Replaces yaml.load() with yaml.safe_load() for governance

yaml.load() returns arbitrary Python objects, which may be dangerous if you receive
a YAML document from an untrusted source such as the Internet.
The function yaml.safe_load() limits this ability to simple Python
objects like integers or lists.

Reference:
https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: Icf559f9c8b37c6f564c820fde79c85a77ba4f839
gengchc2 2017-02-04 18:37:01 +08:00
parent eb353f2d70
commit 1d9b388bf1
3 changed files with 3 additions and 3 deletions


@ -38,4 +38,4 @@ def setup(app):
filename = os.path.abspath('reference/projects.yaml')
app.info('reading %s' % filename)
with open(filename, 'r') as f:
_projects_yaml = yaml.load(f.read().decode('utf-8'))
_projects_yaml = yaml.safe_load(f.read().decode('utf-8'))
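Review bot: `yaml.safe_load` on line 25 returns `None` for an empty document, so an empty `reference/projects.yaml` leaves `_projects_yaml` set to `None` and any later use of it fails far from the cause; an explicit check after the load, e.g. `if _projects_yaml is None: raise ValueError('%s is empty' % filename)`, would keep the failure local and name the file. The same applies to line 34 and line 46 in the other two files, where the loaded value is iterated directly and `None` would raise a bare `TypeError`. The body of `setup(app)` starts before and continues after this hunk.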


@ -252,7 +252,7 @@ class ValidateSingleVendor(base.ValidatorBase):
def main():
filename = os.path.abspath('reference/projects.yaml')
with open(filename, 'r') as f:
projects = [k for k in yaml.load(f.read())]
projects = [k for k in yaml.safe_load(f.read())]
projects.sort()
print '<Team> (top commit % | top review % | top core review % | ' \
'top core reviewer %)'
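Review bot: The comprehension on line 34 followed by `projects.sort()` on line 35 only copies and sorts the mapping's keys, which reads more directly as one line: `projects = sorted(yaml.safe_load(f.read()))`, dropping the separate `.sort()` call. Whether the document is a mapping is not visible in the hunk; the key iteration suggests it, but if it could also be a list the same `sorted(...)` form still applies. `main()` continues past the end of this hunk.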


@ -47,7 +47,7 @@ def main():
if not os.path.isfile(filename):
sys.exit("Projects.yaml was not found at %s" % (filename))
with open(filename, 'r') as f:
teams = yaml.load(f.read())
teams = yaml.safe_load(f.read())
for team in teams:
# Check team based tags
for validator in team_validators:
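Review bot: A missing file is reported cleanly via `sys.exit` on line 43, but a malformed `projects.yaml` on line 46 escapes as a `yaml.YAMLError` traceback, which is inconsistent for the same kind of input problem in the same function. Wrapping the load keeps the two paths alike: `try: teams = yaml.safe_load(f.read())` / `except yaml.YAMLError as e: sys.exit("Could not parse %s: %s" % (filename, e))`. This `main()` starts and ends outside the hunk, and `team_validators` is defined elsewhere, so I cannot see whether a parse failure is caught further up.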