[Med] Snyk - Arbitrary Code Execution (due 9/10)

[lbeaufort]

Vulnerable module: PyYAML

Introduced through: project@0.0.0 › bandit@1.4.0 › PyYAML@3.13 Removed
Introduced through: project@0.0.0 › flask-apispec@0.6.0.post0 › apispec@0.19.0 › PyYAML@3.13
Introduced through: project@0.0.0 › apispec@0.19.0 › PyYAML@3.13

No current remediation path. Best choice is to see what we can swap out for other packages or remove.

After discussing with @vrajmohan and putting in an issue to apispec to address the PyYAML vulnerability, our best approach is to:

• Update the dependent packages to the latest versions: Upgrade to latest apispec and flask-apispec versions #3356
• Fork the packages and use yaml.safe_load() and use those forked versions in our project
• Update apispec to the latest version if they make the change

[vrajmohan]

There appears to be no release of PyYAML _on PyPI _ beyond 3.13 at this time - https://pypi.org/project/PyYAML/#history. There is a 4.1 release on GitHub but the fixes in it appear to be reversed in the 4.2 tree.

Also, note that there is only a single dependency on PyYAML that remains - from apispec.

The dependency from bandit has been eliminated and the dependency from flask_apispec is indirect, through apispec.

[vrajmohan]

Given that the next PyYAML release is not out yet but is due soon (there are some beta releases), my recommendation is to wait on this for another sprint. Tagging @lbeaufort and @patphongs to inform Jay?

[vrajmohan]

Detailed discussion around the PyYAML release fiasco: yaml/pyyaml#193