From 53af62e009b414b5595a1e3c21eda653a19674a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Per=20H=C3=B8gfeldt?=
Date: Tue, 19 Mar 2019 20:08:46 +0100
Subject: [PATCH] Merge pull request #466: replace yaml.load with yaml.safe_load

The use of yaml.load(input) is deprecated, because of an security exploit see: https://msg.pyyaml.org/load All use of 'yaml.load(input) has been changed to 'yaml.safe_load(input)', all tests seems to pass. Fixes #462
---
 bioconda_utils/update.py | 2 +-
 bioconda_utils/utils.py | 14 +++++++-------
 test/helpers.py | 4 ++--
 test/test_hosters.py | 2 +-
 test/test_utils.py | 2 +-
 5 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/bioconda_utils/update.py b/bioconda_utils/update.py
index 269c5af7c0..bac36ff0e1 100644
--- a/bioconda_utils/update.py
+++ b/bioconda_utils/update.py
@@ -218,7 +218,7 @@ class Blacklisted(EndProcessingItem):
 def __init__(self, scanner, config_fn: str) -> None:
 super().__init__(scanner)
 with open(config_fn, "r") as config_fdes:
- config = yaml.load(config_fdes)
+ config = yaml.safe_load(config_fdes)
 blacklists = [os.path.join(os.path.dirname(config_fn), bl) for bl in config['blacklists']]
 self.blacklisted = utils.get_blacklist(blacklists, scanner.recipe_folder)
diff --git a/bioconda_utils/utils.py b/bioconda_utils/utils.py
index defcac9620..83ff4fa8d8 100644
--- a/bioconda_utils/utils.py
+++ b/bioconda_utils/utils.py
@@ -309,7 +309,7 @@ def load_meta_fast(recipe: str, env=None):
 try:
 pth = os.path.join(recipe, 'meta.yaml')
 template = jinja_silent_undef.from_string(open(pth, 'r', encoding='utf-8').read())
- meta = yaml.load(template.render(env))
+ meta = yaml.safe_load(template.render(env))
 return (meta, recipe)
 except Exception: raise ValueError('Problem inspecting {0}'.format(recipe))
@@ -473,7 +473,7 @@ def __init__(self, env):
 """
 if isinstance(env, str):
 with open(env) as f:
- self.env = yaml.load(f)
+ self.env = yaml.safe_load(f)
 else: self.env = env
 for key, val in self.env.items():
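Review bot: `yaml.safe_load` returns `None` for an empty file and a list or scalar for a non-mapping document, yet the `Blacklisted.__init__` hunk in bioconda_utils/update.py indexes `config['blacklists']` immediately after the load, so a truncated or malformed config surfaces as a bare `TypeError` or `KeyError`. A guard directly after the load, such as `if not isinstance(config, dict) or 'blacklists' not in config: raise ValueError('invalid config: ' + config_fn)`, makes the failure explicit. The same unchecked shape appears at `self.env.items()` in the `@@ -473` hunk and at `yaml.safe_load(orig_config)['blacklists']` in the `@@ -738` hunk of bioconda_utils/utils.py. The method bodies continue outside these hunks.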
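Review bot: In `load_meta_fast` (the `@@ -309` hunk of bioconda_utils/utils.py) the recipe text is still rendered through `jinja_silent_undef.from_string(...).render(env)` before it reaches `yaml.safe_load`, so the safe loader only covers the YAML half of processing a contributed `meta.yaml`. The definition of `jinja_silent_undef` is outside the hunk; it is worth confirming that it is built on `jinja2.sandbox.SandboxedEnvironment` rather than a plain `Environment`. Separately, the `except Exception:` branch discards the underlying parser or template error; `except Exception as exc:` with `raise ValueError('Problem inspecting {0}'.format(recipe)) from exc` keeps the cause available for triage.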
@@ -738,14 +738,14 @@ def newly_unblacklisted(config_file, recipe_folder, git_range):
 # config file and then all the original blacklists it had listed
 previous = set()
 orig_config = file_from_commit(git_range[0], config_file)
- for bl in yaml.load(orig_config)['blacklists']:
+ for bl in yaml.safe_load(orig_config)['blacklists']:
 with open('.tmp.blacklist', 'w', encoding='utf8') as fout:
 fout.write(file_from_commit(git_range[0], bl))
 previous.update(get_blacklist(['.tmp.blacklist'], recipe_folder))
 os.unlink('.tmp.blacklist')
 current = get_blacklist(
- yaml.load(
+ yaml.safe_load(
 file_from_commit(git_range[1], config_file))['blacklists'], recipe_folder)
 results = previous.difference(current)
@@ -915,11 +915,11 @@ def validate_config(config):
 directly. """
 if not isinstance(config, dict):
- config = yaml.load(open(config))
+ config = yaml.safe_load(open(config))
 fn = pkg_resources.resource_filename( 'bioconda_utils', 'config.schema.yaml' )
- schema = yaml.load(open(fn))
+ schema = yaml.safe_load(open(fn))
 validate(config, schema)
@@ -941,7 +941,7 @@ def relpath(p):
 else:
 def relpath(p): return os.path.join(os.path.dirname(path), p)
- config = yaml.load(open(path))
+ config = yaml.safe_load(open(path))
 def get_list(key): # always return empty list, also if NoneType is defined in yaml
diff --git a/test/helpers.py b/test/helpers.py
index bac61b46fc..b22ceba80a 100644
--- a/test/helpers.py
+++ b/test/helpers.py
@@ -92,10 +92,10 @@ def __init__(self, data, from_string=False):
 if from_string:
 self.data = dedent(data)
- self.recipes = yaml.load(data)
+ self.recipes = yaml.safe_load(data)
 else:
 self.data = os.path.join(os.path.dirname(__file__), data)
- self.recipes = yaml.load(open(self.data))
+ self.recipes = yaml.safe_load(open(self.data))
 def write_recipes(self): basedir = tempfile.mkdtemp()
diff --git a/test/test_hosters.py b/test/test_hosters.py
index e722b2a8ae..d747d52398 100644
--- a/test/test_hosters.py
+++ b/test/test_hosters.py
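Review bot: The loop in `newly_unblacklisted` (`@@ -738` hunk) writes every historical blacklist to the fixed relative path `.tmp.blacklist` in the current working directory, which collides between concurrent runs, writes through any pre-existing symlink of that name, and is left behind when `get_blacklist` raises before `os.unlink` is reached. A uniquely named file from `tempfile` removed in a `finally:` avoids all three; this assumes `tempfile` is imported in utils.py and that `get_blacklist` does not depend on the file's name, neither of which the hunk shows. The function body starts and ends outside the hunk.

```python
for bl in yaml.safe_load(orig_config)['blacklists']:
    # unique, private temp file instead of a fixed name in the CWD
    with tempfile.NamedTemporaryFile(
            'w', encoding='utf8', suffix='.blacklist', delete=False) as fout:
        fout.write(file_from_commit(git_range[0], bl))
    try:
        previous.update(get_blacklist([fout.name], recipe_folder))
    finally:
        # remove the file even when get_blacklist raises
        os.unlink(fout.name)
# … unchanged: current = get_blacklist(...) and previous.difference(current) …
```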
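Review bot: `yaml.safe_load(open(config))` and `yaml.safe_load(open(fn))` in `validate_config` (`@@ -915` hunk) never close the file objects they open, leaving cleanup to the garbage collector. Wrapping each load, e.g. `with open(fn) as fh: schema = yaml.safe_load(fh)`, closes the handle deterministically and matches the `with open(...)` style already used in update.py. The same pattern recurs in `yaml.safe_load(open(path))` (`@@ -941`), `open(pth, ...)` in `load_meta_fast` (`@@ -309`), `yaml.safe_load(open(self.data))` in test/helpers.py and the `open(...).read()` call in test/test_utils.py.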
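Review bot: In the `from_string` branch of test/helpers.py, `self.data` is set to `dedent(data)` but the loader is given the original, un-dedented `data`, so the stored text and the parsed recipes can diverge. `self.recipes = yaml.safe_load(self.data)` keeps the two in step. The `__init__` body starts outside the hunk.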
@@ -9,7 +9,7 @@
 with open(op.join(op.dirname(__file__), "hoster_cases.yaml")) as data:
- TEST_CASES = yaml.load(data)
+ TEST_CASES = yaml.safe_load(data)
 TEST_CASE_LIST = [
diff --git a/test/test_utils.py b/test/test_utils.py
index c28ec9a857..59c8cb2696 100644
--- a/test/test_utils.py
+++ b/test/test_utils.py
@@ -592,7 +592,7 @@ def test_rendering_sandboxing():
 tmp = tempfile.mkdtemp()
 target = 'info/recipe/meta.yaml'
 t.extract(target, path=tmp)
- contents = yaml.load(open(os.path.join(tmp, target)).read())
+ contents = yaml.safe_load(open(os.path.join(tmp, target)).read())
 assert contents['extra']['var2'] == 'conda-val-here', contents