
launchpad-reviewers team mailing list archive

[Merge] ~pelpsi/txpkgupload:fix-yaml-load into txpkgupload:master


Simone Pelosi has proposed merging ~pelpsi/txpkgupload:fix-yaml-load into txpkgupload:master.

Commit message:
    Use yaml.safe_load instead of yaml.load

    The application performs deserialization by invoking the function 'yaml.load()'. By default, this function is vulnerable to deserialization RCE attacks when handling untrusted input.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~pelpsi/txpkgupload/+git/txpkgupload/+merge/487666
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of ~pelpsi/txpkgupload:fix-yaml-load into txpkgupload:master.
diff --git a/developing.rst b/developing.rst
new file mode 100644
index 0000000..d7a84c6
--- /dev/null
+++ b/developing.rst
@@ -0,0 +1,44 @@
+How to set up a development environment
+***************************************
+
+First of all, it is recommended that you create an lxc container, since the
+following steps will make changes in your system. 
+And since some build types will only work with virtualized containers, creating an 
+lxc vm is the best way to go. 
+
+You can learn more about LXC and set them up 
+here: https://ubuntu.com/server/docs/lxd-containers
+
+
+PS: If you just want to run the test suite, creating a container is
+sufficient.
+
+You can create a VM with the following command:
+
+.. code:: bash
+
+        lxc launch --vm ubuntu:focal txpkgupload
+
+Note that you may want to have a profile to share the source code with the
+container before running the above command.
+
+Next switch into the vm:
+
+.. code:: bash
+
+        lxc shell txpkgupload
+
+Then, inside the container clone the repo and install the necessary dependencies:
+
+.. code:: bash
+
+        git clone https://git.launchpad.net/txpkgupload
+        cd txpkgupload
+        sudo apt install make virtualenv build-essential libssl-dev libffi-dev python3-dev
+        make
+
+This should be enough for you to be able to run the test suite:
+
+.. code:: bash
+
+        make check
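Review bot: the new developing.rst is out of scope for a commit message that only describes the yaml.safe_load change; either mention it in the commit message or land it as a separate merge proposal so the security fix stays reviewable on its own. Inside the file, the text alternates between "container" and "vm" while the only command shown, `lxc launch --vm ubuntu:focal txpkgupload`, always creates a VM; say which is meant (the PS implies a plain container is enough for `make check`, so the non-`--vm` form is worth showing too), spell "LXC" consistently, and strip the trailing whitespace on the lines ending "your system. ", "creating an " and "the best way to go. ".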
diff --git a/src/txpkgupload/plugin.py b/src/txpkgupload/plugin.py
index a1df540..c9287a1 100644
--- a/src/txpkgupload/plugin.py
+++ b/src/txpkgupload/plugin.py
@@ -143,7 +143,7 @@ class Config(Schema):
     @classmethod
     def parse(cls, stream):
         """Load a YAML configuration from `stream` and validate."""
-        return cls.to_python(yaml.load(stream))
+        return cls.to_python(yaml.safe_load(stream))
 
     @classmethod
     def load(cls, filename):
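Review bot: the change is correct and is needed regardless of the security argument: PyYAML 5.1 and later warn on `yaml.load(stream)` without an explicit `Loader`, and PyYAML 6.0 makes that argument mandatory, so the old line fails outright on a current PyYAML. Because the result goes straight into `cls.to_python` for schema validation, the configuration only ever needs plain YAML mappings, scalars and lists, and `safe_load` loses nothing here. Consider adding a unit test in test_plugin.py asserting that `Config.parse` rejects a document carrying a Python-specific tag such as `!!python/object`, so the restriction cannot regress silently.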
diff --git a/src/txpkgupload/tests/test_plugin.py b/src/txpkgupload/tests/test_plugin.py
index 20740d6..13123f9 100644
--- a/src/txpkgupload/tests/test_plugin.py
+++ b/src/txpkgupload/tests/test_plugin.py
@@ -212,12 +212,12 @@ class PkgUploadFixture(DeferringFixture):
         top = os.path.join(
             os.path.dirname(__file__), os.pardir, os.pardir, os.pardir)
         with open(os.path.join(top, "etc", "txpkgupload.yaml")) as stream:
-            config = yaml.load(stream)
+            config = yaml.safe_load(stream)
         config["access_log"] = os.path.join(
             self.root, "txpkgupload-access.log")
         if self.extra_config is not None:
             deep_update(
-                config, yaml.load(io.StringIO(self.extra_config)))
+                config, yaml.safe_load(io.StringIO(self.extra_config)))
         # Make some paths absolute to cope with tests running in a different
         # working directory.
         for key in ("host_key_private", "host_key_public"):
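Review bot: `yaml.safe_load` accepts a `str` directly, so the `io.StringIO(self.extra_config)` wrapper on the `deep_update` line can be dropped (along with the `io` import, if nothing else in the module uses it); otherwise the change mirrors plugin.py and is fine.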
@@ -282,7 +282,7 @@ class FTPServer(DeferringFixture):
         top = os.path.join(
             os.path.dirname(__file__), os.pardir, os.pardir, os.pardir)
         with open(os.path.join(top, "etc", "txpkgupload.yaml")) as stream:
-            config = yaml.load(stream)
+            config = yaml.safe_load(stream)
         self.port = config["ftp"]["port"]
 
     def _setUp(self):
@@ -419,7 +419,7 @@ class SFTPServer(DeferringFixture):
         top = os.path.join(
             os.path.dirname(__file__), os.pardir, os.pardir, os.pardir)
         with open(os.path.join(top, "etc", "txpkgupload.yaml")) as stream:
-            config = yaml.load(stream)
+            config = yaml.safe_load(stream)
         self.port = int(config["sftp"]["port"].partition(':')[2])
         self.test_private_key = os.path.join(
             os.path.dirname(__file__), "txpkgupload-sftp")
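Review bot: this is the third copy of the same open-and-`safe_load` block for etc/txpkgupload.yaml in this module (PkgUploadFixture, FTPServer and SFTPServer); a small module-level helper, say `load_test_config()` (name suggested here, not in the patch), would keep the loader choice in one place so the next PyYAML change only has to be made once.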