Replace yaml.load() with yaml.safe_load()

Avoid dangerous file parsing and object serialization libraries. yaml.load is the obvious function to use but it is dangerous[1] Because yaml.load return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load limits this ability to simple Python objects like integers or lists. In addition, Bandit flags yaml.load() as security risk so replace all occurrences with yaml.safe_load(). Thus I replace yaml.load() with yaml.safe_load() [1] https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html Change-Id: I9136d7bc684400e52ebf2cba3bd212a27c4954a2 Closes-Bug: #1634265
2017-01-18 09:37:53 +07:00 · 2017-01-18 09:37:53 +07:00 · 8c6ff61556
parent 0bf504066f
commit 8c6ff61556
1 changed files with 2 additions and 2 deletions
--- a/extensions/mistral/forms.py
+++ b/extensions/mistral/forms.py
@ -25,11 +25,11 @@ class BaseWorkbookForm(forms.SelfHandlingForm):

 class CreateWorkbookForm(BaseWorkbookForm):
    def handle(self, request, data):
-        json = yaml.load(data['workbook'])
+        json = yaml.safe_load(data['workbook'])
        return api.create_workbook(request, json)


 class EditWorkbookForm(BaseWorkbookForm):
    def handle(self, request, data):
-        json = yaml.load(data['workbook'])
+        json = yaml.safe_load(data['workbook'])
        return api.modify_workbook(request, json)