Replaces yaml.load() with yaml.safe_load()
Python objects returned by yaml.load() may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load() restricts the result to simple Python objects such as integers or lists. In ordered_load we add a custom loader class, so we have to keep using yaml.load; to make it safe, that class now derives from SafeLoader instead of Loader. Reference: https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html Co-Authored-By: Monty Taylor <mordred@inaugust.com> Change-Id: I3d5df9898c72c59ddab0ac7562b953e91f470220
parent
32101d84c1
commit
a9c8604bb8
|
@ -65,7 +65,8 @@ in both naming and ordering of parameters at every declaration.
|
|||
"""
|
||||
|
||||
|
||||
def ordered_load(stream, Loader=yaml.Loader, object_pairs_hook=OrderedDict):
|
||||
def ordered_load(
|
||||
stream, Loader=yaml.SafeLoader, object_pairs_hook=OrderedDict):
|
||||
"""Load yaml as an ordered dict
|
||||
|
||||
This allows us to inspect the order of the file on disk to make
|
||||
|
@ -299,7 +300,7 @@ class RestParametersDirective(Table):
|
|||
return
|
||||
|
||||
content = "\n".join(self.content)
|
||||
parsed = yaml.load(content)
|
||||
parsed = yaml.safe_load(content)
|
||||
# self.app.info("Params loaded is %s" % parsed)
|
||||
# self.app.info("Lookup table looks like %s" % lookup)
|
||||
new_content = list()
|
||||
|
|
|
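Review bot: Switching the default to `Loader=yaml.SafeLoader` in the new `ordered_load` signature only protects callers that rely on the default; any caller that passes `Loader=yaml.Loader` explicitly still gets full Python object construction, and the docstring that begins right after the signature does not say so. It is worth grepping the tree for explicit `Loader=` arguments to `ordered_load` and adding a docstring line such as `Loader should be yaml.SafeLoader or a subclass of it; the default is safe for untrusted input.` The body of `ordered_load`, where the custom class is presumably built on top of `Loader`, continues outside the hunk, so I cannot confirm how the base class is used there.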
@ -47,7 +47,7 @@ class HTTPResponseCodeDirective(Table):
|
|||
# self.app.info("Fpath: %s" % fpath)
|
||||
try:
|
||||
with open(fpath, 'r') as stream:
|
||||
lookup = yaml.load(stream)
|
||||
lookup = yaml.safe_load(stream)
|
||||
except IOError:
|
||||
self.env.warn(
|
||||
self.env.docname,
|
||||
|
@ -124,7 +124,7 @@ class HTTPResponseCodeDirective(Table):
|
|||
|
||||
def _load_codes(self):
|
||||
content = "\n".join(self.content)
|
||||
parsed = yaml.load(content)
|
||||
parsed = yaml.safe_load(content)
|
||||
|
||||
new_content = list()
|
||||
|
||||
|
|
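Review bot: The `try` around `lookup = yaml.safe_load(stream)` in the @ -47 hunk still catches only `IOError`, so a malformed lookup file raises an uncaught `yaml.YAMLError` out of the directive instead of producing the warning that an unreadable file does. A second branch, `except yaml.YAMLError as err:` that feeds the parse error into the same `self.env.warn(self.env.docname, ...)` call, would keep the failure mode consistent; the `warn` call and the rest of the method continue outside the hunk. The same unguarded parse of `"\n".join(self.content)` appears in `_load_codes` at @ -124 and in `RestParametersDirective` at @ -299, where a bad inline YAML block likewise surfaces as a raw traceback rather than a Sphinx warning.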