Replace yaml.load() with yaml.safe_load()

Yaml.load() return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load() limits this ability to simple Python objects like integers or lists. Reference: https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html Change-Id: Ib2bfd11354c6b35c90938c1075729dc7028236a3
2017-03-10 16:18:30 +08:00 · 2017-03-10 16:18:30 +08:00 · bb79184e69
commit bb79184e69
parent 5705749060
1 changed files with 1 additions and 1 deletions
--- a/hot/software-config/elements/heat-config-docker-compose/install.d/hook-docker-compose.py
+++ b/hot/software-config/elements/heat-config-docker-compose/install.d/hook-docker-compose.py
@ -79,7 +79,7 @@ def main(argv=sys.argv):

    # convert config to dict
    if not isinstance(config, dict):
-        config = ast.literal_eval(json.dumps(yaml.load(config)))
+        config = ast.literal_eval(json.dumps(yaml.safe_load(config)))

    os.chdir(proj)