Replace yaml.load() with yaml.safe_load()

Avoid dangerous file parsing and object serialization libraries. yaml.load is the obvious function to use but it is dangerous[1] Because yaml.load return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load limits this ability to simple Python objects like integers or lists. In addition, Bandit flags yaml.load() as security risk so replace all occurrences with yaml.safe_load(). Thus I replace yaml.load() with yaml.safe_load() [1]https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html Change-Id: I84640973fd9f45a69d2b21f6d594cd5bf10660a6 Closes-Bug: #1634265
2017-01-16 15:01:51 +07:00 · 2017-01-16 15:01:51 +07:00 · ff8ae43265
parent 50941b13bc
commit ff8ae43265
4 changed files with 4 additions and 4 deletions
--- a/bin/dib-lint
+++ b/bin/dib-lint
@ -233,7 +233,7 @@ for i in $(find elements -type f -name '*.yaml'); do
 import yaml
 import sys
 try:
-    objs = yaml.load(open('$i'))
+    objs = yaml.safe_load(open('$i'))
 except yaml.parser.ParserError:
    sys.exit(1)
 "
--- a/elements/package-installs/bin/package-installs-squash
+++ b/elements/package-installs/bin/package-installs-squash
@ -59,7 +59,7 @@ def collect_data(data, filename, element_name):
    try:
        objs = json.load(open(filename))
    except ValueError:
-        objs = yaml.load(open(filename))
+        objs = yaml.safe_load(open(filename))
    for pkg_name, params in objs.items():
        if not params:
            params = {}
--- a/elements/svc-map/bin/svc-map
+++ b/elements/svc-map/bin/svc-map
@ -24,7 +24,7 @@ def load_service_mapping(filepath="/usr/share/svc-map/services"):
    if not os.path.isfile(filepath):
        return {}
    with open(filepath, 'r') as data_file:
-        return yaml.load(data_file.read())
+        return yaml.safe_load(data_file.read())


 def main():
--- a/elements/svc-map/extra-data.d/10-merge-svc-map-files
+++ b/elements/svc-map/extra-data.d/10-merge-svc-map-files
@ -70,7 +70,7 @@ def main():
            data_path = os.path.join(element_path, element, "svc-map")
            if os.path.exists(data_path):
                with open(data_path, 'r') as dataFile:
-                    data = yaml.load(dataFile.read())
+                    data = yaml.safe_load(dataFile.read())
                    try:
                        service_names = merge_data(
                            data,