PyYML (Python in YAML)
This library, `pyyml` (version 0.0.2), integrates Python code execution directly into YAML documents: Python names and expressions are evaluated while the YAML is loaded. Its last release was in 2019 and the project appears to be unmaintained. The feature, while seemingly powerful, is a serious security liability, because arbitrary Python code is executed when YAML from an untrusted source is loaded. It is distinct from the widely used and actively maintained `PyYAML` library.
Warnings
- breaking: The `pyyml` library is extremely old (last release 2019) and appears to be unmaintained. It is not compatible with modern Python practices or security standards, and using it on newer Python versions may lead to unexpected behavior or system instability.
- breaking: Using `pyyml` for 'Python in YAML' introduces severe security vulnerabilities. The `PythonLoader` explicitly enables the execution of arbitrary Python code (via `!!python/eval` and `!!python/name`) during YAML loading. Any untrusted YAML input processed with `pyyml` can therefore lead to remote code execution (RCE) or other attacker-controlled effects.
- gotcha: The `pyyml` library is distinct from `PyYAML`, the widely adopted YAML parser. Installing `pyyml` does not give you the `PyYAML` package, and vice versa. Running `import yaml` after installing only `pyyml` will raise an `ImportError` unless `PyYAML` is also installed.
Install
- pip install pyyml
Imports
- PythonLoader
from pyyml.pyyml import PythonLoader
- PythonDumper
from pyyml.pyyml import PythonDumper
- yaml
import yaml
Quickstart
import yaml
from pyyml.pyyml import PythonLoader, PythonDumper
# Example YAML with Python code (!!python/eval and !!python/name)
yaml_string = """
message: !!python/eval "'Hello, ' + 'World!'"
version_info: !!python/name 'sys.version_info'
calculate: !!python/eval "lambda x, y: x + y"
"""
# Load the YAML using PythonLoader. This evaluates the embedded Python, so only ever do it on trusted, locally authored input.
data = yaml.load(yaml_string, Loader=PythonLoader)
print(f"Message: {data['message']}")
print(f"Python Version Info: {data['version_info']}")
print(f"Calculation (5 + 3): {data['calculate'](5, 3)}")
# Example of dumping (if PythonDumper is used for custom types)
python_data = {
'my_list': [1, 2, 3],
'my_tuple': (4, 5),
'my_set': {6, 7}
}
# Note: PythonDumper may not handle all arbitrary Python objects without custom constructors/representers.
# For simple types, it behaves like SafeDumper.
dumped_yaml = yaml.dump(python_data, Dumper=PythonDumper, default_flow_style=False)
print("\nDumped YAML:")
print(dumped_yaml)
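As an added example (not part of the `pyyml` package or the quickstart above), the following stdlib-only pre-load gate refuses YAML that carries the `!!python/...` tags the `PythonLoader` would execute, so untrusted input can be rejected before it reaches any loader; the actual fix for untrusted input remains `yaml.safe_load`, which does not honour these tags, and this scanner is defence in depth in front of it. All function and constant names are my own, and the two sample documents are constructed.

```python
import re
from typing import List, Tuple
# Tag namespaces that pyyml's PythonLoader (and PyYAML's unsafe loaders) turn into
# name lookup or expression evaluation; this covers !!python/eval and !!python/name.
DANGEROUS_TAG_PREFIXES = ("python/",)
# A tag token: verbatim "!<uri>", shorthand "!!suffix" or local "!suffix".
_TAG_RE = re.compile(r"""(?<![\w'"])(!<[^>]*>|!!?[^\s'"]+)""")

def _strip_quotes_and_comment(line: str) -> str:
    """Blank quoted scalars and drop a trailing comment (per-line heuristic, not a parser)."""
    out, quote = [], None
    for ch in line:
        if quote:                                    # inside '...' or "...": blank it
            out.append(" ")
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            out.append(" ")
        elif ch == "#" and (not out or out[-1] in " \t"):
            break                                    # rest of the line is a comment
        else:
            out.append(ch)
    return "".join(out)

def _tag_suffix(tag: str) -> str:
    """'!!python/eval' -> 'python/eval'; '!<tag:yaml.org,2002:python/name>' -> 'python/name'."""
    if tag.startswith("!<") and tag.endswith(">"):
        uri = tag[2:-1]
        return uri[len("tag:yaml.org,2002:"):] if uri.startswith("tag:yaml.org,2002:") else uri
    return tag.lstrip("!")

def find_code_tags(yaml_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, tag) for every tag that would run Python code on load."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        for m in _TAG_RE.finditer(_strip_quotes_and_comment(line)):
            if _tag_suffix(m.group(0)).startswith(DANGEROUS_TAG_PREFIXES):
                findings.append((lineno, m.group(0)))
    return findings

def is_safe_to_load(yaml_text: str) -> bool:
    """Gate for untrusted input: True means no code tag was found; then use yaml.safe_load."""
    return not find_code_tags(yaml_text)

# Constructed samples: the quickstart document, and a benign one where the tag text appears only inside a quoted scalar and a comment.
UNTRUSTED_YAML = ("message: !!python/eval \"'Hello, ' + 'World!'\"\n"
                  "version_info: !!python/name 'sys.version_info'\n")
BENIGN_YAML = ("# !!python/eval here is only a comment\n"
               "note: 'the text !!python/eval is harmless when quoted'\n"
               "count: !!int '42'\n")
```

The check is per line and deliberately conservative: a local `!python/...` tag or a verbatim `!<tag:yaml.org,2002:python/...>` tag is refused as well, since both name the same namespace.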