Use yaml.safe_load instead of load.

Fixes security issue and deprecation of simple use of yaml.load without an explicit loader. Change-Id: If47e3fd1cc09c7a1db1fad05a643aa3da04cf26c
2020-12-02 15:46:23 +00:00 · 2020-12-02 15:46:23 +00:00 · 7d473e4d43
commit 7d473e4d43
parent cfcc7d53b3
2 changed files with 7 additions and 6 deletions
--- a/gerritbot/bot.py
+++ b/gerritbot/bot.py
@ -436,7 +436,7 @@ def _main(config):
        raise Exception("Channel Config must be specified in config file.")

    try:
-        channel_config = ChannelConfig(yaml.load(open(fp)))
+        channel_config = ChannelConfig(yaml.safe_load(open(fp)))
    except Exception:
        log = logging.getLogger('gerritbot')
        log.exception("Syntax error in chanel config file")
--- a/gerritbot/tests/unit/test_bot.py
+++ b/gerritbot/tests/unit/test_bot.py
@ -48,14 +48,14 @@ openstack-infra:

 class ChannelConfigTestCase(testtools.TestCase):
    def test_missing_octothorpe(self):
-        channel_config = bot.ChannelConfig(yaml.load(CHANNEL_CONFIG_YAML))
+        channel_config = bot.ChannelConfig(yaml.safe_load(CHANNEL_CONFIG_YAML))
        # TODO(jlvillal): Python 2 only assert. Must change to use
        # six.assertCountEqual() for Python 2/3 compatibility
        self.assertItemsEqual(['#openstack-dev', '#openstack-infra'],
                              channel_config.channels)

    def test_branches(self):
-        channel_config = bot.ChannelConfig(yaml.load(CHANNEL_CONFIG_YAML))
+        channel_config = bot.ChannelConfig(yaml.safe_load(CHANNEL_CONFIG_YAML))
        expected_channels = {'#openstack-dev', '#openstack-infra'}
        self.assertEqual(
            {
@ -65,7 +65,7 @@ class ChannelConfigTestCase(testtools.TestCase):
            channel_config.branches)

    def test_events(self):
-        channel_config = bot.ChannelConfig(yaml.load(CHANNEL_CONFIG_YAML))
+        channel_config = bot.ChannelConfig(yaml.safe_load(CHANNEL_CONFIG_YAML))
        expected_channels = {'#openstack-dev', '#openstack-infra'}
        self.assertEqual(
            {
@ -79,7 +79,7 @@ class ChannelConfigTestCase(testtools.TestCase):
            channel_config.events)

    def test_projects(self):
-        channel_config = bot.ChannelConfig(yaml.load(CHANNEL_CONFIG_YAML))
+        channel_config = bot.ChannelConfig(yaml.safe_load(CHANNEL_CONFIG_YAML))
        self.assertEqual(
            {
                '^openstack/': {'#openstack-infra'},
@ -109,7 +109,8 @@ class GerritTestCase(testtools.TestCase):
    def setUp(self):
        super(GerritTestCase, self).setUp()
        self.ircbot = IrcBotHelper()
-        self.channel_config = bot.ChannelConfig(yaml.load(CHANNEL_CONFIG_YAML))
+        self.channel_config = bot.ChannelConfig(
+            yaml.safe_load(CHANNEL_CONFIG_YAML))
        self.channel = "#openstack-infra"
        self.gerrit = bot.Gerrit(ircbot=self.ircbot,
                                 channel_config=self.channel_config,