Use yaml.safe_loader instead of yaml.loader
yaml.loader is unsafe from a security perspective. From the documentation: Warning: It is not safe to call yaml.load with any data received from an untrusted source! yaml.load is as powerful as pickle.load and so may call any Python function. I am pretty sure we don't want k8s users calling any python function ;-) Change-Id: I7d2bb64d7920f530657426d2a1dc5780ebb95a47 Paritally-Implements: blueprint gate-bandit
This commit is contained in:
parent
9c8cd8005c
commit
27cf87da87
@ -19,11 +19,6 @@ import yaml
|
|||
from magnum.openstack.common._i18n import _
|
||||
|
||||
|
||||
if hasattr(yaml, 'CSafeLoader'):
|
||||
yaml_loader = yaml.CSafeLoader
|
||||
else:
|
||||
yaml_loader = yaml.SafeLoader
|
||||
|
||||
if hasattr(yaml, 'CSafeDumper'):
|
||||
yaml_dumper = yaml.CSafeDumper
|
||||
else:
|
||||
|
@ -34,13 +29,6 @@ def _construct_yaml_str(self, node):
|
|||
# Override the default string handling function
|
||||
# to always return unicode objects
|
||||
return self.construct_scalar(node)
|
||||
yaml_loader.add_constructor(u'tag:yaml.org,2002:str', _construct_yaml_str)
|
||||
# Unquoted dates like 2013-05-23 in yaml files get loaded as objects of type
|
||||
# datetime.data which causes problems in API layer when being processed by
|
||||
# openstack.common.jsonutils. Therefore, make unicode string out of timestamps
|
||||
# until jsonutils can handle dates.
|
||||
yaml_loader.add_constructor(u'tag:yaml.org,2002:timestamp',
|
||||
_construct_yaml_str)
|
||||
|
||||
|
||||
def parse(manifest_str):
|
||||
|
@ -55,7 +43,7 @@ def parse(manifest_str):
|
|||
manifest = json.loads(manifest_str)
|
||||
else:
|
||||
try:
|
||||
manifest = yaml.load(manifest_str, Loader=yaml_loader)
|
||||
manifest = yaml.safe_load(manifest_str)
|
||||
except yaml.YAMLError as yea:
|
||||
yea = six.text_type(yea)
|
||||
msg = _('Error parsing manifest: %s') % yea
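Review bot: `manifest = yaml.safe_load(manifest_str)` drops the two constructors the old module-level loader registered — the second hunk removes the `add_constructor` calls for `tag:yaml.org,2002:str` and `tag:yaml.org,2002:timestamp`, so unquoted dates in a manifest now load as datetime objects instead of strings, which the removed comment says breaks jsonutils in the API layer, and `_construct_yaml_str` (its body is still context at the top of that hunk) is left with no caller. The loader being replaced was already `CSafeLoader`/`SafeLoader` (first hunk), so this is a lint-driven rewrite rather than a fix for an unsafe load and should keep the old behaviour; `yaml.safe_load` parses with `yaml.SafeLoader`, so registering the constructors there keeps both the bandit-clean call and the string coercion: `yaml.SafeLoader.add_constructor(u'tag:yaml.org,2002:str', _construct_yaml_str)` and `yaml.SafeLoader.add_constructor(u'tag:yaml.org,2002:timestamp', _construct_yaml_str)`. Note that this mutates the shared `SafeLoader` class for every `safe_load` caller in the process, which is what the removed code already did when no C loader was present. parse() starts and ends outside this hunk.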
|
||||
|
|
|
@ -13,12 +13,6 @@
|
|||
import yaml
|
||||
|
||||
|
||||
if hasattr(yaml, 'CSafeLoader'):
|
||||
yaml_loader = yaml.CSafeLoader
|
||||
else:
|
||||
yaml_loader = yaml.SafeLoader
|
||||
|
||||
|
||||
if hasattr(yaml, 'CSafeDumper'):
|
||||
yaml_dumper = yaml.CSafeDumper
|
||||
else:
|
||||
|
@ -27,7 +21,7 @@ else:
|
|||
|
||||
def load(s):
|
||||
try:
|
||||
yml_dict = yaml.load(s, yaml_loader)
|
||||
yml_dict = yaml.safe_load(s)
|
||||
except yaml.YAMLError as exc:
|
||||
msg = 'An error occurred during YAML parsing.'
|
||||
if hasattr(exc, 'problem_mark'):
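Review bot: `yml_dict = yaml.safe_load(s)` carries no comment on why it replaced `yaml.load(s, yaml_loader)`, and since the loader it replaces was already `CSafeLoader`/`SafeLoader` (first hunk of this file) a reader will not find a security motive in the code itself; the visible effect is that the C-accelerated loader is no longer used when it is available, because `yaml.safe_load` is fixed to the pure-Python `SafeLoader`. A one-line comment keeps the intent: `# yaml.safe_load rather than yaml.load(..., Loader=SafeLoader) so the bandit gate does not flag this call`. If the C loader matters for large documents, the alternative is keeping `yaml.load` with an explicit `SafeLoader` plus a lint suppression, which trades an annotation for speed. load() continues past the end of this hunk.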
|
||||
|
|