mjdorma / funconf Goto Github PK

Funconf uses yaml.load which allows for loading of unsafe yaml including the python/object/apply construct which will arbitrarily load a module and execute a function.

As an example we can do the following with the demo code:

demo.conf

#
# Foo
#
foo:
  bar: 4
  moo:
  - how
  - are
  - you
  buzz: !!python/object/apply:buzz.sus [bar, moo]

#
# Bread
#
bread:
  butter: win
  milk: fail

def sus(bar, moo):
    print "This is awfully suspicious.... %s - %s" % (bar, moo)
    exit()

Might be worth using the safe_load function instead. We are more likely to raise a yaml.constructor.ConstructorError, not sure if this is desirable and whether we should raise it as a more specific error to unsafe behaviour if found...

When a list value is used for a config entry, eg:

devenv:
  solutions: []

funcconf uses shlex.split() to "cast" the command line argument to a list. This behaves badly for Windows paths, for example the following command line:

xbuild devenv --solutions packages\\Solution.sln

results in a "solutions" value of packagesSolution.sln rather than the expected packages\Solution.sln.

Suggestions

Change the cast_list function to use the posix=False argument to shlex.split(), introducted in Python 2.6.

i.e.

value = shlex.splite(value, posix=False)

This works for me, but turning off Posix compatibility may be a bad thing. An alternative would be to handle backslashes in the input string as a special case, eg:

value = value.replace('\\', 'xxBACKSLASHxx')
value = [v.replace('xxBACKSLASHxx', '\\') for v in shlex.split(value)]

When decorating a function using multiple config elements a TypeError('too many positional arguments') is raised.

This can be reproduced using the 'demo.conf' in the documentation with the following code.

import begin
import funconf

config = funconf.Config('demo.conf')

@begin.subcommand
@config.foo
@config.bread
def foo(**k):
    "This is the foo code"
    print("Foo got %s" % k)
    print("Config is:")
    print(config)

@begin.start
def entry():
    "This is a super dooper program..."
    pass

The following traceback is produced:

Traceback (most recent call last):
  File "demo.py", line 31, in 
    @begin.start
  File "C:\Anaconda\lib\site-packages\begin\main.py", line 135, in start
    return _start(func)
  File "C:\Anaconda\lib\site-packages\begin\main.py", line 117, in _start
    prog.start()
  File "C:\Anaconda\lib\site-packages\begin\main.py", line 55, in start
    opts, sub_group=self._group, collector=self._collector)
  File "C:\Anaconda\lib\site-packages\begin\cmdline.py", line 237, in apply_opti
ons
    return_value = call_function(subfunc, signature(subfunc), opts)
  File "C:\Anaconda\lib\site-packages\begin\cmdline.py", line 217, in call_funct
ion
    return func(*pargs, **kwargs)
  File "C:\Anaconda\lib\site-packages\funconf.py", line 401, in wrapper
    return func(*args, **kwargs)
  File "C:\Anaconda\lib\site-packages\funconf.py", line 248, in wrapper
    return func(*args, **kwargs)
  File "C:\Anaconda\lib\site-packages\funconf.py", line 379, in wrapper
    arguments = OrderedDict(sig.bind(*args, **kwargs).arguments)
  File "C:\Anaconda\lib\site-packages\funcsigs\__init__.py", line 771, in bind
    return self._bind(args, kwargs)
  File "C:\Anaconda\lib\site-packages\funcsigs\__init__.py", line 707, in _bind
    raise TypeError('too many positional arguments')
TypeError: too many positional arguments

Running a -h runs without error