Dependencies: update requirement to `pyyaml~=5.4` (#221)
The versions of `pyyaml` up to v5.4 contained severe security issues where the default loaders could be abused for arbitrary code execution. The default `FullLoader` was patched to, but as a result, data sets that could be successfully deserialized with it, now will fail.

The update caused a few tests to fail. The `rmq.test_communications:test_launch_nowait` test was hanging because the communicator that was being used, used the default decoder that is defined for the `Communicator`. This is defined in `kiwipy` to be the `FullLoader`. This safe loader can no longer be used since our message payloads cannot be deserialized by it, causing the message receive to fail, which caused the test to hang since it was waiting indefinitely for a response. The solution is to change the decoder for the communicator in the test to use the `Loader` which can load the payloads.

Next, the test `rmq.test_process_comms:test_status` was also hanging for a very similar reason. The `Process.get_status_info` method returns a dictionary containing an instance of the `ProcessState` enum. The new `FullLoader` refuses to load this for safety reasons and so the message receiver excepts causing the test to hang waiting for the response. The solution is to serialize the value ourselves simply by converting it to its string representation. Note that this was already being done for the `status_info` key, duplicating the information, which is therefore removed.

Finally, `mypy` complained about using `yaml.Loader` directly. This is fixed by using the explicit import path for the JSON loader in the `Excepted.load_instance_state`. Note that `Loader` is identical to `UnsafeLoader` and the latter is merely kept for backward compatibility purposes, so here we change `UnsafeLoader` with the preferred `Loader`.
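The loader behaviour described in the commit message can be reproduced with the added example below, which is not code from this commit or project. It assumes PyYAML 5.4 or later is installed; the `ProcessState` enum here is a hypothetical stand-in, and `raw_payload`, `plain_payload` and `accepted_by` are illustrative helper names.

```python
import enum

import yaml  # PyYAML; assumed to be version 5.4 or later


class ProcessState(enum.Enum):
    """Hypothetical stand-in for the enum named in the commit message."""
    CREATED = 'created'
    RUNNING = 'running'


def raw_payload(state):
    """Dump a status dict holding the enum itself.

    The default Dumper emits a python/object/apply tag for the enum,
    which only the unsafe loaders are willing to construct.
    """
    return yaml.dump({'state': state})


def plain_payload(state):
    """Dump the same dict with the enum converted to its string form first.

    Only plain YAML scalars are emitted, so no Python-specific tag is needed.
    """
    return yaml.safe_dump({'state': str(state)})


def accepted_by(document, loader_name):
    """Return True if the named PyYAML loader constructs the document."""
    loader = getattr(yaml, loader_name)
    try:
        yaml.load(document, Loader=loader)
    except yaml.constructor.ConstructorError:
        # The loader has no constructor registered for a tag in the document.
        return False
    return True


if __name__ == '__main__':
    for label, doc in (('raw enum', raw_payload(ProcessState.CREATED)),
                       ('string form', plain_payload(ProcessState.CREATED))):
        for name in ('SafeLoader', 'FullLoader'):
            print(label, name, 'accepts' if accepted_by(doc, name) else 'refuses')
```

A receiver that treats the refusal as a fatal error rather than waiting for a reply surfaces this kind of mismatch immediately instead of hanging.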