Use yaml.SafeLoader instead of yaml.Loader

Before this patch yaml.Loader was used by the client to create custom
yaql-enabled yaml loader. It is unsfae do to so, because yaml.Loader is
capable of creating custom python objects from specifically constructed
yaml files.
UI parsing functions also fell back to yaml.Loader if
the custom loader was not supplied.
After this patch all yaml load operations are performed with safe
loaders instead.

Change-Id: Id9bb6eabda35522271ec394f8758a974878cbb4b
Closes-Bug: #1586078
This commit is contained in:
Kirill Zaitsev 2016-05-27 01:04:31 +03:00
parent 8b3176ec0d
commit cd182ba363
5 changed files with 14 additions and 5 deletions

View File

@ -685,12 +685,12 @@ class Bundle(FileWrapperMixin):
yield pkg_obj yield pkg_obj
class YaqlYamlLoader(yaml.Loader): class YaqlYamlLoader(yaml.SafeLoader):
pass pass
# workaround for PyYAML bug: http://pyyaml.org/ticket/221 # workaround for PyYAML bug: http://pyyaml.org/ticket/221
resolvers = {} resolvers = {}
for k, v in yaml.Loader.yaml_implicit_resolvers.items(): for k, v in yaml.SafeLoader.yaml_implicit_resolvers.items():
resolvers[k] = v[:] resolvers[k] = v[:]
YaqlYamlLoader.yaml_implicit_resolvers = resolvers YaqlYamlLoader.yaml_implicit_resolvers = resolvers

View File

@ -209,7 +209,7 @@ class ArtifactRepo(object):
ui_stream = "".join( ui_stream = "".join(
self.client.artifacts.download_blob(app_id, 'ui_definition')) self.client.artifacts.download_blob(app_id, 'ui_definition'))
if loader_cls is None: if loader_cls is None:
loader_cls = yaml.Loader loader_cls = yaml.SafeLoader
return yaml.load(ui_stream, loader_cls) return yaml.load(ui_stream, loader_cls)
def get_logo(self, app_id): def get_logo(self, app_id):

View File

@ -42,7 +42,7 @@ def generate_manifest(args):
args.full_name = '{0}.{1}'.format(prefix, normalized_name) args.full_name = '{0}.{1}'.format(prefix, normalized_name)
try: try:
with open(args.template, 'rb') as heat_file: with open(args.template, 'rb') as heat_file:
yaml_content = yaml.load(heat_file) yaml_content = yaml.safe_load(heat_file)
if not args.description: if not args.description:
args.description = yaml_content.get( args.description = yaml_content.get(
'description', 'description',

View File

@ -146,7 +146,7 @@ class PackageManager(base.Manager):
def get_ui(self, app_id, loader_cls=None): def get_ui(self, app_id, loader_cls=None):
if loader_cls is None: if loader_cls is None:
loader_cls = yaml.Loader loader_cls = yaml.SafeLoader
url = '/v1/catalog/packages/{0}/ui'.format(app_id) url = '/v1/catalog/packages/{0}/ui'.format(app_id)
response = self.api.request(url, 'GET') response = self.api.request(url, 'GET')

View File

@ -0,0 +1,9 @@
---
security:
- cve-2016-4972 has been addressed. In ceveral places
Murano used loaders inherited directly from yaml.Loader
when parsing MuranoPL and UI files from packages.
This is unsafe, because this loader is capable of creating
custom python objects from specifically constructed
yaml files. With this change all yaml loading operations are done
using safe loaders instead.