Merge "Disable the use of anchors when parsing yaml"

2019-12-17 15:28:09 +00:00 · 2019-12-17 15:28:09 +00:00 · bc46b29f01
commit bc46b29f01
parent 844978824d eac23d9e77
6 changed files with 146 additions and 13 deletions
--- a/mistral/event_engine/default_event_engine.py
+++ b/mistral/event_engine/default_event_engine.py
@ -23,7 +23,6 @@ from oslo_log import log as logging
 from oslo_service import threadgroup
 from oslo_utils import fnmatch
 import six
-import yaml

 from mistral import context as auth_ctx
 from mistral.db.v2 import api as db_api
@ -33,6 +32,7 @@ from mistral import expressions
 from mistral import messaging as mistral_messaging
 from mistral.rpc import clients as rpc
 from mistral.services import security
+from mistral.utils import safe_yaml


 LOG = logging.getLogger(__name__)
@ -83,8 +83,8 @@ class NotificationsConverter(object):
                config = cf.read()

            try:
-                definition_cfg = yaml.safe_load(config)
-            except yaml.YAMLError as err:
+                definition_cfg = safe_yaml.load(config)
+            except safe_yaml.YAMLError as err:
                if hasattr(err, 'problem_mark'):
                    mark = err.problem_mark
                    errmsg = (
--- a/mistral/lang/parser.py
+++ b/mistral/lang/parser.py
@ -15,7 +15,6 @@

 import cachetools
 import threading
-import yaml
 from yaml import error

 import six
@ -27,6 +26,7 @@ from mistral.lang.v2 import actions as actions_v2
 from mistral.lang.v2 import tasks as tasks_v2
 from mistral.lang.v2 import workbook as wb_v2
 from mistral.lang.v2 import workflows as wf_v2
+from mistral.utils import safe_yaml

 V2_0 = '2.0'

@ -50,7 +50,7 @@ def parse_yaml(text):
    """

    try:
-        return yaml.safe_load(text) or {}
+        return safe_yaml.load(text) or {}
    except error.YAMLError as e:
        raise exc.DSLParsingException(
            "Definition could not be parsed: %s\n" % e
--- a/mistral/services/workflows.py
+++ b/mistral/services/workflows.py
@ -12,12 +12,12 @@
 #    See the License for the specific language governing permissions and
 #    limitations under the License.

-import yaml

 from mistral.db.v2 import api as db_api
 from mistral import exceptions as exc
 from mistral.lang import parser as spec_parser
 from mistral import services
+from mistral.utils import safe_yaml
 from mistral.workflow import states
 from mistral_lib import utils
 from oslo_log import log as logging
@ -95,7 +95,7 @@ def _append_all_workflows(definition, is_system, scope, namespace,
                          wf_list_spec, db_wfs):
    wfs = wf_list_spec.get_workflows()

-    wfs_yaml = yaml.load(definition) if len(wfs) != 1 else None
+    wfs_yaml = safe_yaml.load(definition) if len(wfs) != 1 else None

    for wf_spec in wfs:
        if len(wfs) != 1:
@ -135,7 +135,7 @@ def update_workflows(definition, scope='private', identifier=None,

    db_wfs = []

-    wfs_yaml = yaml.load(definition) if len(wfs) != 1 else None
+    wfs_yaml = safe_yaml.load(definition) if len(wfs) != 1 else None

    with db_api.transaction():
        for wf_spec in wfs:
@ -205,7 +205,7 @@ def _update_workflow(wf_spec, definition, scope, identifier=None,


 def _cut_wf_definition_from_all(wfs_yaml, wf_name):
-    return yaml.dump({
+    return safe_yaml.dump({
        'version': wfs_yaml['version'],
        wf_name: wfs_yaml[wf_name]
    })
--- a/mistral/tests/unit/lang/v2/base.py
+++ b/mistral/tests/unit/lang/v2/base.py
@ -14,11 +14,11 @@

 import copy

-import yaml

 from mistral import exceptions as exc
 from mistral.lang import parser as spec_parser
 from mistral.tests.unit import base
+from mistral.utils import safe_yaml
 from mistral_lib import utils


