projects
 * [openapi-core](https://github.com/p1c2u/openapi-core) is a Python library that adds client-side and server-side support for the OpenAPI.
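Review bot: Raising the floor to `PyYAML>=5.1` does not by itself close CVE-2017-18342, because 5.1 still lets `yaml.load()` be called without a `Loader` argument (it emits a `YAMLLoadWarning` and falls back to `FullLoader` rather than refusing), so the project's own loading code must keep calling `yaml.safe_load()` or passing `Loader=yaml.SafeLoader` explicitly; that call site is outside this hunk and the commit message does not say whether it was re-checked. The changed `install_requires` entry carries no hint of why the floor moved, so a later reader of setup.py cannot distinguish it from a routine bump and may lower it again; `"PyYAML>=5.1",  # floor raised for CVE-2017-18342; spec loading must still use SafeLoader` keeps the reason next to the constraint. Note also that the second patch in this series removes the README paragraph that told downstream users to use `yaml.safe_load()`, so after both patches the only record of the safe-loader requirement is the commit history. The enclosing `setup()` call starts and ends outside the hunk.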