Replaces yaml.load() with yaml.safe_load()

yaml.load() returns Python objects, which may be dangerous if you receive a YAML
document from an untrusted source such as the Internet. The function
yaml.safe_load() limits this ability to simple Python objects like integers or
lists.

Reference:
https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: Ia5d9f863dc2f0193c7095769b25101b4189a05c0
Nguyen Hung Phuong 2018-02-13 15:59:35 +07:00
parent 22e4d44314
commit 1008a51909
2 changed files with 5 additions and 5 deletions


@ -72,7 +72,7 @@ def open_network_environment_files(netenv_path, template_files):
errors = []
try:
network_data = yaml.load(template_files[netenv_path])
network_data = yaml.safe_load(template_files[netenv_path])
except Exception as e:
return ({}, {}, ["Can't open network environment file '{}': {}"
.format(netenv_path, e)])
@ -85,7 +85,7 @@ def open_network_environment_files(netenv_path, template_files):
try:
nic_configs.append((
nic_name, nic_config_path,
yaml.load(template_files[nic_config_path])))
yaml.safe_load(template_files[nic_config_path])))
except Exception as e:
errors.append(
"Can't open the resource '{}' reference file '{}': {}"
@ -471,8 +471,8 @@ def duplicate_static_ips(static_ips):
def validate_node_pool_size(plan_env_path, ip_pools_path, template_files):
warnings = []
plan_env = yaml.load(template_files[plan_env_path])
ip_pools = yaml.load(template_files[ip_pools_path])
plan_env = yaml.safe_load(template_files[plan_env_path])
ip_pools = yaml.safe_load(template_files[ip_pools_path])
param_defaults = plan_env.get('parameter_defaults')
node_counts = {
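Review bot: In the validate_node_pool_size hunk the two new calls `plan_env = yaml.safe_load(template_files[plan_env_path])` and `ip_pools = yaml.safe_load(template_files[ip_pools_path])` are not wrapped in a try/except, unlike the two hunks above in open_network_environment_files, so a malformed YAML document (yaml.YAMLError) or, presumably, a missing key in template_files propagates out of the validator instead of being reported as an error. Separately, safe_load returns None for an empty document, so `param_defaults = plan_env.get('parameter_defaults')` on the following line raises AttributeError rather than producing a warning. A minimal guard is `plan_env = yaml.safe_load(template_files[plan_env_path]) or {}` and `ip_pools = yaml.safe_load(template_files[ip_pools_path]) or {}`; wrapping both loads in the same try/except shape as the first two hunks would also make the three sites consistent, though the function's return shape is outside the hunk, so the error branch is left to the author. The same None-on-empty-document case applies to `data` in the vlan_exists_on_switch hunk of the second file, where the use of `data` lies outside the hunk. validate_node_pool_size's body continues past this hunk.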


@ -142,7 +142,7 @@ def vlan_exists_on_switch(vlan_id, introspection_data):
for node, content in introspection_data.items():
node_valid_lldp = False
try:
data = yaml.load(content)
data = yaml.safe_load(content)
except Exception as e:
return ["Can't open introspection data : {}" .format(e)], False