The Python YAML library's default load() function will happily attempt to create arbitrary Python objects. If you load attacker-supplied YAML, bad things happen. The enclosed code snippet is an example of how to make bad things happen, since there still seem to be some non-believers.
I hereby claim:
- I am paulmcmillan on github.
- I am paulm (https://keybase.io/paulm) on keybase.
- I have a public key ASDUlo-gEYwyiQP_bebyaZCwfeNqTu9LkDM8aar-toDTaAo
To claim this, I am signing this object:
# Use this wrapper with functions in chains that return a tuple. The
# next function in the chain will get called with the contents of the
# tuple as (first) positional args, rather than just as the first
# arg. Note that both the sending and receiving function must have
# this wrapper, which goes between the @task decorator and the
# function definition. This wrapper should not otherwise interfere
# when these conditions are not met.
class UnwrapMe(object):
def iterit(*args, **kwargs):
    """
    This takes some input (int, string, list, iterable, whatever) and
    makes sure it is an iterable, making it a single item list if not.
    Importantly, it does rational things with strings.
    You can pass it more than one item. Cast is optional.
    def foo(offsets=10):
        offsets = iterit(offsets, cast=int)
# The easiest way to turn multiple commits in a feature branch into a single commit
# is to reset the feature branch changes in the master and commit everything again.
# Switch to the master branch and make sure you are up to date.
git checkout master
git fetch # this may be necessary (depending on your git config) to receive updates on origin/master
git pull
# Merge the feature branch into the master branch.
git merge feature_branch
I hereby claim:
- I am paulmcmillan on github.
- I am paulm (https://keybase.io/paulm) on keybase.
- I have a public key whose fingerprint is 47E3 93A2 74F7 5583 B735 0676 1161 CBFC E675 5113
To claim this, I am signing this object: