From 08cd1fb33c854be1b976a5f013cc9749352f085f Mon Sep 17 00:00:00 2001
From: Sean McGinnis <sean.mcginnis@gmail.com>
Date: Mon, 27 Jul 2020 16:18:19 -0500
Subject: [PATCH] Switch to PyYaml safe_load

The load() call from PyYaml is considered a higher security risk in that
it uses the FullLoader. safe_load() is considered safer because it uses
the SafeLoader instead.

Since the 5.1 release of PyYaml added warning output when using load(),
this switches over to safe_load() to avoid the unnecessary noise.

Change-Id: I1949deed094822d2c2c56659eadb1fc5ea6a59e5
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
---
 tools/aclissues.py              | 4 ++--
 tools/aclmanager.py             | 2 +-
 tools/membership_freeze_test.py | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/tools/aclissues.py b/tools/aclissues.py
index c0603e033a..2ed5ce42a3 100755
--- a/tools/aclissues.py
+++ b/tools/aclissues.py
@@ -85,7 +85,7 @@ def main(args=sys.argv[1:]):
     projectsyaml = os.path.join(args.project_config_repo,
                                 'gerrit', 'projects.yaml')
     acl = {}
-    config = yaml.load(open(projectsyaml))
+    config = yaml.safe_load(open(projectsyaml))
     for project in config:
         aclfilename = project.get('acl-config')
         if aclfilename:
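Review bot: The file object passed to yaml.safe_load() on the added line is never closed, so the handle stays open until garbage collection; wrapping the read in a context manager keeps the new loader and fixes that: `with open(projectsyaml) as fh:` followed by `config = yaml.safe_load(fh)`. The same open-without-close pattern is in the second hunk of this file (governanceyaml) and in the tools/aclmanager.py hunk. yaml.safe_load() also returns None for an empty document, so the `for project in config:` loop that follows would raise TypeError on an empty projects.yaml; `config = yaml.safe_load(fh) or []` would tolerate that, if it is a case worth handling. main() starts before this hunk and continues past it.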
@@ -98,7 +98,7 @@ def main(args=sys.argv[1:]):
     aclbase = os.path.join(args.project_config_repo, 'gerrit', 'acls')
     governanceyaml = os.path.join(args.governance_repo,
                                   'reference', 'projects.yaml')
-    teams = yaml.load(open(governanceyaml))
+    teams = yaml.safe_load(open(governanceyaml))
     for tname, team in teams.items():
         if is_a_team_exception(tname):
             continue
diff --git a/tools/aclmanager.py b/tools/aclmanager.py
index 3deb80bcbb..80b706e094 100755
--- a/tools/aclmanager.py
+++ b/tools/aclmanager.py
@@ -72,7 +72,7 @@ label-Workflow = -1..+1 group {group}
     # Load repo/aclfile mapping from Gerrit config
     projectsyaml = os.path.join(args.repository, 'gerrit', 'projects.yaml')
     acl = {}
-    config = yaml.load(open(projectsyaml))
+    config = yaml.safe_load(open(projectsyaml))
     for project in config:
         aclfilename = project.get('acl-config')
         if aclfilename:
diff --git a/tools/membership_freeze_test.py b/tools/membership_freeze_test.py
index 47b999f164..4488c1ff19 100644
--- a/tools/membership_freeze_test.py
+++ b/tools/membership_freeze_test.py
@@ -37,7 +37,7 @@ def in_governance_but_not_released(args):
     dirs = [args.series, '_independent']
 
     with open(args.projects_yaml, 'r') as projects:
-        teams = yaml.load(projects)
+        teams = yaml.safe_load(projects)
         for tname, team in teams.items():
             if tname in TEAM_EXCEPTIONS:
                 continue
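Review bot: yaml.safe_load() returns None for an empty document, so `teams.items()` on the line after the changed one raises AttributeError if projects_yaml is empty; `teams = yaml.safe_load(projects) or {}` keeps the loop safe for that case. The file itself is already read inside a `with` block here, which is the pattern the other two files in this patch should follow. in_governance_but_not_released() starts before this hunk and continues past it.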