Support !import and !include in awx import -f yaml command #8136
Conversation
This is a proposed solution, keeping the diff as small as possible. I can update/change it as required if something more complex may be needed.
Build failed.
Build succeeded.
@@ -140,7 +140,7 @@ def handle(self, client, parser): | |||
if fmt == 'json': | |||
data = json.load(client.stdin) | |||
elif fmt == 'yaml': | |||
data = yaml.safe_load(client.stdin) |
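Review bot: the line that replaces `yaml.safe_load(client.stdin)` is not visible in this hunk, so a reader of the diff cannot see which Loader class now backs the new `!include`/`!import` tags; the thread says it subclasses `yaml.SafeLoader`, and a one-line comment at the call site saying so would stop the next reviewer from raising the same alarm. Separately, because the document is read from `client.stdin` there is no source file path to anchor relative `!include` targets to, so the change should state which base directory is used for them and whether a target that escapes it (for example one starting with `../`) is refused.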
There are some alarm bells going off for me about the security implications here:
https://pyyaml.org/wiki/PyYAMLDocumentation
Warning: It is not safe to call yaml.load with any data received from an untrusted source! yaml.load is as powerful as pickle.load and so may call any Python function. Check the yaml.safe_load function though.
Yes, I am aware of load vs safe_load, but this is not an issue here, since we do specify a "safe" loader.
The safety implications of yaml.load() stem from the fact that yaml.Loader is unsafe. Here, we use awxkit.yaml_file.Loader, which inherits from yaml.SafeLoader, so to me it seems equivalent from a safety standpoint.
Also, yaml.safe_load() is simply an alias for yaml.load(..., loader=SafeLoader).
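The point made above is that a custom Loader is only as safe as the class it subclasses: a yaml.SafeLoader subclass keeps SafeLoader's constructor table, so Python-object tags are still rejected, and only the tags you register (here `!include`) are added. The example below is an added illustration, not awxkit's own yaml_file.Loader or any code from this PR: it assumes PyYAML is installed, registers a hypothetical `!include` constructor on a SafeLoader subclass, resolves include paths against an explicit base directory (since a document read from stdin has no file path of its own), refuses targets that escape that directory, and contrasts the rejection of a `!!python/object/apply` tag by the safe loader with what yaml.unsafe_load does to the same (deliberately benign) tag. The sample files and documents are constructed inline.

```python
"""Added example: an !include tag on a yaml.SafeLoader subclass (not the awxkit code)."""
import os
import tempfile

import yaml


class IncludeLoader(yaml.SafeLoader):
    """Subclass of SafeLoader: inherits the safe constructor table, adds !include.

    base_dir is explicit because a document read from stdin has no path that
    relative includes could be resolved against.
    """

    def __init__(self, stream, base_dir):
        super().__init__(stream)
        self.base_dir = os.path.realpath(base_dir)


def _construct_include(loader, node):
    """Constructor for the hypothetical !include tag: load another YAML file."""
    rel = loader.construct_scalar(node)
    target = os.path.realpath(os.path.join(loader.base_dir, rel))
    # Refuse any target that resolves outside the base directory (e.g. "../x").
    if os.path.commonpath([loader.base_dir, target]) != loader.base_dir:
        raise yaml.constructor.ConstructorError(
            None, None, f"!include {rel!r} escapes the base directory", node.start_mark
        )
    with open(target, encoding="utf-8") as fh:
        # Recurse with the same loader so nested includes keep the same rules.
        return load_with_includes(fh.read(), os.path.dirname(target))


# add_constructor on the subclass copies the parent's table first, so
# yaml.SafeLoader itself is left untouched.
IncludeLoader.add_constructor("!include", _construct_include)


def load_with_includes(text, base_dir):
    """Equivalent of yaml.load(text, Loader=IncludeLoader) with a base_dir argument."""
    loader = IncludeLoader(text, base_dir)
    try:
        return loader.get_single_data()
    finally:
        loader.dispose()


def demo():
    """Run the three cases against a constructed include tree in a temp dir.

    Returns (data loaded via !include, traversal outcome, python-tag outcome).
    """
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "creds.yml"), "w", encoding="utf-8") as fh:
            fh.write("username: admin\n")  # constructed sample data
        included = load_with_includes("name: demo\ncredential: !include creds.yml\n", base)

        try:  # path traversal out of base_dir must be refused before any open()
            load_with_includes("x: !include ../outside.yml\n", base)
            traversal = "allowed"
        except yaml.constructor.ConstructorError:
            traversal = "rejected"

        try:  # SafeLoader has no constructor for python/* tags, so this errors
            load_with_includes("x: !!python/object/apply:builtins.len [[1, 2, 3]]\n", base)
            python_tag = "allowed"
        except yaml.constructor.ConstructorError:
            python_tag = "rejected"
    return included, traversal, python_tag


def unsafe_comparison():
    """The same tag under yaml.unsafe_load becomes a Python call: len([1, 2, 3])."""
    return yaml.unsafe_load("!!python/object/apply:builtins.len [[1, 2, 3]]")


if __name__ == "__main__":
    print(demo())
    print(unsafe_comparison())
```

The only thing that makes this loader safe is the base class; registering `!include` on yaml.Loader or yaml.UnsafeLoader with the same code would keep every Python-object constructor reachable. The base-directory check is the part a reviewer would ask for whenever an include tag is fed from stdin.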
Ah, yep!
Sorry, I wasn't looking closely enough at this PR. Thanks, @neoaggelos.
This looks pretty reasonable to me.
@jbradberry or @elyezer either of you want to give it a whirl and sign off?
Works for me, barring some problems with a dependency that wasn't installed.
Build succeeded (gate pipeline).
SUMMARY
Closes #8135
ISSUE TYPE
COMPONENT NAME
AWX VERSION
ADDITIONAL INFORMATION
The description in #8135 should be enough, let me know if something is not clear.