From 31c2a87e61daff1ab66270e858d2cf7a928d6669 Mon Sep 17 00:00:00 2001
From: gengchc2
Date: Sat, 4 Feb 2017 18:28:36 +0800
Subject: [PATCH] Replaces yaml.load() with yaml.safe_load() for fuel-agent

Yaml.load() return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load() limits this ability to simple Python objects like integers or lists.
Reference: https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html
Change-Id: I5fb95063402e5adffeee0c2ead7adfd44eb76179
---
 .../fuel_bootstrap_cli/fuel_bootstrap/settings.py | 2 +-
 fuel_agent/drivers/nailgun.py | 2 +-
 fuel_agent/utils/build.py | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/contrib/fuel_bootstrap/fuel_bootstrap_cli/fuel_bootstrap/settings.py b/contrib/fuel_bootstrap/fuel_bootstrap_cli/fuel_bootstrap/settings.py
index ac5d03df..3282ee61 100644
--- a/contrib/fuel_bootstrap/fuel_bootstrap_cli/fuel_bootstrap/settings.py
+++ b/contrib/fuel_bootstrap/fuel_bootstrap_cli/fuel_bootstrap/settings.py
@@ -28,7 +28,7 @@ class Configuration(object):
 data = {}
 if os.path.exists(config_file):
 with open(config_file) as f:
- data = yaml.load(f)
+ data = yaml.safe_load(f)
 else:
 # TODO(atolochkova): need to add logger
 sys.stderr.write("The config file couldn't be found: {0}"
diff --git a/fuel_agent/drivers/nailgun.py b/fuel_agent/drivers/nailgun.py
index 663adf3c..7222226d 100644
--- a/fuel_agent/drivers/nailgun.py
+++ b/fuel_agent/drivers/nailgun.py
@@ -664,7 +664,7 @@ class Nailgun(base.BaseDataDriver):
 '.yaml'
 metadata_url = urljoin(root_uri, filename)
 try:
- image_meta = yaml.load(
+ image_meta = yaml.safe_load(
 utils.init_http_request(metadata_url).text)
 except Exception as e:
 LOG.exception(e)
diff --git a/fuel_agent/utils/build.py b/fuel_agent/utils/build.py
index 3ee05326..82af3241 100644
--- a/fuel_agent/utils/build.py
+++ b/fuel_agent/utils/build.py
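Review bot: On the changed line of the settings.py hunk, `yaml.safe_load(f)` returns None for an empty or comment-only config file, so the `data = {}` default set three lines earlier is replaced by None and the empty-file case no longer behaves like the missing-file `else` branch. Keeping the default with `data = yaml.safe_load(f) or {}` closes that gap; a document whose top level is a list or scalar would still slip through, so an `isinstance(data, dict)` check is worth adding where `data` is consumed after the hunk. The same None result reaches `if attr not in data:` in the `parse_release_file` hunk and `data['runtime_uuid'] = uuid` in the `dump_runtime_uuid` hunk of build.py, where it raises TypeError rather than being handled. The method enclosing this hunk starts and ends outside it.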
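Review bot: The document loaded on the changed line of the nailgun.py hunk is fetched over HTTP from `metadata_url`, which makes `safe_load` the right loader, but its result is still whatever shape the server returned — None for an empty body, or a list or scalar — and nothing in the hunk validates it before `image_meta` is used. A check directly after the assignment, `if not isinstance(image_meta, dict):` followed by raising the driver's existing error type, would turn a malformed or truncated response into an explicit failure instead of a later attribute or key error. Since the surrounding `except Exception` only logs, what happens to `image_meta` after a parse failure depends on code outside the hunk and is worth confirming. The enclosing method starts and ends outside the hunk.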
@@ -430,7 +430,7 @@ def parse_release_file(content):
 # multivalued field. so we can parse it just like yaml
 # and then perform additional transformation for those
 # fields (we know which ones are multivalues).
- data = yaml.load(content)
+ data = yaml.safe_load(content)

 for attr, columns in six.iteritems(_multivalued_fields):
 if attr not in data:
@@ -870,7 +870,7 @@ def dump_runtime_uuid(uuid, config):
 utils.makedirs_if_not_exists(os.path.dirname(config))
 if os.path.isfile(config):
 with open(config, 'r') as f:
- data = yaml.load(f)
+ data = yaml.safe_load(f)
 data['runtime_uuid'] = uuid
 LOG.debug('Save runtime_uuid:%s to file: %s', uuid, config)
 with open(config, 'wt') as f: