Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Why does PyYAML 5.1 raise YAMLLoadWarning when the default loader has been made safer already?
See original GitHub issueHere is my code:
import yaml
yaml.load('foo')
This code leads to the following warning with PyYAML (5.1).
$ pip install pyyaml
$ python3 foo.py
foo.py:2: YAMLLoadWarning: calling yaml.load() without Loader=... is deprecated, as the default Loader is unsafe. Please read https://msg.pyyaml.org/load for full details.
yaml.load('foo')
So I visited https://msg.pyyaml.org/load to see what this is about but I do not understand the need for this warning.
First, the documentation says,
UnsafeLoader(also calledLoaderfor backwards compatability)The original Loader code that could be easily exploitable by untrusted data input.
Okay, that makes sense. In an earlier version, the original loader was unsafe. Further, it says,
FullLoaderLoads the full YAML language. Avoids arbitrary code execution. This is currently (PyYAML 5.1) the default loader called by
yaml.load(input)(after issuing the warning).
So the current version uses FullLoader which is not unsafe. This is confirmed again in the document.
The load function was also made much safer by disallowing the execution of arbitrary functions by the default loader (
FullLoader).
If the current version that uses FullLoader is not unsafe, then why do we need the YAMLLoadWarning at all?
Issue Analytics
- State:
- Created 4 years ago
- Comments:8 (2 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
I just want my YAML loaded. I don’t care about best practices, moral views of creators and other unrelated stuff. You made it more secure? Awesome, good job. But make changes unnoticeable: set securest loader by default. It’s service library and it should make things done and not “educate users”.
And if you like to cite principles, here is one for you too: https://en.wikipedia.org/wiki/Open–closed_principle
Flectra has a problem with pyyaml 5.1, which would not need to be. I just changed
=Loaderto=FullLoaderconsistently in__init__()and then flectra works with 5.1. Why the change in onlyload()to make it inconsistent with the other functions in__init__.py?I would suggest some tests that test the interface of pyyaml as a whole, i.e. the interoperability of the functions, like
add_constructor()andload(). Use these tests to verify that changes do not change the interface. Interface changes do produce a lot of effort. We’ve seen this with the Python 3 move.I wonder whether semantic versioning is the right way to go at all. New interfaces should rather be handled via a new name and be installable in parallel. So we would have pyyaml5 1.0 instead of pyyaml 5.1.0. In code we would do
import yaml5instead ofimport yaml.