From 9aca116d0dcc0a82c0c2e17fdc2b9ab49bcc129d Mon Sep 17 00:00:00 2001
From: Joshua Reed
Date: Tue, 26 Feb 2019 08:39:04 -0500
Subject: [PATCH 1/2] revert pyyaml requirement version
---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup.py b/setup.py
index 3692c56f..1652e964 100644
--- a/setup.py
+++ b/setup.py
@@ -69,7 +69,7 @@ def run_tests(self):
 },
 install_requires=[
 "jsonschema<3",
- "PyYAML>=4.2b1",
+ "PyYAML>=3.13",
 "six",
 'pathlib;python_version=="2.7"',
 ],
From dcd0c2a447be43bb06020f76f166438b812e47df Mon Sep 17 00:00:00 2001
From: Joshua Reed
Date: Tue, 26 Feb 2019 08:57:52 -0500
Subject: [PATCH 2/2] add security note
---
 README.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/README.md b/README.md
index ef7a9ca7..d570a369 100644
--- a/README.md
+++ b/README.md
@@ -69,6 +69,21 @@ from openapi_spec_validator import openapi_v3_spec_validator
 errors_iterator = openapi_v3_spec_validator.iter_errors(spec)
 ```
+## Security Note
+
+PyYAML, a requirement of this project, has a
+[security vulnerability](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)
+in the default implementation of `yaml.load()`, which allows execution
+of arbitrary code while loading a target file or stream. OpenAPI Spec
+Validator uses a safe loader to ensure that only Python objects
+marked as safe can be executed. Thus, you are not exposed to this
+vulnerability by using this package.
+
+If you use `PyYAML` directly, be sure to use `yaml.safe_load()` to
+avoid inadvertantly exposing youself to potentially malicous data. The
+[PyYAML docs](https://pyyaml.org/wiki/PyYAMLDocumentation#loading-yaml)
+describe this issue in detail.
+
 ## Related projects
 * [openapi-core](https://github.com/p1c2u/openapi-core) is a Python library that adds client-side and server-side support for the OpenAPI.
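Review bot: Lowering the bound to `"PyYAML>=3.13"` on the changed line re-admits PyYAML releases in which `yaml.load()` called without an explicit `Loader` constructs arbitrary Python objects (CVE-2017-18342), so the package's safety now rests entirely on every YAML parse in this project going through `yaml.safe_load()` / `SafeLoader`, which nothing in setup.py records or enforces. The commit message says "revert" but not why; if the reason is that no installable PyYAML satisfies `>=4.2b1`, that is worth stating so a later maintainer does not read the old pin as a safety floor that was deliberately dropped. I would add a comment above the requirement: `# >=3.13 still admits PyYAML whose bare yaml.load() is unsafe; this project must only ever call yaml.safe_load() (see README "Security Note")`. Consider pairing it with a CI check that fails on any bare `yaml.load(` in the source tree, and raising the lower bound to the first PyYAML release in which the default loader no longer constructs arbitrary objects once such a release exists. The `install_requires` list is an argument of a `setup(...)` call that begins and ends outside this hunk.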