Replaces yaml.load() with yaml.safe_load()

Yaml.load() return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load() limits this ability to simple Python objects like integers or lists. Reference: https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html Change-Id: I78fde872948d6838957e35765c3f182bd4b9b512
2017-02-04 18:21:33 +08:00 · 2017-02-04 18:21:33 +08:00 · 64a549e6db
commit 64a549e6db
parent 49ccdbeb2c
1 changed files with 2 additions and 2 deletions
--- a/generate_requirements/generate_requirements.py
+++ b/generate_requirements/generate_requirements.py
@ -37,7 +37,7 @@ DEVNULL = open(os.devnull, 'w')

 # load the yaml file
 with io.open(filename, 'rb') as f:
-    roles = yaml.load(f)
+    roles = yaml.safe_load(f)

 role_names = []
 role_dict = {}
@ -87,7 +87,7 @@ for role in role_names:
        # Try to read the dependencies from the role's meta/main.yml
        try:
            with io.open(os.path.join(role, "meta", "main.yml")) as f:
-                y = yaml.load(f)
+                y = yaml.safe_load(f)
            for dep in y['dependencies']:
                try:
                    dep = dep['role']