Replace deprecated yaml loader

mwbenowitz · mwbenowitz · commit 36b4898e2d61 · 2019-04-30T10:45:22.000-04:00
Replaces the deprecated pyyaml `load` method with the `full_load`
method, which prevents arbitrary code execution. Includes a test
suite for the `read` helper method.
diff --git a/aws_lambda/aws_lambda.py b/aws_lambda/aws_lambda.py
@@ -752,7 +752,7 @@ def get_concurrency(cfg):
 
 
 def read_cfg(path_to_config_file, profile_name):
-    cfg = read(path_to_config_file, loader=yaml.load)
+    cfg = read(path_to_config_file, loader=yaml.full_load)
     if profile_name is not None:
         cfg['profile'] = profile_name
     elif 'AWS_PROFILE' in os.environ:
diff --git a/tests/unit/test_readHelper.py b/tests/unit/test_readHelper.py
@@ -0,0 +1,41 @@
+import os
+import unittest
+import yaml
+from yaml import YAMLLoadWarning
+from aws_lambda.helpers import read
+
+class TestReadHelper(unittest.TestCase):
+
+    TEST_FILE = 'readTmp.txt'
+
+    def setUp(self):
+        with open(TestReadHelper.TEST_FILE, 'w') as tmp_file:
+            tmp_file.write('testYaml: testing')
+    
+    def tearDown(self):
+        os.remove(TestReadHelper.TEST_FILE)
+    
+    def test_read_no_loader_non_binary(self):
+        fileContents = read(TestReadHelper.TEST_FILE)
+        self.assertEqual(fileContents, 'testYaml: testing')
+    
+    def test_read_yaml_loader_non_binary(self):
+        testYaml = read(TestReadHelper.TEST_FILE, loader=yaml.full_load)
+        self.assertEqual(testYaml['testYaml'], 'testing')
+    
+    def test_read_no_loader_binary_mode(self):
+        fileContents = read(TestReadHelper.TEST_FILE, binary_file=True)
+        self.assertEqual(fileContents, b'testYaml: testing')
+    
+    def test_read_yaml_loader_binary_mode(self):
+        testYaml = read(
+            TestReadHelper.TEST_FILE,
+            loader=yaml.full_load,
+            binary_file=True
+        )
+        self.assertEqual(testYaml['testYaml'], 'testing')
+    
+    def test_read_yaml_old_load_warns(self):
+        with self.assertWarns(YAMLLoadWarning):
+            testYaml = read(TestReadHelper.TEST_FILE, loader=yaml.load)
+            self.assertEqual(testYaml['testYaml'], 'testing')
