Skip to content

Commit 8a5b00b

Browse files
committed
Test srsly.yaml_dump vs. arbitrary objects; clarify test_yaml_safe
1 parent 921ef77 commit 8a5b00b

1 file changed

Lines changed: 14 additions & 8 deletions

File tree

srsly/tests/test_yaml_api.py

Lines changed: 14 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,7 @@
66
from .._yaml_api import is_yaml_serializable
77
from ruamel.yaml import YAML
88
from ruamel.yaml.comments import CommentedMap
9+
from ruamel.yaml.representer import RepresenterError
910
from .util import make_tempdir
1011

1112

@@ -101,12 +102,24 @@ def __new__(cls):
101102
return object.__new__(cls)
102103

103104

105+
def test_yaml_no_arbitrary_objects():
106+
"""srsly.write_yaml, unlike PyYAML / ruamel.yaml, does not
107+
support serializing arbitrary Python objects.
108+
"""
109+
m = Malicious()
110+
with pytest.raises(RepresenterError, match=r"cannot represent.*Malicious"):
111+
yaml_dumps(m)
112+
113+
104114
def test_yaml_safe():
105115
"""Old versions of PyYAML / ruamel.yaml were unsafe by default,
106116
with `yaml.load` allowing arbitrary code execution.
107117
Test that srsly does not allow deserializing arbitrary Python objects.
108118
"""
109-
119+
# Craft malicious payload, that in old versions of PyYAML and ruamel.yaml
120+
# would execute arbitrary code upon deserialization.
121+
# Note that this is not possible with srsly's yaml_loads
122+
# (see ).
110123
m = Malicious()
111124
buf = StringIO()
112125
yaml = YAML(typ="full")
@@ -119,10 +132,3 @@ def test_yaml_safe():
119132
yaml_loads(payload)
120133
# No arbitrary code execution happened
121134
assert Malicious.init_count == prev_count
122-
123-
# By default, even the wrapped ruamel.yaml does not allow it;
124-
# you need to explicitly opt in with `typ='unsafe'` (deprecated).
125-
yaml2 = YAML()
126-
buf.seek(0)
127-
_ = yaml2.load(buf)
128-
assert Malicious.init_count == prev_count

0 commit comments

Comments
 (0)