From 6f75509f9cd953fc1b29e8dd20fe3769c565ab70 Mon Sep 17 00:00:00 2001
From: Nam Nguyen Hoai
Date: Wed, 18 Jan 2017 09:26:49 +0700
Subject: [PATCH] Replace yaml.load() with yaml.safe_load()

Avoid dangerous file parsing and object serialization libraries. yaml.load is the obvious function to use but it is dangerous[1] Because yaml.load return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load limits this ability to simple Python objects like integers or lists. In addition, Bandit flags yaml.load() as security risk so replace all occurrences with yaml.safe_load(). Thus I replace yaml.load() with yaml.safe_load()

[1] https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: I3f1a756e80b617ba1bcf824ef4dee9a27eb6887a
Closes-Bug: #1634265
---
 monasca_notification/main.py | 2 +-
 monasca_notification/plugins/jira_notifier.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/monasca_notification/main.py b/monasca_notification/main.py
index 629127f..bc86265 100644
--- a/monasca_notification/main.py
+++ b/monasca_notification/main.py
@@ -95,7 +95,7 @@ def main(argv=None):
 else:
 config_file = '/etc/monasca/notification.yaml'
- config = yaml.load(open(config_file, 'r'))
+ config = yaml.safe_load(open(config_file, 'r'))
 # Setup logging
 logging.config.dictConfig(config['logging'])
diff --git a/monasca_notification/plugins/jira_notifier.py b/monasca_notification/plugins/jira_notifier.py
index 9801db6..02a6bcd 100644
--- a/monasca_notification/plugins/jira_notifier.py
+++ b/monasca_notification/plugins/jira_notifier.py
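Review bot: The file handle opened inline on the new `+` line, `config = yaml.safe_load(open(config_file, 'r'))`, is never closed; the switch to safe_load carries that handle leak over unchanged. Use a context manager, as the jira_notifier hunk in this same commit already does: `with open(config_file, 'r') as f:` / `    config = yaml.safe_load(f)`. Note that `config['logging']` on the following context line will raise TypeError rather than a clear error if the file is empty (safe_load returns None for an empty document), so a short `if not config:` guard with a descriptive message may be worth adding, though that is beyond this commit's scope. The body of main() continues outside the hunk.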
@@ -83,7 +83,7 @@ class JiraNotifier(AbstractNotifier):
 if (not self.jira_fields_format and self._config.get("custom_formatter")):
 try:
 with open(self._config.get("custom_formatter")) as f:
- jira_fields_format = yaml.load(f)
+ jira_fields_format = yaml.safe_load(f)
 except Exception:
 self._log.exception("Unable to read custom_formatter file. Check file location")
 raise
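Review bot: The new `jira_fields_format = yaml.safe_load(f)` line can raise yaml.YAMLError on a malformed document, and the surrounding `except Exception:` then logs it as "Unable to read custom_formatter file. Check file location", which steers the operator toward the path rather than the file's contents. Consider widening the message, `self._log.exception("Unable to read or parse custom_formatter file. Check file location and YAML syntax")`, or catching `(IOError, yaml.YAMLError)` in separate clauses so the log distinguishes the two failures; re-raising is kept either way. The enclosing method starts before this hunk and the later use of jira_fields_format lies after it, so whether a None result from an empty document is handled there cannot be seen here.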