Hello,
in December the maintainer of ply announced its abandonment. I'd like to ask if there are any plans regarding ply. pycparser currently bundles version 3.10, which was released in 2017. Through static analysis we have found that there are problems with this version.
Defect type: SIGMA.unsafe_deserialization
1. ply-3.11/build/lib/ply/yacc.py:2011: Sigma main event: The application uses reflection to deserialize data to arbitrary objects by invoking the dangerous `load()` or `loads()` functions from the `pickle` library. If the application passes untrusted data to these functions, an attacker can achieve remote code execution (RCE) by creating malicious serialized objects.
The problem was later fixed in this commit (dabeaz/ply@1fac9fe), but it was never properly released. We've tried to build from this commit in Fedora (where we unbundle ply and have pycparser depend on the actual package), but the build fails with:
+ /usr/bin/python3 _build_tables.py
Traceback (most recent call last):
  File "/builddir/build/BUILD/python-pycparser-2.22-build/pycparser-release_v2.22/pycparser/_build_tables.py", line 29, in <module>
    c_parser.CParser(
    ~~~~~~~~~~~~~~~~^
        lex_optimize=True,
        ^^^^^^^^^^^^^^^^^^
        yacc_debug=False,
        ^^^^^^^^^^^^^^^^^
        yacc_optimize=True)
        ^^^^^^^^^^^^^^^^^^^
  File "/builddir/build/BUILD/python-pycparser-2.22-build/pycparser-release_v2.22/pycparser/../pycparser/c_parser.py", line 83, in __init__
    self.clex.build(
    ~~~~~~~~~~~~~~~^
        optimize=lex_optimize,
        ^^^^^^^^^^^^^^^^^^^^^^
        lextab=lextab,
        ^^^^^^^^^^^^^^
        outputdir=taboutputdir)
        ^^^^^^^^^^^^^^^^^^^^^^^
  File "/builddir/build/BUILD/python-pycparser-2.22-build/pycparser-release_v2.22/pycparser/../pycparser/c_lexer.py", line 65, in build
    self.lexer = lex.lex(object=self, **kwargs)
                 ~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^
TypeError: lex() got an unexpected keyword argument 'optimize'
In the farewell message the maintainer also mentioned: "No further maintenance is expected. At this point, there are many high-quality parsing libraries that you might consider using instead."
Would you consider moving to a different library, or is it a better idea to focus on making pycparser buildable from the latest ply commit?
Thank you.
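The static-analysis finding above concerns ply's use of pickle to cache generated parse tables: pickle.load() on a cache file that anyone else can write is an arbitrary-code-execution sink. The following is an added example for this issue, not code from ply or pycparser and not the change in dabeaz/ply@1fac9fe (whose contents are not reproduced here). It shows the shape of a data-only replacement: tables are stored as JSON, which can only yield plain data, the structure is validated on load, and any mismatch is reported as "no usable cache" so the caller regenerates the tables instead of trusting or crashing on the file. The table layout (action: state -> {token: int}, goto: state -> {nonterminal: int}) is a constructed simplification of ply's, and the function names are hypothetical.

```python
"""Data-only cache for generated parser tables (added example, not ply code)."""
import json
import os
import tempfile

CACHE_VERSION = 1  # bump when the on-disk layout changes


def _is_int_table(obj):
    """True only for {state-as-digit-string: {str: int}} with no surprises."""
    if not isinstance(obj, dict):
        return False
    for state, row in obj.items():
        if not (isinstance(state, str) and state.isdigit()):
            return False
        if not isinstance(row, dict):
            return False
        for symbol, value in row.items():
            # bool is a subclass of int in Python; reject it explicitly
            if (not isinstance(symbol, str) or isinstance(value, bool)
                    or not isinstance(value, int)):
                return False
    return True


def save_tables(path, grammar_signature, action, goto):
    """Write the tables atomically as JSON (JSON object keys must be strings)."""
    payload = {
        "version": CACHE_VERSION,
        "signature": grammar_signature,
        "action": {str(s): row for s, row in action.items()},
        "goto": {str(s): row for s, row in goto.items()},
    }
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as f:
        json.dump(payload, f, sort_keys=True)
    os.replace(tmp, path)  # readers never observe a half-written file


def load_tables(path, grammar_signature):
    """Return (action, goto), or None when the cache cannot be trusted."""
    try:
        with open(path, "r", encoding="utf-8") as f:
            payload = json.load(f)  # yields only dict/list/str/int/float/bool/None
    except (OSError, ValueError):
        return None
    if not isinstance(payload, dict) or payload.get("version") != CACHE_VERSION:
        return None
    if payload.get("signature") != grammar_signature:
        return None  # cache was built from a different grammar
    action, goto = payload.get("action"), payload.get("goto")
    if not (_is_int_table(action) and _is_int_table(goto)):
        return None  # corrupt or tampered: fall back to regenerating
    return ({int(s): row for s, row in action.items()},
            {int(s): row for s, row in goto.items()})


def demo():
    """Round-trip, then two tampering cases; returns what the loader decided."""
    # Constructed sample tables; a real grammar signature would be a digest
    # of the rules, here it is just a placeholder string.
    action = {0: {"ID": 3, "$end": -1}, 1: {"+": 4}}
    goto = {0: {"expr": 1}}
    sig = "grammar-signature-placeholder"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "parsetab.json")
        save_tables(path, sig, action, goto)
        ok = load_tables(path, sig)
        wrong_grammar = load_tables(path, "some-other-grammar")
        # Simulate a tampered cache: a string where an int is required.
        with open(path, "w", encoding="utf-8") as f:
            f.write('{"version": 1, "signature": "%s", '
                    '"action": {"0": {"ID": "3"}}, "goto": {}}' % sig)
        bad_shape = load_tables(path, sig)
    return {"roundtrip": ok, "wrong_grammar": wrong_grammar,
            "bad_shape": bad_shape}


if __name__ == "__main__":
    print(demo())
```

The point of the design is that a tampered cache can at worst be rejected, never executed; the signature check additionally stops a stale cache from silently driving the parser after the grammar changed.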