From a2c1d16fe6f47dc3b425e67400d4086c57004eae Mon Sep 17 00:00:00 2001
From: Luong Anh Tuan
Date: Mon, 16 Jan 2017 16:03:54 +0700
Subject: [PATCH] Replace yaml.load() with yaml.safe_load()
Avoid dangerous file parsing and object serialization libraries. yaml.load is the obvious function to use but it is dangerous[1] Because yaml.load return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load limits this ability to simple Python objects like integers or lists. In addition, Bandit flags yaml.load() as security risk so replace all occurrences with yaml.safe_load(). Thus I replace yaml.load() with yaml.safe_load()
[1]https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html
Change-Id: Id83e2a28355ba09cf22ea4e422de9b39e4f03c5e
Closes-Bug: #1634265
---
 tripleoclient/v1/overcloud_deploy.py | 2 +-
 tripleoclient/v1/overcloud_netenv_validate.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/tripleoclient/v1/overcloud_deploy.py b/tripleoclient/v1/overcloud_deploy.py
index 085f48046..30f618102 100644
--- a/tripleoclient/v1/overcloud_deploy.py
+++ b/tripleoclient/v1/overcloud_deploy.py
@@ -71,7 +71,7 @@ class DeployOvercloud(command.Command):
 # Update parameters from answers file:
 if args.answers_file is not None:
 with open(args.answers_file, 'r') as answers_file:
- answers = yaml.load(answers_file)
+ answers = yaml.safe_load(answers_file)
 if args.templates is None:
 args.templates = answers['templates']
diff --git a/tripleoclient/v1/overcloud_netenv_validate.py b/tripleoclient/v1/overcloud_netenv_validate.py
index 03345cc33..34f77d8f7 100644
--- a/tripleoclient/v1/overcloud_netenv_validate.py
+++ b/tripleoclient/v1/overcloud_netenv_validate.py
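Review bot: `answers['templates']` two lines below the changed line still assumes the parsed document is a mapping, but `yaml.safe_load` returns `None` for an empty answers file and a scalar or list for a non-mapping one, so the subscript fails with a bare TypeError instead of a message naming the file, and a malformed file raises `yaml.YAMLError` that nothing in this hunk catches. Following the new line with `if not isinstance(answers, dict): raise ValueError('answers file %s is not a YAML mapping' % args.answers_file)` would make the failure explicit (the project may have a more fitting exception class than ValueError). The same unchecked document shape applies to `network_data` and `nic_data` in the two overcloud_netenv_validate.py hunks. The enclosing method starts before this hunk and continues after it, so how `answers` is consumed further on is not visible here.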
@@ -43,7 +43,7 @@ class ValidateOvercloudNetenv(command.Command):
 self.log.debug("take_action(%s)" % parsed_args)
 with open(parsed_args.netenv, 'r') as net_file:
- network_data = yaml.load(net_file)
+ network_data = yaml.safe_load(net_file)
 cidrinfo = {}
 poolsinfo = {}
@@ -162,7 +162,7 @@ class ValidateOvercloudNetenv(command.Command):
 def NIC_validate(self, resource, path):
 try:
 with open(path, 'r') as nic_file:
- nic_data = yaml.load(nic_file)
+ nic_data = yaml.safe_load(nic_file)
 except IOError:
 self.log.error(
 'The resource "%s" reference file does not exist: "%s"',
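Review bot: In NIC_validate the `try` around the `with open(...)` block catches only `IOError`, so after the switch to `yaml.safe_load` a referenced NIC file that exists but is not valid YAML escapes as an uncaught `yaml.YAMLError` and produces a traceback instead of the `self.log.error` path that a missing file gets. Adding `except yaml.YAMLError as exc:` with `self.log.error('The resource "%s" reference file "%s" is not valid YAML: %s', resource, path, exc)` and the same outcome as the IOError branch would keep malformed and missing files on one error path; that outcome is not visible here because the method continues past the end of the hunk. The parse error is raised by `safe_load` inside the `with` block, so the new clause belongs on this same `try`, after the IOError clause. The `network_data = yaml.safe_load(net_file)` line in the first hunk of this file has no `try` at all, so a malformed netenv file fails the same way there.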