From cf81bd39a6ebe28d31db48c09d982f9f9d310b6e Mon Sep 17 00:00:00 2001
From: Luong Anh Tuan
Date: Wed, 18 Jan 2017 11:46:33 +0700
Subject: [PATCH] Replace yaml.load() with yaml.safe_load()

Avoid dangerous file parsing and object serialization libraries. yaml.load is the obvious function to use but it is dangerous[1] Because yaml.load return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load limits this ability to simple Python objects like integers or lists. In addition, Bandit flags yaml.load() as security risk so replace all occurrences with yaml.safe_load(). Thus I replace yaml.load() with yaml.safe_load()

[1]https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: Ife71148013d5f94ec5ae62633ff9a41f419bd3b7
Closes-Bug: #1634265
---
 .../modules/catalog_ci/files/scripts/generate_names.py | 2 +-
 openstack_catalog/tests/test_openstack_catalog.py | 2 +-
 tools/asset_history.sh | 2 +-
 tools/check_app_catalog_yaml.py | 2 +-
 tools/yaml2json.py | 4 ++--
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/deployment/catalog-ci-jenkins/modules/catalog_ci/files/scripts/generate_names.py b/deployment/catalog-ci-jenkins/modules/catalog_ci/files/scripts/generate_names.py
index 0d82412..6468abd 100755
--- a/deployment/catalog-ci-jenkins/modules/catalog_ci/files/scripts/generate_names.py
+++ b/deployment/catalog-ci-jenkins/modules/catalog_ci/files/scripts/generate_names.py
@@ -19,7 +19,7 @@ import yaml
 def yaml_to_dict(infile, k):
     stream = open(infile, 'r')
-    rdict = yaml.load(stream)[k]
+    rdict = yaml.safe_load(stream)[k]
     return rdict
diff --git a/openstack_catalog/tests/test_openstack_catalog.py b/openstack_catalog/tests/test_openstack_catalog.py
index 5c067ed..2ce5f77 100644
--- a/openstack_catalog/tests/test_openstack_catalog.py
+++ b/openstack_catalog/tests/test_openstack_catalog.py
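Review bot: The handle opened on the line above the change, `stream = open(infile, 'r')`, is never closed, so yaml_to_dict leaks a file descriptor per call and relies on the garbage collector to release it. Since the call is being touched anyway, read inside a context manager: `with open(infile, 'r') as stream:` followed by `return yaml.safe_load(stream)[k]`. Note also that safe_load returns None for an empty or comment-only document, so the `[k]` subscript would then raise TypeError rather than KeyError; if infile can ever be empty, an explicit check before indexing gives a clearer failure. yaml_to_dict fits entirely within the hunk.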
@@ -39,7 +39,7 @@ class TestOpenstack_catalog(testtools.TestCase):
         return content_file.read()
     def _read_file(self, file_name):
-        return yaml.load(self._read_raw_file(file_name))
+        return yaml.safe_load(self._read_raw_file(file_name))
     def _verify_by_schema(self, file_name, schema):
         data = self._read_file(file_name)
diff --git a/tools/asset_history.sh b/tools/asset_history.sh
index 32d8232..97a1926 100755
--- a/tools/asset_history.sh
+++ b/tools/asset_history.sh
@@ -3,7 +3,7 @@ asset_file="$1"
 awk '{line+=1}/^ -/{end=line-1; if(start > 0){print start "," end}; count+=1;start=line;}END{print start "," line}' "$asset_file" | while read line; do
 size=`echo $line | awk -F, '{print $2-$1+1}'`
 end=`echo $line | awk -F, '{print $2}'`
-name=`head -n $end "$asset_file" | tail -n $size | python -c 'import yaml,sys; print yaml.load(sys.stdin)[0]["name"]'`
+name=`head -n $end "$asset_file" | tail -n $size | python -c 'import yaml,sys; print yaml.safe_load(sys.stdin)[0]["name"]'`
 date=`git blame -w -L $line "$asset_file" | sed 's/^[^(]*(\([^)]*\)).*/\1/' | python -c 'import sys,dateutil.parser; print max([dateutil.parser.parse("%s %s%s"%(j[0], j[1], j[2])) for j in [i.split()[-4:] for i in sys.stdin.readlines()]])'`
 #Dump out the name of the asset, and the last modified date as a json doc to stdout to be reassembled outside the loop into one document
 (echo $name; echo $date) | python -c 'import sys,json; print json.dumps([i.strip() for i in sys.stdin.readlines()]),'
diff --git a/tools/check_app_catalog_yaml.py b/tools/check_app_catalog_yaml.py
index dc0786a..9ac9f24 100755
--- a/tools/check_app_catalog_yaml.py
+++ b/tools/check_app_catalog_yaml.py
@@ -106,7 +106,7 @@ def main():
     yaml.add_representer(OrderedDict, project_representer, Dumper=IndentedDumper)
-    data = yaml.load(open('openstack_catalog/web/static/assets.yaml'))
+    data = yaml.safe_load(open('openstack_catalog/web/static/assets.yaml'))
     assets = []
     for a in data['assets']:
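Review bot: The changed `name=` line keeps the Python 2 print statement (`print yaml.safe_load(sys.stdin)[0]["name"]`), which is a SyntaxError under Python 3, so the script only works where `python` resolves to a 2.x interpreter; `print(yaml.safe_load(sys.stdin)[0]["name"])` is valid on both and costs nothing. The value is then echoed unquoted two lines later (`echo $name`), so an asset name containing whitespace or glob characters is word-split and glob-expanded before it reaches json.dumps; `echo "$name"; echo "$date"` avoids that. The `[0]["name"]` subscript also assumes every slice parses to a non-empty list of mappings, which nothing in the hunk checks — presumably guaranteed by the assets file layout, but worth confirming. The while loop body continues past the end of the hunk.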
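Review bot: The changed line passes an anonymous `open(...)` straight into safe_load, so the file object is only closed whenever the garbage collector gets to it; a context manager keeps the fix and releases the handle deterministically: `with open('openstack_catalog/web/static/assets.yaml') as f:` then `data = yaml.safe_load(f)`. The path is relative, so the script still depends on being run from the repository root; that is pre-existing, but a one-line comment above the call such as `# expects to be run from the repository root` would save the next reader a failed run. main() begins before the hunk and continues after it.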
diff --git a/tools/yaml2json.py b/tools/yaml2json.py
index d135eef..c2eec35 100644
--- a/tools/yaml2json.py
+++ b/tools/yaml2json.py
@@ -36,9 +36,9 @@ def dict_merge(a, b):
 merge = {}
 for f in args.files:
-    merge = dict_merge(merge, yaml.load(open(f))['assets'])
+    merge = dict_merge(merge, yaml.safe_load(open(f))['assets'])
-y = yaml.load(sys.stdin)
+y = yaml.safe_load(sys.stdin)
 for a in y['assets']:
     s = a['service']
     if s['type'] == 'heat':
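Review bot: Both new lines still leave their inputs unchecked: `open(f)` is handed to safe_load and never closed, one leaked handle per entry in args.files, and `y = yaml.safe_load(sys.stdin)` yields None on empty stdin, so `y['assets']` on the following line fails with a bare TypeError rather than a useful message. For the loop, `with open(f) as fh:` followed by `merge = dict_merge(merge, yaml.safe_load(fh)['assets'])` closes each handle; for stdin, a guard such as `y = yaml.safe_load(sys.stdin) or {}` before the indexing, or an explicit error when 'assets' is missing, would make the failure mode obvious. The `for a in y['assets']:` loop continues past the end of the hunk.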