Merge pull request #416 from intuitem/switch_to_CLoader
Switch to CLoader for yaml
ab-smith authored May 13, 2024
2 parents 4c74d0e + 7311bd6 commit c4360c8
Showing 4 changed files with 12 additions and 9 deletions.
8 changes: 4 additions & 4 deletions README.md
Expand Up @@ -106,7 +106,7 @@ Check out the online documentation on https://intuitem.gitbook.io/ciso-assistant
34. GSA FedRAMP rev5 ☁️🇺🇸
35. Cadre Conformité Cyber France (3CF) v1 (2021) ✈️🇫🇷
36. ANSSI : SecNumCloud ☁️🇫🇷
37. Cadre Conformité Cyber France (3CF) v2 (2024) ✈️🇫🇷
37. Cadre Conformité Cyber France (3CF) v2 (2024) ✈️🇫🇷

### Community contrib

Expand All @@ -115,8 +115,7 @@ Check out the online documentation on https://intuitem.gitbook.io/ciso-assistant

<br/>

> [!NOTE]
> `*` These frameworks require an extra manual step of getting the latest Excel sheet through their website as their license prevent direct usage.
> [!NOTE] > `*` These frameworks require an extra manual step of getting the latest Excel sheet through their website as their license prevent direct usage.
<br/>

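Review bot: Collapsing the alert onto one line breaks the GitHub alert syntax. `> [!NOTE]` has to stand alone on its own blockquote line with the text on the following `>` line, so `> [!NOTE] > `*` These frameworks require ...` will render as an ordinary blockquote containing a literal `>` instead of a Note callout; keep the two-line form from the removed lines. While touching this sentence, `their license prevent` should read `their license prevents`.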
Expand Down Expand Up @@ -198,6 +197,7 @@ For docker setup on a remote server or hypervisor, checkout the [specific instru
- pip 20.3+
- node 18+
- npm 10.2+
- yaml-cpp (brew install yaml-cpp libyaml or apt install libyaml-cpp-dev)

### Running the backend

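Review bot: The prerequisite added here names the wrong library. PyYAML's `CSafeLoader`, which `backend/library/utils.py` and `backend/library/views.py` switch to in this commit, is backed by libyaml (the C library); yaml-cpp is an unrelated C++ project, so `apt install libyaml-cpp-dev` will not enable the C loader. For apt the build dependency is `libyaml-dev` (runtime `libyaml-0-2`), and for Homebrew `libyaml` alone is sufficient, so the `yaml-cpp` entries can be dropped. It is also worth saying that PyYAML binary wheels from PyPI normally bundle libyaml already, and that `python -c 'import yaml; print(yaml.__with_libyaml__)'` tells a developer whether the C loader is actually available in their environment.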
Expand Down Expand Up @@ -413,7 +413,7 @@ Set DJANGO_DEBUG=False for security reason.
- [Django](https://www.djangoproject.com/) - Python Web Development Framework
- [SvelteKit](https://kit.svelte.dev/) - Frontend framework
- [Gunicorn](https://gunicorn.org/) - Python WSGI HTTP Server for UNIX
- [Caddy](https://caddyserver.com) - The coolest reverse Proxy
- [Caddy](https://caddyserver.com) - The coolest reverse Proxy
- [Gitbook](https://www.gitbook.com) - Documentation platform
- [PostgreSQL](https://www.postgresql.org/) - Open Source RDBMS
- [SQLite](https://www.sqlite.org/index.html) - Open Source RDBMS
2 changes: 1 addition & 1 deletion backend/Dockerfile
Expand Up @@ -9,7 +9,7 @@ WORKDIR /code

# Configure locales
RUN apt update && \
apt install -y gettext locales && \
apt install -y gettext locales libyaml-cpp0.7 && \
apt clean && \
rm -rf /var/lib/apt/lists/* && \
sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \
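Review bot: `libyaml-cpp0.7` is the runtime package for yaml-cpp (C++), not for libyaml, so this line installs a shared library that PyYAML never loads and does nothing to make `yaml.CSafeLoader` available. If the image builds PyYAML from source it needs `libyaml-dev` at build time and `libyaml-0-2` at runtime; if it installs the PyPI wheel, neither is required. Pinning the soname version `0.7` additionally ties the Dockerfile to the current Debian release and will break the build when the base image moves to a newer yaml-cpp.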
7 changes: 5 additions & 2 deletions backend/library/utils.py
Expand Up @@ -8,6 +8,8 @@
from django.http import Http404

import yaml

# interesting thread: https://stackoverflow.com/questions/27743711/can-i-speedup-yaml
from ciso_assistant import settings
from core.models import (
Framework,
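Review bot: The new `# interesting thread: ...` comment is separated from `import yaml` by a blank line and sits directly above `from ciso_assistant import settings`, so it reads as documenting the settings import. Move it next to `import yaml`, or better next to the `yaml.CSafeLoader` call it motivates, and state what it justifies (libyaml-backed loader for parse speed) rather than only linking the thread.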
Expand Down Expand Up @@ -74,7 +76,7 @@ def get_available_libraries():
libs = AVAILABLE_LIBRARIES.get((fname, modified_time))
if libs is None:
with open(fname, "r", encoding="utf-8") as file:
libs = list(yaml.safe_load_all(file))
libs = list(yaml.load_all(file, Loader=yaml.CSafeLoader))
AVAILABLE_LIBRARIES[(fname, os.path.getmtime(fname))] = libs
for _lib in libs:
if (lib := Library.objects.filter(urn=_lib["urn"]).first()) is not None:
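Review bot: `yaml.CSafeLoader` only exists when PyYAML was built against libyaml; otherwise this line raises `AttributeError` the first time libraries are listed, which is a harder failure than the slower pure-Python path it replaces. Define a module-level `SafeLoader = getattr(yaml, "CSafeLoader", yaml.SafeLoader)` and pass `Loader=SafeLoader` here and in `get_library` so the fallback is explicit and both call sites stay consistent. The security property is unchanged: `CSafeLoader` uses the same `SafeConstructor` as `safe_load_all`, so `!!python/object` tags are still rejected.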
Expand Down Expand Up @@ -152,7 +154,8 @@ def get_library(urn: str) -> dict | None:
# Attempt to directly load the library from its specific YAML file.
if os.path.isfile(path):
with open(path, "r", encoding="utf-8") as file:
library_data = yaml.safe_load(file)
library_data = yaml.load(file, Loader=yaml.CSafeLoader)
# TODO: looks like we are going through here twice, why?
if library_data and library_data.get("urn") == urn:
return library_data
logger.error("File not found", path=path)
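Review bot: Same libyaml-availability concern as the `get_available_libraries` change, so prefer the shared fallback loader here too. Separately, `# TODO: looks like we are going through here twice, why?` records an open question rather than a task; either work out why `get_library` reads the file twice before merging, or replace the comment with a tracked issue reference, since a double read per request partly undoes the speed-up this commit is after.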
4 changes: 2 additions & 2 deletions backend/library/views.py
Expand Up @@ -133,7 +133,7 @@ def upload_library(self, request):
attachment = request.FILES["file"]
validate_file_extension(attachment)
# Use safe_load to prevent arbitrary code execution.
library = yaml.safe_load(attachment)
library = yaml.load(attachment, Loader=yaml.CSafeLoader)

# This code doesn't handle the library "dependencies" field yet as decribed in the architecture.

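Review bot: The comment `# Use safe_load to prevent arbitrary code execution.` is now stale because the line below no longer calls `safe_load`. Reword it to state the actual guarantee, e.g. `# CSafeLoader is the libyaml-backed SafeLoader: it still refuses python/object tags.`, so a future reader seeing `yaml.load` does not assume the protection was dropped. This is user-uploaded content, so the loader choice here matters most; the same `getattr(yaml, "CSafeLoader", yaml.SafeLoader)` fallback suggested for `utils.py` applies. Also `decribed` in the comment two lines down should be `described`.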
Expand All @@ -151,7 +151,7 @@ def upload_library(self, request):
json.dumps({"error": "libraryAlreadyImportedError"}),
status=HTTP_400_BAD_REQUEST,
)
except:
except yaml.YAMLError:
return HttpResponse(
json.dumps({"error": "invalidLibraryFileError"}),
status=HTTP_400_BAD_REQUEST,
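Review bot: Narrowing the bare `except:` to `yaml.YAMLError` is the right direction, but the context shows the `try` body also returns `libraryAlreadyImportedError`, i.e. it does more than parse. Any non-YAML exception it used to swallow (for example a `KeyError` on a document missing the key the code indexes, or a `TypeError` when the file parses to a scalar or list instead of a mapping) now surfaces as a 500 instead of `invalidLibraryFileError`. Either catch those explicitly alongside `yaml.YAMLError`, or validate the parsed document's shape before indexing into it.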

0 comments on commit c4360c8