Merge pull request #101 from alexander255/master

Deprecate `.add_pyobj` and `.get_pypbj` and stop recommending them in documentation (fixes #96)

Author: whereswaldon

README.md

@@ -104,13 +104,13 @@ Or add a directory recursively:
   'Name': 'fake_dir'}]
 ```
 
-This module also contains some helper functions for adding strings, json, and even python objects to IPFS:
+This module also contains some helper functions for adding strings and JSON to IPFS:
 
 ```py
 >>> lst = [1, 77, 'lol']
->>> api.add_pyobj(lst)
-'QmRFqz1ABQtbMBDfjpMubTaginvpVnf58Y87gheRzGfe4i'
->>> api.get_pyobj(_)
+>>> client.add_json(lst)
+'QmQ4R5cCUYBWiJpNL7mFe4LDrwD6qBr5Re17BoRAY9VNpd'
+>>> client.get_json(_)
 [1, 77, 'lol']
 ```
 

ipfsapi/client.py

@@ -8,6 +8,7 @@
 from __future__ import absolute_import
 
 import os
+import warnings
 
 from . import http, multipart, utils, exceptions, encoding
 
@@ -2126,6 +2127,14 @@ def get_json(self, multihash, **kwargs):
     def add_pyobj(self, py_obj, **kwargs):
         """Adds a picklable Python object as a file to IPFS.
 
+        .. deprecated:: 0.4.2
+           The ``*_pyobj`` APIs allow for arbitrary code execution if abused.
+           Either switch to :meth:`~ipfsapi.Client.add_json` or use
+           ``client.add_bytes(pickle.dumps(py_obj))`` instead.
+
+        Please see :meth:`~ipfsapi.Client.get_pyobj` for the
+        **security risks** of using these methods!
+
         .. code-block:: python
 
             >>> c.add_pyobj([0, 1.0, 2j, '3', 4e5])
@@ -2140,18 +2149,27 @@ def add_pyobj(self, py_obj, **kwargs):
         -------
             str : Hash of the added IPFS object
         """
+        warnings.warn("Using `*_pyobj` on untrusted data is a security risk",
+                      DeprecationWarning)
         return self.add_bytes(encoding.Pickle().encode(py_obj), **kwargs)
 
     def get_pyobj(self, multihash, **kwargs):
         """Loads a pickled Python object from IPFS.
 
+        .. deprecated:: 0.4.2
+           The ``*_pyobj`` APIs allow for arbitrary code execution if abused.
+           Either switch to :meth:`~ipfsapi.Client.get_json` or use
+           ``pickle.loads(client.cat(multihash))`` instead.
+
         .. caution::
 
             The pickle module is not intended to be secure against erroneous or
             maliciously constructed data. Never unpickle data received from an
             untrusted or unauthenticated source.
 
-            See the :mod:`pickle` module documentation for more information.
+            Please **read**
+            `this article <https://www.cs.uic.edu/%7Es/musings/pickle/>`_ to
+            understand the security risks of using this method!
 
         .. code-block:: python
 
@@ -2167,4 +2185,6 @@ def get_pyobj(self, multihash, **kwargs):
         -------
             object : Deserialized IPFS Python object
         """
+        warnings.warn("Using `*_pyobj` on untrusted data is a security risk",
+                      DeprecationWarning)
         return self.cat(multihash, decoder='pickle', **kwargs)