
yaml.load() without Loader=... is deprecated #462

Closed
Hogfeldt opened this issue Mar 15, 2019 · 10 comments · Fixed by #466
Comments

@Hogfeldt
Contributor

Hogfeldt commented Mar 15, 2019

When running bioconda-utils build I get a lot of warnings regarding calling yaml.load() without specifying the Loader = ... parameter. Here is an example of the warning:

/home/fuan/miniconda3/envs/bioconda_recipe_gen/lib/python3.6/site-packages/bioconda_utils/utils.py:965: 
YAMLLoadWarning: calling yaml.load() without Loader=... is deprecated, as the default Loader is unsafe. Please read https://msg.pyyaml.org/load for full details.
  config = yaml.load(open(config))

The link (https://msg.pyyaml.org/load) explains how the team behind PyYAML has decided to deal with an exploit allowing arbitrary python functions to be called via yaml.load().

I'm not sure if my next problem is related to the above mentioned warnings, but when I get to 16:10:01 BIOCONDA INFO Determining expected packages, an error occurs and the program stops running. Below is the error message:

Traceback (most recent call last):
  File "/home/fuan/miniconda3/envs/bioconda_recipe_gen/bin/bioconda-utils", line 10, in <module>
    sys.exit(main())
  File "/home/fuan/miniconda3/envs/bioconda_recipe_gen/lib/python3.6/site-packages/bioconda_utils/cli.py", line 662, in main
    bioconductor_skeleton, pypi_check, clean_cran_skeleton,
  File "/home/fuan/miniconda3/envs/bioconda_recipe_gen/lib/python3.6/site-packages/argh/dispatching.py", line 328, in dispatch_commands
    dispatch(parser, *args, **kwargs)
  File "/home/fuan/miniconda3/envs/bioconda_recipe_gen/lib/python3.6/site-packages/argh/dispatching.py", line 174, in dispatch
    for line in lines:
  File "/home/fuan/miniconda3/envs/bioconda_recipe_gen/lib/python3.6/site-packages/argh/dispatching.py", line 277, in _execute_command
    for line in result:
  File "/home/fuan/miniconda3/envs/bioconda_recipe_gen/lib/python3.6/site-packages/argh/dispatching.py", line 260, in _call
    result = function(*positional, **keywords)
  File "/home/fuan/miniconda3/envs/bioconda_recipe_gen/lib/python3.6/site-packages/bioconda_utils/cli.py", line 426, in build
    label=label,
  File "/home/fuan/miniconda3/envs/bioconda_recipe_gen/lib/python3.6/site-packages/bioconda_utils/build.py", line 407, in build_recipes
    force=force)
  File "/home/fuan/miniconda3/envs/bioconda_recipe_gen/lib/python3.6/site-packages/bioconda_utils/utils.py", line 882, in get_package_paths
    if check_recipe_skippable(recipe, channel_packages, force):
  File "/home/fuan/miniconda3/envs/bioconda_recipe_gen/lib/python3.6/site-packages/bioconda_utils/utils.py", line 837, in check_recipe_skippable
    platform, metas = _load_platform_metas(recipe, finalize=False)
  File "/home/fuan/miniconda3/envs/bioconda_recipe_gen/lib/python3.6/site-packages/bioconda_utils/utils.py", line 812, in _load_platform_metas
    return platform, load_all_meta(recipe, config=config, finalize=finalize)
  File "/home/fuan/miniconda3/envs/bioconda_recipe_gen/lib/python3.6/site-packages/bioconda_utils/utils.py", line 172, in load_all_meta
    bypass_env_check=bypass_env_check,
  File "/home/fuan/miniconda3/envs/bioconda_recipe_gen/lib/python3.6/site-packages/conda_build/api.py", line 31, in render
    return render_recipe(recipe_path, no_download_source=config.no_download_source, config=config)
  File "/home/fuan/miniconda3/envs/bioconda_recipe_gen/lib/python3.6/site-packages/conda_build/render.py", line 158, in render_recipe
    raise ValueError("no_download_source specified, but can't fully render recipe without"
ValueError: no_download_source specified, but can't fully render recipe without downloading source.  Please fix the recipe, or don't use no_download_source.

When looking around for a solution to the above problem, I stumbled upon this conda-build issue (https://github.com/conda/conda-build/issues/3256) which looks similar to my problem, but I don't have hg_ anywhere in my recipe.

My setup is a conda environment with python3.6 and bioconda-utils installed.

Has anyone seen this problem before, or can anyone point me in a direction for a solution?

@dpryan79
Contributor

I get the YAMLLoadWarning warnings too, they're unrelated. What version of bioconda-utils are you using and what's the exact command you're using?

@Hogfeldt
Contributor Author

I'm running bioconda-utils version 0.15.3 and I'm running the following command:

bioconda-utils build recipes/ config.yml \
--packages kallisto

I have tried to run the above command on other packages as well and on a package which is not in bioconda-recipes, but I have copied into bioconda-recipes/recipes, every time I get a similar error.

@dpryan79
Contributor

Please upgrade to 0.15.10.

@Hogfeldt
Contributor Author

Thank you, that solved my problem. It seems conda wouldn't automatically give me the latest version; it helped when I specified the exact version I wanted and got 0.15.10.

@epruesse
Member

Still - should change

yaml.load(input)

to

yaml.safe_load(input)

in the places where yaml is pyyaml
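An added example (not part of this issue and not bioconda-utils code) of how one might find the places that still need changing: a small stdlib-only scanner that parses Python source with `ast` and reports every `yaml.load()` / `yaml.load_all()` call that passes no Loader, or passes one other than SafeLoader. The sample source it scans is constructed for the example and is modelled on the `utils.py` line quoted in the warning above; `scan_source`, `scan_tree`, `classify_snippet` and the label names are the example's own.

```python
import ast
import sys
from pathlib import Path

# PyYAML's loader classes. Only SafeLoader (and its C variant) restricts a
# document to plain data; Loader/UnsafeLoader construct arbitrary Python objects.
UNSAFE_LOADERS = {"Loader", "UnsafeLoader", "CLoader", "CUnsafeLoader"}
SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}
FULL_LOADERS = {"FullLoader", "CFullLoader"}


def _loader_name(node):
    """'yaml.SafeLoader' or a bare 'SafeLoader' -> 'SafeLoader'; anything else -> None."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def classify_call(call):
    """Label a yaml.* load call, or return None when the call is not one."""
    func = call.func
    if not (isinstance(func, ast.Attribute)
            and isinstance(func.value, ast.Name) and func.value.id == "yaml"):
        return None
    if func.attr in ("safe_load", "safe_load_all"):
        return "safe"
    if func.attr not in ("load", "load_all"):
        return None
    loader = None
    for kw in call.keywords:                      # yaml.load(text, Loader=...)
        if kw.arg == "Loader":
            loader = _loader_name(kw.value)
    if loader is None and len(call.args) >= 2:    # yaml.load(text, yaml.SafeLoader)
        loader = _loader_name(call.args[1])
    if loader is None:
        return "missing-loader"    # the deprecated form the YAMLLoadWarning complains about
    if loader in SAFE_LOADERS:
        return "safe"
    if loader in UNSAFE_LOADERS:
        return "unsafe-loader"     # explicit, but no safer than the old default
    if loader in FULL_LOADERS:
        return "full-loader"       # not the SafeLoader this fix moves to; review by hand
    return "unknown-loader"        # custom loader class; review by hand


def classify_snippet(expr):
    """Classify one call expression given as source text, e.g. 'yaml.load(x)'."""
    return classify_call(ast.parse(expr, mode="eval").body)


def scan_source(source, filename="<string>"):
    """Return (line, label, function name) for every load call that is not 'safe'."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            label = classify_call(node)
            if label is not None and label != "safe":
                findings.append((node.lineno, label, node.func.attr))
    return sorted(findings)


def scan_tree(root):
    """Scan every .py file below root; returns {path: findings} for files with findings."""
    results = {}
    for path in sorted(Path(root).rglob("*.py")):
        found = scan_source(path.read_text(encoding="utf-8"), str(path))
        if found:
            results[str(path)] = found
    return results


# Constructed sample source, modelled on the utils.py line quoted in the warning.
SAMPLE = """
import yaml

def load_config(path):
    config = yaml.load(open(path))                    # no Loader: the deprecated form
    return config

def load_meta(text):
    return yaml.load(text, Loader=yaml.Loader)         # explicit unsafe loader

def load_full(text):
    return yaml.load(text, Loader=yaml.FullLoader)     # not SafeLoader

def load_ok(text):
    return yaml.safe_load(text)                        # what the fix switches to
"""

if __name__ == "__main__":
    # Usage: python scan_yaml_load.py [source-dir]; with no argument it scans SAMPLE.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    report = scan_tree(target) if target else {"<sample>": scan_source(SAMPLE)}
    for path, findings in report.items():
        for line, label, fn in findings:
            print(f"{path}:{line}: yaml.{fn}() {label}")
```

Against the constructed sample this reports lines 5, 9 and 12; the `safe_load` call is silent. The scanner only recognises the module imported as `yaml`, so a file that does `import yaml as Y` (as in the last comment below) would need the name added to `classify_call`.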

@Hogfeldt
Contributor Author

I took a look at the code and tried to change all the occurrences of yaml.load(input) to yaml.safe_load(input). Then I ran all the tests, which seem to pass.
Since I don't know how well the tests cover the code, I haven't made a pull request.
Can I assume that if the tests pass, the changes should be alright? And should I commit my changes and make a pull request?

@dpryan79
Contributor

Please do!

Hogfeldt pushed a commit to Hogfeldt/bioconda-utils that referenced this issue Mar 19, 2019
The use of yaml.load(input) is deprecated, because of a security exploit, see:
https://msg.pyyaml.org/load

All use of 'yaml.load(input)' has been changed to 'yaml.safe_load(input)', all tests seem to pass.

Fixes bioconda#462
epruesse pushed a commit that referenced this issue Mar 19, 2019
The use of yaml.load(input) is deprecated, because of a security exploit, see:
https://msg.pyyaml.org/load

All use of 'yaml.load(input)' has been changed to 'yaml.safe_load(input)', all tests seem to pass.

Fixes #462
@epruesse
Member

Thanks @Hogfeldt!

@fst23

fst23 commented Feb 17, 2020

Recently I'm trying to learn how to use the GAZEBO platform. I'm following tutorials etc. One of those consists of controlling a sensor through ROS, but I got the following warning:

/opt/ros/melodic/lib/python2.7/dist-packages/rostopic/init.py:1782: YAMLLoadWarning: calling yaml.load() without Loader=... is deprecated, as the default Loader is unsafe. Please read https://msg.pyyaml.org/load for full details.
pub_args.append(yaml.load(arg))

How can I fix it?
Thanks in advance

@ghost

ghost commented Oct 22, 2020

@fst23

Simplest answer (evidently the "unsafe" way to load a yaml from the internet over a plaintext protocol (at all), let alone without sanitizing it): yaml.load(input, Loader=yaml.FullLoader)

I was almost compelled to read the FULL documentation for this deserialmarshalizer parser smasher splitter loader but the message at least for me hit close enough to home.

import yaml as Y  # assumed import: the snippet refers to pyyaml as Y

conf = Y.load(
    open('conf.yml'),
    Loader=Y.FullLoader
).get('bot')
