Use yaml.safe_load() instead of yaml.load()

yaml.load() can construct arbitrary Python objects from the input, which
may be dangerous. yaml.safe_load() limits construction to simple Python
objects such as integers or lists.

ref: https://en.wikipedia.org/wiki/YAML#Security

Change-Id: I9c28c25f4265fb691d39e72e20ef9c99f5538bf5
Bo Wang 2016-02-16 21:23:53 +08:00
parent 8ef79f95b7
commit d91eea03ac
7 changed files with 21 additions and 21 deletions


@ -742,7 +742,7 @@ class TestMistralWorkflow(common.HeatTestCase):
return execution return execution
def verify_create_params(self, wf_yaml): def verify_create_params(self, wf_yaml):
wf = yaml.load(wf_yaml)["create_vm"] wf = yaml.safe_load(wf_yaml)["create_vm"]
self.assertEqual(['on_error'], wf["task-defaults"]["on-error"]) self.assertEqual(['on_error'], wf["task-defaults"]["on-error"])
tasks = wf['tasks'] tasks = wf['tasks']
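Review bot: The call-site switch in verify_create_params (the `wf = yaml.safe_load(wf_yaml)["create_vm"]` line) is the right fix, but nothing in the commit stops a new `yaml.load()` from being reintroduced later, and the same pattern is repeated across all seven touched files. Since every changed file is a test, the concrete risk here is low; the value is in keeping the unsafe loader out of the codebase so it is never copied into code that parses user-supplied templates. A hacking check in the project's existing style checks, or bandit's B506 (yaml_load) rule in the lint job, would make this enforceable rather than a one-off sweep. verify_create_params continues past the end of this hunk.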


@ -67,7 +67,7 @@ class RBACPolicyTest(common.HeatTestCase):
self.neutron_client.create_rbac_policy.assert_called_with(expected) self.neutron_client.create_rbac_policy.assert_called_with(expected)
def test_validate_invalid_action(self): def test_validate_invalid_action(self):
tpl = yaml.load(inline_templates.RBAC_TEMPLATE) tpl = yaml.safe_load(inline_templates.RBAC_TEMPLATE)
tpl['resources']['rbac']['properties']['action'] = 'access_as_external' tpl['resources']['rbac']['properties']['action'] = 'access_as_external'
self._create_stack(tmpl=yaml.dump(tpl)) self._create_stack(tmpl=yaml.dump(tpl))
msg = "Invalid action access_as_external for object type network." msg = "Invalid action access_as_external for object type network."
@ -75,7 +75,7 @@ class RBACPolicyTest(common.HeatTestCase):
self.rbac.validate) self.rbac.validate)
def test_validate_invalid_type(self): def test_validate_invalid_type(self):
tpl = yaml.load(inline_templates.RBAC_TEMPLATE) tpl = yaml.safe_load(inline_templates.RBAC_TEMPLATE)
tpl['resources']['rbac']['properties']['object_type'] = 'networks' tpl['resources']['rbac']['properties']['object_type'] = 'networks'
self._create_stack(tmpl=yaml.dump(tpl)) self._create_stack(tmpl=yaml.dump(tpl))
msg = "Invalid object_type: networks. " msg = "Invalid object_type: networks. "


@ -365,7 +365,7 @@ Outputs:
self.stack.store() self.stack.store()
self.patchobject(urlfetch, 'get', return_value=self.nested_template) self.patchobject(urlfetch, 'get', return_value=self.nested_template)
self.nested_parsed = yaml.load(self.nested_template) self.nested_parsed = yaml.safe_load(self.nested_template)
self.nested_params = {"KeyName": "foo"} self.nested_params = {"KeyName": "foo"}
self.defn = rsrc_defn.ResourceDefinition( self.defn = rsrc_defn.ResourceDefinition(
'test_t_res', 'test_t_res',


@ -115,7 +115,7 @@ Outputs:
def test_nested_stack_create_with_timeout(self): def test_nested_stack_create_with_timeout(self):
url = self.publish_template(self.nested_template) url = self.publish_template(self.nested_template)
self.template = self.test_template.replace('the.yaml', url) self.template = self.test_template.replace('the.yaml', url)
timeout_template = yaml.load(self.template) timeout_template = yaml.safe_load(self.template)
props = timeout_template['Resources']['the_nested']['Properties'] props = timeout_template['Resources']['the_nested']['Properties']
props['TimeoutInMinutes'] = '50' props['TimeoutInMinutes'] = '50'
@ -142,7 +142,7 @@ Outputs:
} }
}, },
"environment": {"parameters": {}}, "environment": {"parameters": {}},
"template": yaml.load(self.template) "template": yaml.safe_load(self.template)
} }
stack_identifier = self.stack_adopt(adopt_data=json.dumps(adopt_data)) stack_identifier = self.stack_adopt(adopt_data=json.dumps(adopt_data))
@ -163,7 +163,7 @@ Outputs:
} }
}, },
"environment": {"parameters": {}}, "environment": {"parameters": {}},
"template": yaml.load(self.template) "template": yaml.safe_load(self.template)
} }
stack_identifier = self.stack_adopt(adopt_data=json.dumps(adopt_data), stack_identifier = self.stack_adopt(adopt_data=json.dumps(adopt_data),
@ -180,7 +180,7 @@ Outputs:
stack = self.client.stacks.get(stack_identifier) stack = self.client.stacks.get(stack_identifier)
self.assertEqual('bar', self._stack_output(stack, 'output_foo')) self.assertEqual('bar', self._stack_output(stack, 'output_foo'))
new_template = yaml.load(self.template) new_template = yaml.safe_load(self.template)
props = new_template['Resources']['the_nested']['Properties'] props = new_template['Resources']['the_nested']['Properties']
props['TemplateURL'] = self.publish_template(self.update_template, props['TemplateURL'] = self.publish_template(self.update_template,
cleanup=False) cleanup=False)


@ -75,7 +75,7 @@ outputs:
if not self.temp_def: if not self.temp_def:
# remove the default from the parameter in the nested template. # remove the default from the parameter in the nested template.
ntempl = yaml.load(self.nested_template) ntempl = yaml.safe_load(self.nested_template)
del ntempl['parameters']['length']['default'] del ntempl['parameters']['length']['default']
nested_template = yaml.dump(ntempl) nested_template = yaml.dump(ntempl)
else: else:


@ -419,7 +419,7 @@ outputs:
super(ResourceGroupAdoptTest, self).setUp() super(ResourceGroupAdoptTest, self).setUp()
def _yaml_to_json(self, yaml_templ): def _yaml_to_json(self, yaml_templ):
return yaml.load(yaml_templ) return yaml.safe_load(yaml_templ)
def test_adopt(self): def test_adopt(self):
data = { data = {
@ -455,7 +455,7 @@ outputs:
} }
}, },
"environment": {"parameters": {}}, "environment": {"parameters": {}},
"template": yaml.load(self.main_template) "template": yaml.safe_load(self.main_template)
} }
stack_identifier = self.stack_adopt( stack_identifier = self.stack_adopt(
adopt_data=json.dumps(data)) adopt_data=json.dumps(data))
@ -556,7 +556,7 @@ resources:
Simple rolling update with no conflict in batch size Simple rolling update with no conflict in batch size
and minimum instances in service. and minimum instances in service.
""" """
updt_template = yaml.load(copy.deepcopy(self.template)) updt_template = yaml.safe_load(copy.deepcopy(self.template))
grp = updt_template['resources']['random_group'] grp = updt_template['resources']['random_group']
policy = grp['update_policy']['rolling_update'] policy = grp['update_policy']['rolling_update']
policy['min_in_service'] = '1' policy['min_in_service'] = '1'
@ -575,7 +575,7 @@ resources:
Simple rolling update replace with no conflict in batch size Simple rolling update replace with no conflict in batch size
and minimum instances in service. and minimum instances in service.
""" """
updt_template = yaml.load(copy.deepcopy(self.template)) updt_template = yaml.safe_load(copy.deepcopy(self.template))
grp = updt_template['resources']['random_group'] grp = updt_template['resources']['random_group']
policy = grp['update_policy']['rolling_update'] policy = grp['update_policy']['rolling_update']
policy['min_in_service'] = '1' policy['min_in_service'] = '1'
@ -594,7 +594,7 @@ resources:
Simple rolling update with reduced size. Simple rolling update with reduced size.
""" """
updt_template = yaml.load(copy.deepcopy(self.template)) updt_template = yaml.safe_load(copy.deepcopy(self.template))
grp = updt_template['resources']['random_group'] grp = updt_template['resources']['random_group']
policy = grp['update_policy']['rolling_update'] policy = grp['update_policy']['rolling_update']
policy['min_in_service'] = '1' policy['min_in_service'] = '1'
@ -613,7 +613,7 @@ resources:
Simple rolling update with increased size. Simple rolling update with increased size.
""" """
updt_template = yaml.load(copy.deepcopy(self.template)) updt_template = yaml.safe_load(copy.deepcopy(self.template))
grp = updt_template['resources']['random_group'] grp = updt_template['resources']['random_group']
policy = grp['update_policy']['rolling_update'] policy = grp['update_policy']['rolling_update']
policy['min_in_service'] = '1' policy['min_in_service'] = '1'
@ -632,7 +632,7 @@ resources:
Update with capacity adjustment with enough resources. Update with capacity adjustment with enough resources.
""" """
updt_template = yaml.load(copy.deepcopy(self.template)) updt_template = yaml.safe_load(copy.deepcopy(self.template))
grp = updt_template['resources']['random_group'] grp = updt_template['resources']['random_group']
policy = grp['update_policy']['rolling_update'] policy = grp['update_policy']['rolling_update']
policy['min_in_service'] = '8' policy['min_in_service'] = '8'
@ -652,7 +652,7 @@ resources:
Rolling update with capacity adjustment due to conflict in Rolling update with capacity adjustment due to conflict in
batch size and minimum instances in service. batch size and minimum instances in service.
""" """
updt_template = yaml.load(copy.deepcopy(self.template)) updt_template = yaml.safe_load(copy.deepcopy(self.template))
grp = updt_template['resources']['random_group'] grp = updt_template['resources']['random_group']
policy = grp['update_policy']['rolling_update'] policy = grp['update_policy']['rolling_update']
policy['min_in_service'] = '8' policy['min_in_service'] = '8'
@ -671,7 +671,7 @@ resources:
Rolling Update with a huge batch size(more than Rolling Update with a huge batch size(more than
current size). current size).
""" """
updt_template = yaml.load(copy.deepcopy(self.template)) updt_template = yaml.safe_load(copy.deepcopy(self.template))
grp = updt_template['resources']['random_group'] grp = updt_template['resources']['random_group']
policy = grp['update_policy']['rolling_update'] policy = grp['update_policy']['rolling_update']
policy['min_in_service'] = '0' policy['min_in_service'] = '0'
@ -689,7 +689,7 @@ resources:
Rolling Update with a huge number of minimum instances Rolling Update with a huge number of minimum instances
in service. in service.
""" """
updt_template = yaml.load(copy.deepcopy(self.template)) updt_template = yaml.safe_load(copy.deepcopy(self.template))
grp = updt_template['resources']['random_group'] grp = updt_template['resources']['random_group']
policy = grp['update_policy']['rolling_update'] policy = grp['update_policy']['rolling_update']
policy['min_in_service'] = '20' policy['min_in_service'] = '20'
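Review bot: In the eight rolling-update hunks of this section (starting at `@ -556,7`), the new line `updt_template = yaml.safe_load(copy.deepcopy(self.template))` keeps a `copy.deepcopy` that does nothing useful: if `self.template` is a str, as passing it to `yaml.safe_load` suggests, `copy.deepcopy` returns the same immutable object, and the parsed dict is a fresh structure either way, so mutating `updt_template` cannot touch `self.template`. Since the line is being rewritten anyway, it could simply be `updt_template = yaml.safe_load(self.template)`. Separately, the `@ -455,7` hunk builds `"template": yaml.safe_load(self.main_template)` inline although `_yaml_to_json`, which wraps the same call, is defined on the class a few lines earlier at `@ -419,7`; calling `self._yaml_to_json(self.main_template)` there would keep one parsing path per test class, and the same applies to the TemplateResourceAdoptTest section below. Each of these hunks sits inside a test method that continues beyond the hunk.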


@ -602,7 +602,7 @@ Outputs:
super(TemplateResourceAdoptTest, self).setUp() super(TemplateResourceAdoptTest, self).setUp()
def _yaml_to_json(self, yaml_templ): def _yaml_to_json(self, yaml_templ):
return yaml.load(yaml_templ) return yaml.safe_load(yaml_templ)
def test_abandon(self): def test_abandon(self):
stack_identifier = self.stack_create( stack_identifier = self.stack_create(
@ -635,7 +635,7 @@ Outputs:
} }
}, },
"environment": {"parameters": {}}, "environment": {"parameters": {}},
"template": yaml.load(self.main_template) "template": yaml.safe_load(self.main_template)
} }
stack_identifier = self.stack_adopt( stack_identifier = self.stack_adopt(