From 50135a8017a5cd4147c6a5457c30102cb427845c Mon Sep 17 00:00:00 2001
From: Nguyen Hung Phuong
Date: Tue, 13 Feb 2018 13:15:01 +0700
Subject: [PATCH] Replaces yaml.load() with yaml.safe_load()

Yaml.load() return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load() limits this ability to simple Python objects like integers or lists.

Reference: https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: Ifc5c911170c6d173c3ab8f387a63d5089c0aac13
---
 list_oslo_projects.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/list_oslo_projects.py b/list_oslo_projects.py
index 3eae67e..50848c2 100755
--- a/list_oslo_projects.py
+++ b/list_oslo_projects.py
@@ -32,7 +32,7 @@ def main():
 'governance'))
 project_input = os.path.join(gov_repo, 'reference/projects.yaml')
 with open(project_input, 'r') as f:
- project = yaml.load(f.read())
+ project = yaml.safe_load(f.read())
 repos = []
 for v in project['oslo']['deliverables'].values():