diff --git a/README.md b/README.md
index 2a7a8450b..4f4aacedf 100644
--- a/README.md
+++ b/README.md
@@ -106,7 +106,7 @@ Check out the online documentation on https://intuitem.gitbook.io/ciso-assistant
34. GSA FedRAMP rev5 ☁️🇺🇸
35. Cadre Conformité Cyber France (3CF) v1 (2021) ✈️🇫🇷
36. ANSSI : SecNumCloud ☁️🇫🇷
-37. Cadre Conformité Cyber France (3CF) v2 (2024) ✈️🇫🇷
+37. Cadre Conformité Cyber France (3CF) v2 (2024) ✈️🇫🇷
### Community contrib
@@ -115,8 +115,7 @@ Check out the online documentation on https://intuitem.gitbook.io/ciso-assistant
-> [!NOTE]
-> `*` These frameworks require an extra manual step of getting the latest Excel sheet through their website as their license prevent direct usage.
+> [!NOTE] > `*` These frameworks require an extra manual step of getting the latest Excel sheet through their website as their license prevent direct usage.
@@ -198,6 +197,7 @@ For docker setup on a remote server or hypervisor, checkout the [specific instru
- pip 20.3+
- node 18+
- npm 10.2+
+- yaml-cpp (brew install yaml-cpp libyaml or apt install libyaml-cpp-dev)
### Running the backend
@@ -413,7 +413,7 @@ Set DJANGO_DEBUG=False for security reason.
- [Django](https://www.djangoproject.com/) - Python Web Development Framework
- [SvelteKit](https://kit.svelte.dev/) - Frontend framework
- [Gunicorn](https://gunicorn.org/) - Python WSGI HTTP Server for UNIX
-- [Caddy](https://caddyserver.com) - The coolest reverse Proxy
+- [Caddy](https://caddyserver.com) - The coolest reverse Proxy
- [Gitbook](https://www.gitbook.com) - Documentation platform
- [PostgreSQL](https://www.postgresql.org/) - Open Source RDBMS
- [SQLite](https://www.sqlite.org/index.html) - Open Source RDBMS
diff --git a/backend/Dockerfile b/backend/Dockerfile
index d25aeebf7..0a734f180 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -9,7 +9,7 @@ WORKDIR /code
# Configure locales
RUN apt update && \
- apt install -y gettext locales && \
+ apt install -y gettext locales libyaml-cpp0.7 && \
apt clean && \
rm -rf /var/lib/apt/lists/* && \
sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \
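Review bot: The package added on the apt line, `libyaml-cpp0.7`, is the C++ yaml-cpp library, which PyYAML does not use; the `yaml.CSafeLoader` introduced in backend/library/utils.py and views.py needs PyYAML's libyaml bindings instead (Debian runtime package `libyaml-0-2`, build-time package `libyaml-dev`), and as far as I know the manylinux wheels of PyYAML already bundle that extension. Without the bindings `yaml.CSafeLoader` is simply absent and every library load raises AttributeError at request time, so the image would build fine and fail later. Suggest replacing the package with `libyaml-0-2` (or dropping it if the wheel is used) and adding a build-time check after the pip install step, e.g. `RUN python -c "import yaml, sys; sys.exit(0 if yaml.__with_libyaml__ else 1)"`. The README line in this commit recommending `libyaml-cpp-dev` has the same mix-up.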
diff --git a/backend/library/utils.py b/backend/library/utils.py
index 66a737df2..a9c7ee22f 100644
--- a/backend/library/utils.py
+++ b/backend/library/utils.py
@@ -8,6 +8,8 @@
from django.http import Http404
import yaml
+
+# interesting thread: https://stackoverflow.com/questions/27743711/can-i-speedup-yaml
from ciso_assistant import settings
from core.models import (
Framework,
@@ -74,7 +76,7 @@ def get_available_libraries():
libs = AVAILABLE_LIBRARIES.get((fname, modified_time))
if libs is None:
with open(fname, "r", encoding="utf-8") as file:
- libs = list(yaml.safe_load_all(file))
+ libs = list(yaml.load_all(file, Loader=yaml.CSafeLoader))
AVAILABLE_LIBRARIES[(fname, os.path.getmtime(fname))] = libs
for _lib in libs:
if (lib := Library.objects.filter(urn=_lib["urn"]).first()) is not None:
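Review bot: `yaml.CSafeLoader` on the replaced line exists only when PyYAML was built with its libyaml bindings (`yaml.__with_libyaml__`); on an install without them the attribute is missing and this call raises AttributeError instead of loading anything. A module-level fallback keeps the safe semantics either way, e.g. `_YAML_LOADER = getattr(yaml, "CSafeLoader", yaml.SafeLoader)` next to `import yaml`, then `libs = list(yaml.load_all(file, Loader=_YAML_LOADER))`; the same applies to the `yaml.load` call in the get_library hunk below and to the upload handler in backend/library/views.py. The fallback must stay a Safe loader, never `yaml.Loader` or `yaml.FullLoader`, because views.py feeds the same loader user-uploaded files. get_available_libraries starts outside the hunk.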
@@ -152,7 +154,8 @@ def get_library(urn: str) -> dict | None:
# Attempt to directly load the library from its specific YAML file.
if os.path.isfile(path):
with open(path, "r", encoding="utf-8") as file:
- library_data = yaml.safe_load(file)
+ library_data = yaml.load(file, Loader=yaml.CSafeLoader)
+ # TODO: looks like we are going through here twice, why?
if library_data and library_data.get("urn") == urn:
return library_data
logger.error("File not found", path=path)
diff --git a/backend/library/views.py b/backend/library/views.py
index 7baa5e4ae..4124cb947 100644
--- a/backend/library/views.py
+++ b/backend/library/views.py
@@ -133,7 +133,7 @@ def upload_library(self, request):
attachment = request.FILES["file"]
validate_file_extension(attachment)
# Use safe_load to prevent arbitrary code execution.
- library = yaml.safe_load(attachment)
+ library = yaml.load(attachment, Loader=yaml.CSafeLoader)
# This code doesn't handle the library "dependencies" field yet as decribed in the architecture.
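Review bot: The comment `# Use safe_load to prevent arbitrary code execution.` directly above the changed line now describes a call that is no longer made; since `attachment` is `request.FILES["file"]`, i.e. user-supplied, the reason the loader must be a Safe variant is worth keeping accurate: `# Use a Safe loader (CSafeLoader) so an uploaded file cannot construct arbitrary Python objects.`. If a fallback loader is later introduced for installs without libyaml, it must be `yaml.SafeLoader` here for the same reason. upload_library continues outside the hunk.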
@@ -151,7 +151,7 @@ def upload_library(self, request):
json.dumps({"error": "libraryAlreadyImportedError"}),
status=HTTP_400_BAD_REQUEST,
)
- except:
+ except yaml.YAMLError:
return HttpResponse(
json.dumps({"error": "invalidLibraryFileError"}),
status=HTTP_400_BAD_REQUEST,
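Review bot: Narrowing the handler on the changed line to `yaml.YAMLError` means anything else raised inside the try now escapes as an unhandled server error rather than the `invalidLibraryFileError` 400; the try body is outside the hunk, so I cannot see whether it covers the `yaml.load` call and the later field accesses, but a well-formed YAML document that is not a mapping (a bare scalar or list) would fail with TypeError or AttributeError on the first `library[...]` access, which this clause does not catch. Suggest validating the shape right after loading, `if not isinstance(library, dict): return HttpResponse(json.dumps({"error": "invalidLibraryFileError"}), status=HTTP_400_BAD_REQUEST)`, or widening the clause to `except (yaml.YAMLError, TypeError, AttributeError, KeyError):` and logging the exception with `logger.exception(...)` if a logger is in scope in this module.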