
Yaml serializer fails since pyyaml 4.1

See original GitHub issue

Yesterday pyyaml was updated to version 4.1, and now I'm receiving this error:

yaml.representer.RepresenterError: ('cannot represent an object', URL('<url>'))

The problem is in the vcr/serializers/yamlserializer.py file, when the serialize method is called.

I found this pull request that was pushed in version 4.1 of pyyaml: https://github.com/yaml/pyyaml/pull/74 where they change the behaviour of dump, Dumper, CDumper and the same with the loaders. Before the update these methods were "danger" and now they are "safe", so we can change the line in the serializer to the "danger" version because it is exactly the same that we used before this update. I'll try to fix it later.

Issue Analytics

  • State: closed
  • Created: 5 years ago
  • Reactions: 6
  • Comments: 10 (3 by maintainers)

Top GitHub Comments

2 reactions
lmazuel commented, Jun 27, 2018

@stefangordon @jbagot found out the problem.

After some investigation, it impacts only files recorded with Python 2.7, because starting with PyYAML 4.x, the methods "load/safe_load" become respectively "danger_load/load" (i.e. by default, creating Python objects from YAML parsing is disabled). In Py 2.7, the YAML of VCRPy contains this:

body: {string: !!python/unicode 'stuff'.....

Which will not be parsed anymore by default (since it creates a Python object and is vulnerable to attack).

This means that with the PyYAML 3.x series, if a malicious person introduces bad python code in the recordings, each time the recordings are replayed the code is executed (?!?!??). And as you see here, this could be as simple as:

favorite_activity: !!python/object/apply:os.system ['rm *']

I'm not sure if it means that VCRPy is not compatible anymore with Py2.7 if PyYAML is installed, or if this means that PyYAML should be pinned to 3.12 on Py2.7 and >=4.0 on Py3. Or if you should just document (as PyYAML did) that replaying recordings is vulnerable to attack if PyYAML is < 4.0.
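The two halves of this thread (the RepresenterError on dump in the issue body, and the `!!python/unicode` tag that safe loading refuses in the comment above) have the same safe-by-default fix: stay on SafeLoader/SafeDumper and register only the one tag or type you actually need. The example below is added here and is not code from the issue, from VCRPy or from PyYAML; the `URL` class is a constructed stand-in for whatever URL object VCRPy tried to serialize, and the YAML snippets are constructed. It shows that plain `safe_load` rejects every `python/*` tag, that a SafeLoader subclass can accept just `!!python/unicode` as a string while still rejecting `python/object` tags, and that a SafeDumper subclass with a representer writes the URL as a plain string instead of a python/object tag.

```python
"""Safe PyYAML loading and dumping for legacy (Python 2.7) VCRPy-style cassettes.

Added example; not VCRPy's or PyYAML's own code.
"""
import yaml
from yaml.constructor import ConstructorError
from yaml.representer import RepresenterError

# `!!python/unicode` is shorthand for this full tag.
PY_UNICODE_TAG = "tag:yaml.org,2002:python/unicode"


class LegacyCassetteLoader(yaml.SafeLoader):
    """SafeLoader that additionally accepts the harmless `!!python/unicode`
    tag written by Python 2.7 recordings. Every other python/* tag
    (python/object, python/name, ...) is still rejected, because only the
    constructors of SafeLoader are inherited."""


def _construct_unicode_as_str(loader, node):
    # The tag carries no behaviour; the scalar text is the whole value.
    return loader.construct_scalar(node)


# add_constructor on a subclass copies the table, so yaml.SafeLoader is untouched.
LegacyCassetteLoader.add_constructor(PY_UNICODE_TAG, _construct_unicode_as_str)


def load_cassette(text):
    """Parse a recording with the restricted legacy loader."""
    return yaml.load(text, Loader=LegacyCassetteLoader)


def is_rejected_on_load(text, Loader=yaml.SafeLoader):
    """True if the given loader refuses the document because of an unknown tag."""
    try:
        yaml.load(text, Loader=Loader)
    except ConstructorError:
        return True
    return False


class URL:
    """Constructed stand-in for the URL object that SafeDumper could not represent."""

    def __init__(self, value):
        self.value = value

    def __str__(self):
        return self.value


class CassetteDumper(yaml.SafeDumper):
    """SafeDumper plus one representer: a URL is written as a plain string,
    so the cassette never contains a python/object tag that would need an
    unsafe loader later."""


CassetteDumper.add_representer(
    URL, lambda dumper, data: dumper.represent_str(str(data))
)


def dump_cassette(data):
    """Serialize with the restricted dumper; returns the YAML text."""
    return yaml.dump(data, Dumper=CassetteDumper)


def is_rejected_on_dump(data):
    """True if plain safe_dump refuses the object (the error from the issue)."""
    try:
        yaml.safe_dump(data)
    except RepresenterError:
        return True
    return False


def roundtrip_cassette(data):
    """Dump with CassetteDumper and read back with plain safe_load."""
    return yaml.safe_load(dump_cassette(data))


if __name__ == "__main__":
    legacy = "body: {string: !!python/unicode 'stuff'}"          # constructed Py2.7-style line
    tagged = "x: !!python/object/apply:os.getcwd []"            # constructed python/object tag
    print("safe_load rejects legacy tag:", is_rejected_on_load(legacy))
    print("legacy loader result:", load_cassette(legacy))
    print("legacy loader still rejects python/object:",
          is_rejected_on_load(tagged, Loader=LegacyCassetteLoader))
    print("safe_dump rejects URL:", is_rejected_on_dump({"url": URL("https://example.test/")}))
    print("roundtrip:", roundtrip_cassette({"url": URL("https://example.test/")}))
```

Registering the single `python/unicode` constructor on a subclass is the narrow alternative to switching the serializer back to the "danger" loader: the old cassettes still load, but a recording containing a `python/object/apply` tag raises ConstructorError instead of executing anything.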

0 reactions
lamenezes commented, Sep 20, 2018

I believe this was fixed by PyYAML. If the problem persists feel free to open another issue. Thanks everyone for the discussion 😃
