diff --git a/README.md b/README.md
index 2a7a8450b..4f4aacedf 100644
--- a/README.md
+++ b/README.md
@@ -106,7 +106,7 @@ Check out the online documentation on https://intuitem.gitbook.io/ciso-assistant
 34. GSA FedRAMP rev5 ☁️🇺🇸
 35. Cadre Conformité Cyber France (3CF) v1 (2021) ✈️🇫🇷
 36. ANSSI : SecNumCloud ☁️🇫🇷
-37. Cadre Conformité Cyber France (3CF) v2 (2024) ✈️🇫🇷
+37. Cadre Conformité Cyber France (3CF) v2 (2024) ✈️🇫🇷
 ### Community contrib
@@ -115,8 +115,7 @@ Check out the online documentation on https://intuitem.gitbook.io/ciso-assistant
-> [!NOTE]
-> `*` These frameworks require an extra manual step of getting the latest Excel sheet through their website as their license prevent direct usage.
+> [!NOTE] > `*` These frameworks require an extra manual step of getting the latest Excel sheet through their website as their license prevent direct usage.
@@ -198,6 +197,7 @@ For docker setup on a remote server or hypervisor, checkout the [specific instru
 - pip 20.3+
 - node 18+
 - npm 10.2+
+- yaml-cpp (brew install yaml-cpp libyaml or apt install libyaml-cpp-dev)
 ### Running the backend
@@ -413,7 +413,7 @@ Set DJANGO_DEBUG=False for security reason.
 - [Django](https://www.djangoproject.com/) - Python Web Development Framework
 - [SvelteKit](https://kit.svelte.dev/) - Frontend framework
 - [Gunicorn](https://gunicorn.org/) - Python WSGI HTTP Server for UNIX
-- [Caddy](https://caddyserver.com) - The coolest reverse Proxy
+- [Caddy](https://caddyserver.com) - The coolest reverse Proxy
 - [Gitbook](https://www.gitbook.com) - Documentation platform
 - [PostgreSQL](https://www.postgresql.org/) - Open Source RDBMS
 - [SQLite](https://www.sqlite.org/index.html) - Open Source RDBMS
diff --git a/backend/Dockerfile b/backend/Dockerfile
index d25aeebf7..0a734f180 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -9,7 +9,7 @@ WORKDIR /code
 # Configure locales
 RUN apt update && \
- apt install -y gettext locales && \
+ apt install -y gettext locales libyaml-cpp0.7 && \
 apt clean && \
 rm -rf /var/lib/apt/lists/* && \
 sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \
diff --git a/backend/library/utils.py b/backend/library/utils.py
index 66a737df2..a9c7ee22f 100644
--- a/backend/library/utils.py
+++ b/backend/library/utils.py
@@ -8,6 +8,8 @@ from django.http import Http404
 import yaml
+
+# interesting thread: https://stackoverflow.com/questions/27743711/can-i-speedup-yaml
 from ciso_assistant import settings
 from core.models import (
 Framework,
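Review bot: The package added on the `apt install` line, `libyaml-cpp0.7`, is the C++ yaml-cpp library, which as far as I know PyYAML never links against; `yaml.CSafeLoader` comes from PyYAML's `_yaml` extension built against LibYAML (`libyaml-0-2` on Debian), and the manylinux wheels bundle that library already. If the installed PyYAML wheel lacks the extension, this package does not make `CSafeLoader` appear and the new loader calls in `backend/library/utils.py` and `backend/library/views.py` fail with `AttributeError` at first use; if the wheel has it, the package is dead weight in the image. I would drop it, or replace it with the runtime library the extension actually needs, `apt install -y gettext locales libyaml-0-2 && \`, and assert the speed-up is real in the build with `RUN python -c "import yaml; yaml.CSafeLoader"`. The README prerequisite added in this commit names yaml-cpp for the same reason and would need the same correction.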
@@ -74,7 +76,7 @@ def get_available_libraries():
 libs = AVAILABLE_LIBRARIES.get((fname, modified_time))
 if libs is None:
 with open(fname, "r", encoding="utf-8") as file:
- libs = list(yaml.safe_load_all(file))
+ libs = list(yaml.load_all(file, Loader=yaml.CSafeLoader))
 AVAILABLE_LIBRARIES[(fname, os.path.getmtime(fname))] = libs
 for _lib in libs:
 if (lib := Library.objects.filter(urn=_lib["urn"]).first()) is not None:
@@ -152,7 +154,8 @@ def get_library(urn: str) -> dict | None:
 # Attempt to directly load the library from its specific YAML file.
 if os.path.isfile(path):
 with open(path, "r", encoding="utf-8") as file:
- library_data = yaml.safe_load(file)
+ library_data = yaml.load(file, Loader=yaml.CSafeLoader)
+ # TODO: looks like we are going through here twice, why?
 if library_data and library_data.get("urn") == urn:
 return library_data
 logger.error("File not found", path=path)
diff --git a/backend/library/views.py b/backend/library/views.py
index 7baa5e4ae..4124cb947 100644
--- a/backend/library/views.py
+++ b/backend/library/views.py
@@ -133,7 +133,7 @@ def upload_library(self, request):
 attachment = request.FILES["file"]
 validate_file_extension(attachment)
 # Use safe_load to prevent arbitrary code execution.
- library = yaml.safe_load(attachment)
+ library = yaml.load(attachment, Loader=yaml.CSafeLoader)
 # This code doesn't handle the library "dependencies" field yet as decribed in the architecture.
@@ -151,7 +151,7 @@ def upload_library(self, request):
 json.dumps({"error": "libraryAlreadyImportedError"}),
 status=HTTP_400_BAD_REQUEST,
 )
-except:
+except yaml.YAMLError:
 return HttpResponse(
 json.dumps({"error": "invalidLibraryFileError"}),
 status=HTTP_400_BAD_REQUEST,
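Review bot: `yaml.CSafeLoader` on the new `libs = list(yaml.load_all(file, Loader=yaml.CSafeLoader))` line exists only when PyYAML was built with its LibYAML extension; on a pure-Python install the attribute is missing and `get_available_libraries` raises `AttributeError` on the first call, and nothing in the hunk guards against that. A module-level fallback keeps the speed-up opportunistic without weakening safety: `_SAFE_LOADER = getattr(yaml, "CSafeLoader", yaml.SafeLoader)` next to the `import yaml`, then `libs = list(yaml.load_all(file, Loader=_SAFE_LOADER))` here. Both loaders refuse arbitrary Python object construction, so a one-line comment such as `# CSafeLoader is the LibYAML build of SafeLoader: same safety, faster parse` would stop the next reader from "upgrading" to `CLoader`. Separately, the cache write on the following line keys on a fresh `os.path.getmtime(fname)` while the lookup used `modified_time`, so a file rewritten between the two calls is cached under an mtime it was not parsed from; this is pre-existing but worth aligning while the line is touched. `get_available_libraries` starts and ends outside the hunk.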
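Review bot: The check `if library_data and library_data.get("urn") == urn:` right after the new `yaml.load(file, Loader=yaml.CSafeLoader)` assumes the document's top level is a mapping; a library file whose root is a list or a scalar makes `.get` raise `AttributeError` instead of falling through to the "File not found" log, and the new loader does not change that. I would tighten it to `if isinstance(library_data, dict) and library_data.get("urn") == urn:`. The committed `# TODO: looks like we are going through here twice, why?` reads as a question to the author rather than guidance for a maintainer; either resolve the double call before merging or rewrite it as an actionable note naming the caller, presumably something like `# TODO(owner): called twice per request via <caller>; dedupe or cache`, once the caller is confirmed. `get_library` starts and ends outside the hunk.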
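Review bot: The comment `# Use safe_load to prevent arbitrary code execution.` above the new `library = yaml.load(attachment, Loader=yaml.CSafeLoader)` is now stale: the code no longer calls `safe_load`, and a reviewer grepping this upload path for `yaml.load` has to know that `CSafeLoader` is the C build of `SafeLoader` to trust it. I would rewrite it as `# CSafeLoader is the LibYAML-backed SafeLoader: it still refuses arbitrary Python object construction on this untrusted upload, it is just faster than safe_load.` so the security property is stated at the call site. Note also that if the installed PyYAML lacks its C extension, `yaml.CSafeLoader` raises `AttributeError`, which is not a `yaml.YAMLError` and so bypasses the handler this commit narrows below, turning every upload into a 500; `getattr(yaml, "CSafeLoader", yaml.SafeLoader)` avoids that. `upload_library` starts and ends outside the hunk.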
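Review bot: Narrowing the bare `except:` to `except yaml.YAMLError:` is the right direction, but the `try` it closes opens before this hunk and, if it covers the `request.FILES["file"]` access shown in the earlier hunk, a request with no file now raises `KeyError` as an unhandled 500 where it previously returned the 400 `invalidLibraryFileError`; the same goes for a YAML document whose root is not a mapping, which presumably makes the later field access raise `TypeError` or `AttributeError`. I would keep the narrow handler for parse errors and validate the parsed shape immediately after loading, e.g. `if not isinstance(library, dict): raise yaml.YAMLError("library document must be a mapping")`, or return the 400 directly, and add an explicit 400 for the missing-file case rather than relying on the old catch-all. Because the `try` body starts outside the hunk I cannot see every statement it covers, so the exception set should be confirmed against the full function.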