Replaces yaml.load() with yaml.safe_load() for fuel-agent
yaml.load() returns an arbitrary Python object and may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load() limits this ability to simple Python objects like integers or lists. Reference: https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html Change-Id: I5fb95063402e5adffeee0c2ead7adfd44eb76179
This commit is contained in:
parent
d5ac595f92
commit
31c2a87e61
@ -28,7 +28,7 @@ class Configuration(object):
data = {}
if os.path.exists(config_file):
with open(config_file) as f:
data = yaml.load(f)
data = yaml.safe_load(f)
else:
# TODO(atolochkova): need to add logger
sys.stderr.write("The config file couldn't be found: {0}"
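Review bot: An empty or comment-only config file makes the new `data = yaml.safe_load(f)` bind `data` to `None` (PyYAML yields `None` for an empty document), silently discarding the `data = {}` default set a few lines above, so whatever reads `data` after this hunk will see `None` instead of an empty mapping. `data = yaml.safe_load(f) or {}` preserves the default while keeping the safe loader. The same empty-document case applies to the `parse_release_file` hunk at `@ -430`, where `attr not in data` follows directly, and to `dump_runtime_uuid` at `@ -870`, where `data['runtime_uuid'] = uuid` follows. The enclosing method of `Configuration` continues outside the hunk.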
@ -664,7 +664,7 @@ class Nailgun(base.BaseDataDriver):
'.yaml'
metadata_url = urljoin(root_uri, filename)
try:
image_meta = yaml.load(
image_meta = yaml.safe_load(
utils.init_http_request(metadata_url).text)
except Exception as e:
LOG.exception(e)
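Review bot: The `except Exception as e:` that wraps the new `image_meta = yaml.safe_load(...)` call also swallows the `yaml.YAMLError` that `safe_load` raises when a fetched document carries a tag it refuses to construct, so a rejected document from `metadata_url` is logged no differently from a transport failure. Since this is exactly the untrusted-source case the commit message describes, a separate `except yaml.YAMLError as e:` clause that logs `metadata_url` alongside the error would make such rejections visible to whoever monitors the logs. Whether `init_http_request` checks the HTTP status before `.text` is consumed is not visible here. The enclosing function starts and ends outside the hunk.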
@ -430,7 +430,7 @@ def parse_release_file(content):
# multivalued field. so we can parse it just like yaml
# and then perform additional transformation for those
# fields (we know which ones are multivalues).
data = yaml.load(content)
data = yaml.safe_load(content)
for attr, columns in six.iteritems(_multivalued_fields):
if attr not in data:
@ -870,7 +870,7 @@ def dump_runtime_uuid(uuid, config):
utils.makedirs_if_not_exists(os.path.dirname(config))
if os.path.isfile(config):
with open(config, 'r') as f:
data = yaml.load(f)
data = yaml.safe_load(f)
data['runtime_uuid'] = uuid
LOG.debug('Save runtime_uuid:%s to file: %s', uuid, config)
with open(config, 'wt') as f: