Use yaml.safe_load instead of yaml.load

We currently use yaml.load to read a user-written config file. This can lead to malicious code execution, so we should use yaml.safe_load instead. Found using bandit. Change-Id: I27792f0435bc3cb9b9d31846d07a8d47a1e7679d
2015-10-21 17:08:12 +02:00 · 2015-10-21 17:08:12 +02:00 · c4a7ac0b65
commit c4a7ac0b65
parent a3fa8ffec9
2 changed files with 4 additions and 4 deletions
--- a/oslo_messaging/notify/_impl_routing.py
+++ b/oslo_messaging/notify/_impl_routing.py
@ -61,7 +61,7 @@ class RoutingDriver(notifier.Driver):
            return

        # Infer which drivers are used from the config file.
-        self.routing_groups = yaml.load(
+        self.routing_groups = yaml.safe_load(
            self._get_notifier_config_file(filename))
        if not self.routing_groups:
            self.routing_groups = {}  # In case we got None from load()
--- a/oslo_messaging/tests/notify/test_notifier.py
+++ b/oslo_messaging/tests/notify/test_notifier.py
@ -412,7 +412,7 @@ group_1:
          - blah.zoo.*
          - zip
        """
-        groups = yaml.load(config)
+        groups = yaml.safe_load(config)
        group = groups['group_1']

        # No matching event ...
@ -443,7 +443,7 @@ group_1:
          - info
          - error
        """
-        groups = yaml.load(config)
+        groups = yaml.safe_load(config)
        group = groups['group_1']

        # No matching priority
@ -476,7 +476,7 @@ group_1:
      accepted_events:
          - foo.*
        """
-        groups = yaml.load(config)
+        groups = yaml.safe_load(config)
        group = groups['group_1']

        # Valid event, but no matching priority