Replace yaml.load() with yaml.safe_load()

Avoid dangerous file parsing and object serialization libraries. yaml.load is the obvious function to use but it is dangerous[1] Because yaml.load return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load limits this ability to simple Python objects like integers or lists. In addition, Bandit flags yaml.load() as security risk so replace all occurrences with yaml.safe_load(). Thus I replace yaml.load() with yaml.safe_load() [1] https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html Change-Id: I3f1a756e80b617ba1bcf824ef4dee9a27eb6887a Closes-Bug: #1634265
2017-01-18 09:26:49 +07:00 · 2017-01-18 09:26:49 +07:00 · 6f75509f9c
commit 6f75509f9c
parent 8c504efe04
2 changed files with 2 additions and 2 deletions
--- a/monasca_notification/main.py
+++ b/monasca_notification/main.py
@ -95,7 +95,7 @@ def main(argv=None):
    else:
        config_file = '/etc/monasca/notification.yaml'

-    config = yaml.load(open(config_file, 'r'))
+    config = yaml.safe_load(open(config_file, 'r'))

    # Setup logging
    logging.config.dictConfig(config['logging'])
--- a/monasca_notification/plugins/jira_notifier.py
+++ b/monasca_notification/plugins/jira_notifier.py
@ -83,7 +83,7 @@ class JiraNotifier(AbstractNotifier):
        if (not self.jira_fields_format and self._config.get("custom_formatter")):
            try:
                with open(self._config.get("custom_formatter")) as f:
-                    jira_fields_format = yaml.load(f)
+                    jira_fields_format = yaml.safe_load(f)
            except Exception:
                self._log.exception("Unable to read custom_formatter file. Check file location")
                raise