PyYAML Deprecation of Full Loader method
burncycl opened this issue
Hello,
The j2cli 0.3.5.post1, Jinja2 2.10 is broken, as it calls a deprecated and vulnerable method (FullLoader) in PyYAML.
Please reference:

```
Traceback (most recent call last):
  File "./venv/bin/j2", line 10, in <module>
    sys.exit(main())
  File "/builds/ansible/venv/lib/python3.6/site-packages/j2cli/cli.py", line 175, in main
    sys.argv[1:]
  File "/builds/ansible/venv/lib/python3.6/site-packages/j2cli/cli.py", line 141, in render_command
    args.import_env
  File "/builds/ansible/venv/lib/python3.6/site-packages/j2cli/context.py", line 192, in read_context_data
    context = FORMATSformat
  File "/builds/ansible/venv/lib/python3.6/site-packages/j2cli/context.py", line 88, in _parse_yaml
    return yaml.load(data_string, Loader=yaml.FullLoader)
AttributeError: module 'yaml' has no attribute 'FullLoader'
```
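The traceback shows `yaml.FullLoader` being requested on a PyYAML that predates it. As an added example (not j2cli's code; it assumes only that PyYAML is installed), the following loads context data with `SafeLoader`, which every PyYAML release ships, so it neither hits the `AttributeError` above nor regresses to the unsafe bare `yaml.load` default of PyYAML < 5.1:

```python
"""Version-tolerant, safe YAML context loading (added example, not j2cli code)."""
import yaml

# Constructed sample inputs, not taken from the issue.
SAMPLE_CONTEXT = "name: demo\nreplicas: 3\n"
# A tagged document that only a Python-object-constructing loader would accept.
TAGGED_CONTEXT = "!!python/name:builtins.str"


def load_context(data_string):
    """Parse a YAML context document using SafeLoader.

    yaml.safe_load() is equivalent to yaml.load(data, Loader=yaml.SafeLoader)
    and exists on every PyYAML version, unlike yaml.FullLoader (5.1+).
    It refuses tags that would instantiate arbitrary Python objects, which is
    the behaviour wanted for context files that may come from untrusted sources.
    """
    return yaml.safe_load(data_string)


def is_safe_document(data_string):
    """Return True if the document loads under SafeLoader.

    Returns False when the document carries a tag SafeLoader has no constructor
    for; syntax errors are still raised so they are not mistaken for a policy hit.
    """
    try:
        yaml.safe_load(data_string)
        return True
    except yaml.constructor.ConstructorError:
        return False


def full_loader_available():
    """Report whether the installed PyYAML provides FullLoader (PyYAML >= 5.1)."""
    return hasattr(yaml, "FullLoader")


if __name__ == "__main__":
    print("FullLoader present:", full_loader_available())
    print("context:", load_context(SAMPLE_CONTEXT))
    print("tagged document accepted:", is_safe_document(TAGGED_CONTEXT))
```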
Wow I messed up! Sorry :)
I removed the new release from pypi for now. Will fix it in a day or two, and will make sure I understand what I'm doing :D
We import j2cli in a virtual environment at runtime. That said, I modified our requirements.txt to reference the tagged fix. This resolved the issue, albeit a hacky temporary fix.

py3_requirements.txt:

```
#j2cli[yaml] # Temporarily deprecated due to security issue.
git+git://github.com/kolypto/j2cli.git@v0.3.6
PyYAML==5.1
```
Thanks for your software and support!
Fixed in 0.3.6.post1.
I hope it works for you now! :)
Nuked the virtual environment, and remade it with just the following:

py3_requirements.txt:

```
j2cli[yaml]
```
Works!
Can verify the proper version is installed from within the sourced virtual environment:

```
(venv) $ j2 --version
j2cli 0.3.6.post1, Jinja2 2.10
```
Thanks again for your support! Have a great one!