@ -75,9 +75,10 @@ class WorkflowSpecValidationTestCase(base.BaseTest):
            dsl_yaml = base.get_resource(self._resource_path + '/' + dsl_file)

            if changes:
-                dsl_dict = yaml.safe_load(dsl_yaml)
+                dsl_dict = safe_yaml.safe_load(dsl_yaml)
                utils.merge_dicts(dsl_dict, changes)
-                dsl_yaml = yaml.safe_dump(dsl_dict, default_flow_style=False)
+                dsl_yaml = safe_yaml.safe_dump(dsl_dict,
+                                               default_flow_style=False)
        else:
            dsl_dict = copy.deepcopy(self._dsl_blank)

@ -87,7 +88,7 @@ class WorkflowSpecValidationTestCase(base.BaseTest):
            if changes:
                utils.merge_dicts(dsl_dict, changes)

-            dsl_yaml = yaml.safe_dump(dsl_dict, default_flow_style=False)
+            dsl_yaml = safe_yaml.safe_dump(dsl_dict, default_flow_style=False)

        if not expect_error:
            return self._spec_parser(dsl_yaml)
--- a/mistral/tests/unit/utils/test_safeLoader.py
+++ b/mistral/tests/unit/utils/test_safeLoader.py
@ -0,0 +1,70 @@
+#  Copyright 2019 - Nokia Corporation
+#
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+from unittest import TestCase
+
+from mistral.utils import safe_yaml
+
+
+class TestSafeLoader(TestCase):
+    def test_safe_load(self):
+        yaml_text = """
+        version: '2.0'
+
+        wf1:
+          type: direct
+
+          input:
+            - a: &a ["lol","lol","lol","lol","lol"]
+            - b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
+            - c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
+            - d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
+            - e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
+            - f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
+            - g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
+            - h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
+            - i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
+
+
+          tasks:
+            hello:
+              action: std.echo output="Hello"
+              wait-before: 1
+              publish:
+                result: <% task(hello).result %>
+        """
+
+        result = {
+            'version': '2.0',
+            'wf1':
+                {'type': 'direct',
+                 'input': [
+                     {'a': '&a ["lol","lol","lol","lol","lol"]'},
+                     {'b': '&b [*a,*a,*a,*a,*a,*a,*a,*a,*a]'},
+                     {'c': '&c [*b,*b,*b,*b,*b,*b,*b,*b,*b]'},
+                     {'d': '&d [*c,*c,*c,*c,*c,*c,*c,*c,*c]'},
+                     {'e': '&e [*d,*d,*d,*d,*d,*d,*d,*d,*d]'},
+                     {'f': '&f [*e,*e,*e,*e,*e,*e,*e,*e,*e]'},
+                     {'g': '&g [*f,*f,*f,*f,*f,*f,*f,*f,*f]'},
+                     {'h': '&h [*g,*g,*g,*g,*g,*g,*g,*g,*g]'},
+                     {'i': '&i [*h,*h,*h,*h,*h,*h,*h,*h,*h]'}],
+                 'tasks':
+                    {'hello': {
+                        'action': 'std.echo output="Hello"',
+                        'wait-before': 1, 'publish':
+                            {'result': '<% task(hello).result %>'}
+                    }}
+                 }
+        }
+        self.assertEqual(result, safe_yaml.load(yaml_text))
--- a/mistral/utils/safe_yaml.py
+++ b/mistral/utils/safe_yaml.py
@ -0,0 +1,62 @@
+#  Copyright 2019 - Nokia Corporation
+#
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+import yaml
+from yaml import *  # noqa
+
+yaml.SafeDumper.ignore_aliases = lambda *args: True
+
+
+class SafeLoader(yaml.SafeLoader):
+    """Treat '@', '&', '*' as plain string.
+
+       Anchors are not used in mistral workflow. It's better to
+       disable them completely. Anchors can be used as an exploit to a
+       Denial of service attack through expansion (Billion Laughs)
+       see https://en.wikipedia.org/wiki/Billion_laughs_attack.
+       Also this module uses the safe loader by default which is always
+       a better loader.
+
+       When using yaml module to load a yaml file or a string use this
+       module instead of yaml.
+
+       Example:
+         import mistral.utils.safe_yaml as safe_yaml
+         ...
+         ...
+
+         safe_yaml.load(...)
+
+    """
+
+    def fetch_alias(self):
+        return self.fetch_plain()
+
+    def fetch_anchor(self):
+        return self.fetch_plain()
+
+    def check_plain(self):
+        # Modified: allow '@'
+        if self.peek() == '@':
+            return True
+        else:
+            return super(SafeLoader, self).check_plain()
+
+
+def load(stream):
+    return yaml.load(stream, SafeLoader)
+
+
+def safe_load(stream):
+    return load(stream)