Replaces yaml.load() with yaml.safe_load()
yaml.load() returns a Python object, which may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load() limits this ability to simple Python objects like integers or lists. Reference: https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html Change-Id: Ia5d9f863dc2f0193c7095769b25101b4189a05c0
parent
22e4d44314
commit
1008a51909
@ -72,7 +72,7 @@ def open_network_environment_files(netenv_path, template_files):
errors = []
try:
network_data = yaml.load(template_files[netenv_path])
network_data = yaml.safe_load(template_files[netenv_path])
except Exception as e:
return ({}, {}, ["Can't open network environment file '{}': {}"
.format(netenv_path, e)])
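Review bot: The `except Exception as e` that wraps the new `yaml.safe_load(template_files[netenv_path])` call still catches everything, including the AttributeError or TypeError a programming mistake would raise, and reports it as an unreadable network environment file; narrowing it to the errors this statement can actually produce keeps the safe_load change from masking bugs. Assuming template_files is a dict of YAML text, that would be `except (KeyError, yaml.YAMLError) as e:`. The same broad catch surrounds the safe_load calls in the nic_configs hunk (@ -85) and in the introspection-data hunk (@ -142). The body of open_network_environment_files continues outside this hunk.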
@ -85,7 +85,7 @@ def open_network_environment_files(netenv_path, template_files):
try:
nic_configs.append((
nic_name, nic_config_path,
yaml.load(template_files[nic_config_path])))
yaml.safe_load(template_files[nic_config_path])))
except Exception as e:
errors.append(
"Can't open the resource '{}' reference file '{}': {}"
@ -471,8 +471,8 @@ def duplicate_static_ips(static_ips):
def validate_node_pool_size(plan_env_path, ip_pools_path, template_files):
warnings = []
plan_env = yaml.load(template_files[plan_env_path])
ip_pools = yaml.load(template_files[ip_pools_path])
plan_env = yaml.safe_load(template_files[plan_env_path])
ip_pools = yaml.safe_load(template_files[ip_pools_path])
param_defaults = plan_env.get('parameter_defaults')
node_counts = {
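Review bot: `plan_env.get('parameter_defaults')` two lines below the new `plan_env = yaml.safe_load(template_files[plan_env_path])` assumes the loaded document is a mapping, but `yaml.safe_load` returns None for an empty document and a list or scalar for other well-formed YAML, so a malformed plan-environment file raises AttributeError here instead of producing a validation result; unlike the other hunks, nothing catches errors around these two loads. A minimal guard is `plan_env = yaml.safe_load(template_files[plan_env_path]) or {}` and the same `or {}` on the `ip_pools` line, or an explicit `if not isinstance(plan_env, dict):` check that records the problem in `warnings` before returning. The function's return shape is not visible in the hunk, so I would confirm which of the two fits; validate_node_pool_size continues outside this hunk.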
@ -142,7 +142,7 @@ def vlan_exists_on_switch(vlan_id, introspection_data):
for node, content in introspection_data.items():
node_valid_lldp = False
try:
data = yaml.load(content)
data = yaml.safe_load(content)
except Exception as e:
return ["Can't open introspection data : {}" .format(e)], False