66from .._yaml_api import is_yaml_serializable
77from ruamel .yaml import YAML
88from ruamel .yaml .comments import CommentedMap
9+ from ruamel .yaml .representer import RepresenterError
910from .util import make_tempdir
1011
1112
@@ -101,12 +102,24 @@ def __new__(cls):
101102 return object .__new__ (cls )
102103
103104
105+ def test_yaml_no_arbitrary_objects ():
106+ """srsly.write_yaml, unlike PyYAML / ruamel.yaml, does not
107+ support serializing arbitrary Python objects.
108+ """
109+ m = Malicious ()
110+ with pytest .raises (RepresenterError , match = r"cannot represent.*Malicious" ):
111+ yaml_dumps (m )
112+
113+
104114def test_yaml_safe ():
105115 """Old versions of PyYAML / ruamel.yaml were unsafe by default,
106116 with `yaml.load` allowing arbitrary code execution.
107117 Test that srsly does not allow deserializing arbitrary Python objects.
108118 """
109-
119+ # Craft malicious payload, that in old versions of PyYAML and ruamel.yaml
120+ # would execute arbitrary code upon deserialization.
121+ # Note that this is not possible with srsly's yaml_loads
122+ # (see ).
110123 m = Malicious ()
111124 buf = StringIO ()
112125 yaml = YAML (typ = "full" )
@@ -119,10 +132,3 @@ def test_yaml_safe():
119132 yaml_loads (payload )
120133 # No arbitrary code execution happened
121134 assert Malicious .init_count == prev_count
122-
123- # By default, even the wrapped ruamel.yaml does not allow it;
124- # you need to explicitly opt in with `typ='unsafe'` (deprecated).
125- yaml2 = YAML ()
126- buf .seek (0 )
127- _ = yaml2 .load (buf )
128- assert Malicious .init_count == prev_count
0 commit comments