From 7e11cab57b47cb36260035203553d0e1820ed44b Mon Sep 17 00:00:00 2001
From: Luong Anh Tuan
Date: Mon, 16 Jan 2017 15:33:56 +0700
Subject: [PATCH] Replace yaml.load() with yaml.safe_load()

Avoid dangerous file parsing and object serialization libraries. yaml.load is the obvious function to use but it is dangerous[1] Because yaml.load return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load limits this ability to simple Python objects like integers or lists. In addition, Bandit flags yaml.load() as security risk so replace all occurrences with yaml.safe_load(). Thus I replace yaml.load() with yaml.safe_load()

[1]https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: Ia45006ce1382022e5c776d06fdc3c33e9b4d8c47
Closes-Bug: #1634265
---
 keystoneauth1/tests/unit/test_betamax_serializer.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/keystoneauth1/tests/unit/test_betamax_serializer.py b/keystoneauth1/tests/unit/test_betamax_serializer.py
index 3929304f..a69318db 100644
--- a/keystoneauth1/tests/unit/test_betamax_serializer.py
+++ b/keystoneauth1/tests/unit/test_betamax_serializer.py
@@ -44,7 +44,7 @@ class TestBetamaxSerializer(testtools.TestCase):
 def test_serialize(self):
 data = json.loads(open(self.TEST_JSON, 'r').read())
 serialized = self.serializer.serialize(data)
- data = yaml.load(serialized)
+ data = yaml.safe_load(serialized)
 request = data['http_interactions'][0]['request']
 self.assertEqual(
 'http://keystoneauth-betamax.test/v2.0/tokens',
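Review bot: The context line `data = json.loads(open(self.TEST_JSON, 'r').read())` two lines above the changed line never closes the file handle, which surfaces as a ResourceWarning under the test runner; since the line is already in the hunk it is a cheap follow-up to write `with open(self.TEST_JSON, 'r') as f:` / `data = json.load(f)`. The switch to `yaml.safe_load` is correct and should not change what the assertion below sees, because the round-tripped fixture originates from `json.loads` and so contains only mappings, lists and scalars, which safe_load handles identically. The diffstat lists only this one test module, so the description's "replace all occurrences" rests on this being the sole `yaml.load` call site in the tree; worth confirming with a search before merging.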