Using yaml.safe_load instead of yaml.load

It is not safe to call yaml.load with any data received from an untrusted source, we'd better use yaml.safe_load Reference: https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html Change-Id: Ie921dc046b09493029b2724c39f1f717b37992e4
2017-02-07 11:40:08 +08:00 · 2017-02-07 11:40:08 +08:00 · 5f3cad6c9b
commit 5f3cad6c9b
parent 9795a5f281
2 changed files with 3 additions and 3 deletions
--- a/scripts/run-playbooks.sh
+++ b/scripts/run-playbooks.sh
@ -49,7 +49,7 @@ function get_includes {
  /opt/ansible-runtime/bin/python <<EOC
 import yaml
 with open("${1}") as f:
-    yaml_list = yaml.load(f.read())
+    yaml_list = yaml.safe_load(f.read())
 for item in yaml_list:
    _item = '---\n' + yaml.safe_dump([item], default_flow_style=False, width=1000)
    print(repr(_item).strip("'").strip('"'))
@ -60,7 +60,7 @@ function get_include_file {
  /opt/ansible-runtime/bin/python <<EOC
 import yaml
 with open("${1}") as f:
-    yaml_list = yaml.load(f.read())
+    yaml_list = yaml.safe_load(f.read())
 print(yaml_list[0]['include'])
 EOC
 }
--- a/tests/test_inventory.py
+++ b/tests/test_inventory.py
@ -1306,7 +1306,7 @@ class TestInventoryGroupConstraints(unittest.TestCase):
                - compute_hosts
        """

-        bad_env = yaml.load(override)
+        bad_env = yaml.safe_load(override)

        # This is essentially what load_environment does, after all the file
        # system walking