Replaces yaml.load() with yaml.safe_load()

yaml.load() returning an arbitrary Python object may be dangerous if you receive
a YAML document from an untrusted source such as the Internet.
The function yaml.safe_load() limits this ability to simple Python
objects like integers or lists.

Reference:
https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: I78fde872948d6838957e35765c3f182bd4b9b512
gengchc2 2017-02-04 18:21:33 +08:00
parent 49ccdbeb2c
commit 64a549e6db


@ -37,7 +37,7 @@ DEVNULL = open(os.devnull, 'w')
# load the yaml file
with io.open(filename, 'rb') as f:
roles = yaml.load(f)
roles = yaml.safe_load(f)
role_names = []
role_dict = {}
@ -87,7 +87,7 @@ for role in role_names:
# Try to read the dependencies from the role's meta/main.yml
try:
with io.open(os.path.join(role, "meta", "main.yml")) as f:
y = yaml.load(f)
y = yaml.safe_load(f)
for dep in y['dependencies']:
try:
dep = dep['role']
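Review bot: After the new `y = yaml.safe_load(f)` in the second hunk, the next line `for dep in y['dependencies']:` still assumes the document is a mapping with that key; safe_load returns None for an empty meta/main.yml, which raises TypeError here, and a file without a `dependencies` key raises KeyError. The enclosing `try:` opens in the hunk but its `except` clause is outside it, so whether either error is handled cannot be seen from here. If dependency reading is meant to be best-effort, `for dep in (y or {}).get('dependencies') or []:` makes the empty-document, missing-key and `dependencies: null` cases explicit instead of relying on the handler. Separately, the first hunk opens its file with `'rb'` while this one uses the default text mode; both work with safe_load, but a consistent mode would read more clearly.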