Use yaml.safe_loader instead of yaml.loader

yaml.loader is unsafe from a security perspective. From the documentation: Warning: It is not safe to call yaml.load with any data received from an untrusted source! yaml.load is as powerful as pickle.load and so may call any Python function. I am pretty sure we don't want k8s users calling any python function ;-) Change-Id: I7d2bb64d7920f530657426d2a1dc5780ebb95a47 Paritally-Implements: blueprint gate-bandit
2015-04-08 10:31:40 -07:00 · 2015-04-08 10:31:40 -07:00 · 27cf87da87
parent 9c8cd8005c
commit 27cf87da87
2 changed files with 2 additions and 20 deletions
--- a/magnum/common/k8s_manifest.py
+++ b/magnum/common/k8s_manifest.py
@ -19,11 +19,6 @@ import yaml
 from magnum.openstack.common._i18n import _


-if hasattr(yaml, 'CSafeLoader'):
-    yaml_loader = yaml.CSafeLoader
-else:
-    yaml_loader = yaml.SafeLoader
-
 if hasattr(yaml, 'CSafeDumper'):
    yaml_dumper = yaml.CSafeDumper
 else:
@ -34,13 +29,6 @@ def _construct_yaml_str(self, node):
    # Override the default string handling function
    # to always return unicode objects
    return self.construct_scalar(node)
-yaml_loader.add_constructor(u'tag:yaml.org,2002:str', _construct_yaml_str)
-# Unquoted dates like 2013-05-23 in yaml files get loaded as objects of type
-# datetime.data which causes problems in API layer when being processed by
-# openstack.common.jsonutils. Therefore, make unicode string out of timestamps
-# until jsonutils can handle dates.
-yaml_loader.add_constructor(u'tag:yaml.org,2002:timestamp',
-                            _construct_yaml_str)


 def parse(manifest_str):
@ -55,7 +43,7 @@ def parse(manifest_str):
        manifest = json.loads(manifest_str)
    else:
        try:
-            manifest = yaml.load(manifest_str, Loader=yaml_loader)
+            manifest = yaml.safe_load(manifest_str)
        except yaml.YAMLError as yea:
            yea = six.text_type(yea)
            msg = _('Error parsing manifest: %s') % yea
--- a/magnum/common/yamlutils.py
+++ b/magnum/common/yamlutils.py
@ -13,12 +13,6 @@
 import yaml


-if hasattr(yaml, 'CSafeLoader'):
-    yaml_loader = yaml.CSafeLoader
-else:
-    yaml_loader = yaml.SafeLoader
-
-
 if hasattr(yaml, 'CSafeDumper'):
    yaml_dumper = yaml.CSafeDumper
 else:
@ -27,7 +21,7 @@ else:

 def load(s):
    try:
-        yml_dict = yaml.load(s, yaml_loader)
+        yml_dict = yaml.safe_load(s)
    except yaml.YAMLError as exc:
        msg = 'An error occurred during YAML parsing.'
        if hasattr(exc, 'problem_mark'):