Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not use PyYAML in frigate app #13809

Closed
wants to merge 5 commits into from
Closed

Do not use PyYAML in frigate app #13809

wants to merge 5 commits into from

Conversation

gtsiam
Copy link
Contributor

@gtsiam gtsiam commented Sep 18, 2024
edited
Loading

Turns out we can do away with PyYAML entirely in frigate itself, so I'll just do that.

Original description:

This is almost the exact same pr as #13803, which was reverted in #13805.

The CodeQL security vulnerability is bullshit (pardon my french) a false positive.

Besides, I can literally execute arbitrary commands in the go2rtc config, what RCE? Security theatre intensifies.

Also, it's not new - You'll notice it flags it even in previous commits. I just happened to touch the relevant code which caused it to think it's "new".

Only change is that I moved the yaml.load() calls to a builtins.load_yaml() function to silence CodeQL when the custom loader is used in the future.

@gtsiam
Ignore entire __pycache__ folder instead of individual *.pyc files
53e92a7
@gtsiam
Rewrite the yaml loader to match PyYAML
532bbc8 
The old implementation would fail in weird ways with configs that were
incorrect in just the right way. The new implementation just does what
PyYAML would do, only diverging in case of duplicate keys.
@gtsiam
Security theatre: Use yaml.load() in one place.
c62c080 
CodeQL complains when you use yaml.load() with custom loaders.
This will at least get it to stfu whenever our custom loader is used.
@netlify Netlify
Copy link

netlify bot commented Sep 18, 2024
edited
Loading

Deploy Preview for frigate-docs canceled.

Name Link
🔨 Latest commit c85ef9a
🔍 Latest deploy log https://app.netlify.com/sites/frigate-docs/deploys/66ea8177aac37d0008226fb3

@gtsiam gtsiam marked this pull request as draft September 18, 2024 06:54
@gtsiam
Copy link
Contributor Author

gtsiam commented Sep 18, 2024

Hold up, ruamel.yaml is already a dependency. Then we don't even need this hack. I'll remove it entirely then.

@gtsiam gtsiam marked this pull request as ready for review September 18, 2024 07:21
@gtsiam gtsiam changed the title Rewrite YAML loader (Security theatre edition) Do not use PyYAML in frigate app Sep 18, 2024
@gtsiam
Copy link
Contributor Author

gtsiam commented Sep 18, 2024

Actually I'm gonna rework much of this in the next PR, so don't bother reviewing it.

@gtsiam gtsiam closed this Sep 18, 2024
@gtsiam gtsiam mentioned this pull request Sep 22, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@gtsiam