Replace yaml.load() with yaml.safe_load()
Avoid dangerous file parsing and object serialization libraries. yaml.load is the obvious function to use, but it is dangerous [1], because yaml.load returns arbitrary Python objects, which may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load limits this ability to simple Python objects like integers or lists. In addition, Bandit flags yaml.load() as a security risk, so replace all occurrences with yaml.safe_load(). Thus I replace yaml.load() with yaml.safe_load(). [1] https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html Change-Id: Ifaecff145e91f72911ae05ea274a4977c56212c7 Closes-Bug: #1634265
This commit is contained in:
parent
4376df0bcd
commit
3cf5688141
@ -196,7 +196,7 @@ class YamlUtils(object):
|
||||
def get_dict(yaml_file):
|
||||
'''Returns the dictionary representation of the given YAML spec.'''
|
||||
try:
|
||||
return yaml.load(open(yaml_file))
|
||||
return yaml.safe_load(open(yaml_file))
|
||||
except IOError:
|
||||
return None
|
||||
|
||||
|
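Review bot: The file opened on the `return yaml.safe_load(open(yaml_file))` line is never explicitly closed; the handle is released only when the object is collected, which is prompt on CPython but not guaranteed on other interpreters. Use a context manager instead: `with open(yaml_file) as f:` followed by `return yaml.safe_load(f)`. Note also that `except IOError` only covers the open; a malformed document would presumably still raise yaml.YAMLError to the caller, which the docstring does not mention — if that is intended, say so, e.g. `'''Returns the dictionary representation of the given YAML spec, or None if the file cannot be read.'''`.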
@ -68,7 +68,7 @@ class ToscaAutoscaling(HotResource):
|
||||
return yaml.nodes.MappingNode(u'tag:yaml.org,2002:map', nodes)
|
||||
|
||||
def _handle_nested_template(self, scale_res):
|
||||
template_dict = yaml.load(HEAT_TEMPLATE_BASE)
|
||||
template_dict = yaml.safe_load(HEAT_TEMPLATE_BASE)
|
||||
template_dict['description'] = 'Tacker Scaling template'
|
||||
template_dict["resources"] = {}
|
||||
dict_res = OrderedDict()
|
||||
|
@ -214,7 +214,7 @@ class TranslatorShell(object):
|
||||
msg = _('Deploy the generated template, the stack name is %(name)s.')\
|
||||
% {'name': heat_stack_name}
|
||||
log.debug(msg)
|
||||
tpl = yaml.load(translator.translate())
|
||||
tpl = yaml.safe_load(translator.translate())
|
||||
|
||||
# get all the values for get_file from a translated template
|
||||
get_files = []
|
||||
|
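Review bot: The `tpl = yaml.safe_load(translator.translate())` line is the one call site in this change that parses data derived from caller-supplied TOSCA input rather than an in-tree constant, so a short comment would keep the unsafe loader from being reintroduced here, e.g. `# translate() output derives from user-supplied input; keep the safe loader`. The enclosing method of TranslatorShell starts before this hunk, so it is not visible whether a yaml.YAMLError from a malformed translation is handled upstream; if not, it propagates to the caller with a parser-level message.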