Fix Namespace loading in PyYAML 5.4.x #6673
Conversation
chris-boson
requested review from
awaelchli,
Borda,
carmocca,
justusschock,
SeanNaren,
tchaton and
williamFalcon
as code owners
pytorch_lightning/core/saving.py
Outdated
| @@ -350,7 +350,7 @@ def load_hparams_from_yaml(config_yaml: str, use_omegaconf: bool = True) -> Dict | |||
| return {} | |||
|
|
|||
| with fs.open(config_yaml, "r") as fp: | |||
| hparams = yaml.load(fp, Loader=yaml.UnsafeLoader) | |||
| hparams = yaml.load(fp, Loader=yaml.Loader) | |||
There was a problem hiding this comment.
@chris-boson Why replace this?
There was a problem hiding this comment.
Actually I think this does just default to UnsafeLoader, but it doesn't seem to cause problems with pyyaml 5.4.x functionality wise.
I think if we want to use SafeLoader we need to add our own Loader and add constructors yaml/pyyaml#482 (comment)
There was a problem hiding this comment.
Similar to this https://stackoverflow.com/a/52586430
There was a problem hiding this comment.
we are fine with declare own Loader, @chris-boson mind send a suggestion?
Borda
requested review from
ananyahjha93,
edenlightning,
SkafteNicki and
teddykoker
as code owners
|
@chris-boson pls target master as default branch |
chris-boson
force-pushed
the
enhance/pyyaml54
branch
from
b07843b to
02d2dd9
Compare
Codecov Report
@@ Coverage Diff @@
## master #6673 +/- ##
=======================================
- Coverage 91% 87% -4%
=======================================
Files 200 200
Lines 12929 12929
=======================================
- Hits 11780 11222 -558
- Misses 1149 1707 +558 |
|
@Borda Are we ok with just removing Alternatively we need to add our own |
requirements.txt
Outdated
| @@ -4,7 +4,7 @@ numpy>=1.16.6 | |||
| torch>=1.4 | |||
| future>=0.17.1 # required for builtins in setup.py | |||
| # pyyaml>=3.13 | |||
| PyYAML>=5.1, !=5.4.* # OmegaConf requirement >=5.1 | |||
| PyYAML>=5.1 # OmegaConf requirement >=5.1 | |||
There was a problem hiding this comment.
OmegaConf 2.0 and newer declares it's version dependency on pyyaml so this line should no longer been needed (At some point in the far past it didn't, which was the reason for adding this in the first place).
https://github.com/omry/omegaconf/blob/2.0_branch/requirements/base.txt
chris-boson
force-pushed
the
enhance/pyyaml54
branch
3 times, most recently
from
f29491e to
2eab087
Compare
we do not want any future versions like 6.x or so... so rather ban specific version if needed |
|
@chris-boson how is it going here? |
chris-boson
force-pushed
the
enhance/pyyaml54
branch
from
8c2833b to
487b327
Compare
@Borda I added a yaml loader for Namespace objects, we would need to add constructors for other objects we want to load safely (one of the tests is failing) |
|
So to use SafeLoader we would need to add constructors for every object serialized? Should we just use the UnsafeLoader then? AFAIK this was the case before, and we can't guarantee what will be saved to |
Yeah, at least it wouldn't be any worse than it was before. So effectively we'd just take out the PyYAML!=5.4.* from requirements |
|
Exactly, @Borda, do you agree? |
but isn't that change in PyYAML for the future, is there an expectation that 5.5 will be fine? |
We can put <=5.4.1? |
chris-boson
force-pushed
the
enhance/pyyaml54
branch
from
487b327 to
9a499cc
Compare
chris-boson
force-pushed
the
enhance/pyyaml54
branch
from
9a499cc to
7bb5ba2
Compare
chris-boson
force-pushed
the
enhance/pyyaml54
branch
from
7bb5ba2 to
5990971
Compare
|
@chris-boson what's blocking this? |
seems like your approval :] |
What does this PR do?
This fixes Namespace loading with PyYAML 5.4.x, which was restricted due to a security vulnerability.
Related issues:
#5606
#5619
Fixes #6666
fixes #7291
Before submitting
PR review
Anyone in the community is free to review the PR once the tests have passed.
Before you start reviewing make sure you have read Review guidelines. In short, see the following bullet-list:
Did you have fun?
Make sure you had fun coding 🙃