Switch to CLoader for yaml

README.md

@@ -106,7 +106,7 @@ Check out the online documentation on https://intuitem.gitbook.io/ciso-assistant
 34. GSA FedRAMP rev5 ☁️🇺🇸
 35. Cadre Conformité Cyber France (3CF) v1 (2021) ✈️🇫🇷
 36. ANSSI : SecNumCloud ☁️🇫🇷
-37. Cadre Conformité Cyber France (3CF) v2 (2024) ✈️🇫🇷    
+37. Cadre Conformité Cyber France (3CF) v2 (2024) ✈️🇫🇷
 
 ### Community contrib
 
@@ -115,8 +115,7 @@ Check out the online documentation on https://intuitem.gitbook.io/ciso-assistant
 
 <br/>
 
-> [!NOTE]
-> `*` These frameworks require an extra manual step of getting the latest Excel sheet through their website as their license prevent direct usage.
+> [!NOTE] > `*` These frameworks require an extra manual step of getting the latest Excel sheet through their website as their license prevent direct usage.
 
 <br/>
 
@@ -198,6 +197,7 @@ For docker setup on a remote server or hypervisor, checkout the [specific instru
 - pip 20.3+
 - node 18+
 - npm 10.2+
+- yaml-cpp (brew install yaml-cpp libyaml or apt install libyaml-cpp-dev)
 
 ### Running the backend
 
@@ -413,7 +413,7 @@ Set DJANGO_DEBUG=False for security reason.
 - [Django](https://www.djangoproject.com/) - Python Web Development Framework
 - [SvelteKit](https://kit.svelte.dev/) - Frontend framework
 - [Gunicorn](https://gunicorn.org/) - Python WSGI HTTP Server for UNIX
-- [Caddy](https://caddyserver.com) - The coolest reverse Proxy 
+- [Caddy](https://caddyserver.com) - The coolest reverse Proxy
 - [Gitbook](https://www.gitbook.com) - Documentation platform
 - [PostgreSQL](https://www.postgresql.org/) - Open Source RDBMS
 - [SQLite](https://www.sqlite.org/index.html) - Open Source RDBMS

backend/Dockerfile

@@ -9,7 +9,7 @@ WORKDIR /code
 
 # Configure locales
 RUN apt update && \
-    apt install -y gettext locales && \
+    apt install -y gettext locales libyaml-cpp0.7 && \
     apt clean && \
     rm -rf /var/lib/apt/lists/* && \
     sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \

backend/library/utils.py

@@ -8,6 +8,8 @@
 from django.http import Http404
 
 import yaml
+
+# interesting thread: https://stackoverflow.com/questions/27743711/can-i-speedup-yaml
 from ciso_assistant import settings
 from core.models import (
     Framework,
@@ -74,7 +76,7 @@ def get_available_libraries():
         libs = AVAILABLE_LIBRARIES.get((fname, modified_time))
         if libs is None:
             with open(fname, "r", encoding="utf-8") as file:
-                libs = list(yaml.safe_load_all(file))
+                libs = list(yaml.load_all(file, Loader=yaml.CSafeLoader))
             AVAILABLE_LIBRARIES[(fname, os.path.getmtime(fname))] = libs
         for _lib in libs:
             if (lib := Library.objects.filter(urn=_lib["urn"]).first()) is not None:
@@ -152,7 +154,8 @@ def get_library(urn: str) -> dict | None:
         # Attempt to directly load the library from its specific YAML file.
         if os.path.isfile(path):
             with open(path, "r", encoding="utf-8") as file:
-                library_data = yaml.safe_load(file)
+                library_data = yaml.load(file, Loader=yaml.CSafeLoader)
+                # TODO: looks like we are going through here twice, why?
                 if library_data and library_data.get("urn") == urn:
                     return library_data
         logger.error("File not found", path=path)

backend/library/views.py

@@ -133,7 +133,7 @@ def upload_library(self, request):
             attachment = request.FILES["file"]
             validate_file_extension(attachment)
             # Use safe_load to prevent arbitrary code execution.
-            library = yaml.safe_load(attachment)
+            library = yaml.load(attachment, Loader=yaml.CSafeLoader)
 
             # This code doesn't handle the library "dependencies" field yet as decribed in the architecture.
 
@@ -151,7 +151,7 @@ def upload_library(self, request):
                 json.dumps({"error": "libraryAlreadyImportedError"}),
                 status=HTTP_400_BAD_REQUEST,
             )
-        except:
+        except yaml.YAMLError:
             return HttpResponse(
                 json.dumps({"error": "invalidLibraryFileError"}),
                 status=HTTP_400_BAD_REQUEST,