Using yaml.safe_load instead of yaml.load

It is not safe to call yaml.load with any data received from
an untrusted source, we'd better use yaml.safe_load

Reference:
https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: I175ab89d408b38d5370621c0fd2cf78685e951f7

kolla_kubernetes/commands/cmd_resource.py

@@ -165,7 +165,7 @@ class ResourceTemplate(ResourceBase):
 
                 # Execute the command
                 out, err = utils.ExecUtils.exec_command(cmd)
-                y = yaml.load(out)
+                y = yaml.safe_load(out)
                 y['metadata']['namespace'] = variables[nsname]
 
                 res = y
@@ -175,7 +175,7 @@ class ResourceTemplate(ResourceBase):
                     variables,
                     utils.FileUtils.read_string_from_file(
                         rt.getTemplatePath()))
-                res = yaml.load(raw_doc)
+                res = yaml.safe_load(raw_doc)
 
             if args.debug_container is not None:
                 y = res
@@ -322,7 +322,7 @@ class Resource(ResourceTemplate):
 
     def take_action(self, args):
         tmpl = super(Resource, self).take_action(args, skip_and_return=True)
-        y = yaml.load(tmpl)
+        y = yaml.safe_load(tmpl)
         kind = y['kind']
         if kind == 'List':
             first_item = y['items'][0]

kolla_kubernetes/tests/test_helm_templates.py

@@ -40,7 +40,7 @@ class TestK8sTemplatesTest(base.BaseTestCase):
         for package in packages:
             print("    %s" % package)
             with open(os.path.join(microdir, package, 'Chart.yaml')) as stream:
-                version = yaml.load(stream)['version']
+                version = yaml.safe_load(stream)['version']
 
             cmd = "%s template %s/%s-%s.tgz" % (helmbin, repodir,
                                                 package, version)
@@ -48,7 +48,7 @@ class TestK8sTemplatesTest(base.BaseTestCase):
             if err:
                 raise err
 
-            l = yaml.load_all(out)
+            l = yaml.safe_load_all(out)
             for y in l:
                 js = '[]'
                 try:

kolla_kubernetes/tests/test_templates.py

@@ -126,7 +126,7 @@ class TestTemplatesTest(base.BaseTestCase):
 
         def func(args, o):
             # Check if template is yaml
-            y = yaml.load(o)
+            y = yaml.safe_load(o)
             js = '[]'
             try:
                 # If there is an alpha init container, validate it is proper

tests/bin/cleanup_tests.sh

@@ -20,7 +20,7 @@ if [ $(openstack user list --column Name --format value | grep $1 | wc -l) -ne 0
    exit -1
 fi
 user='root'
-password=$(python -c 'import yaml; print yaml.load(open("/etc/kolla/passwords.yml"))["database_password"]')
+password=$(python -c 'import yaml; print yaml.safe_load(open("/etc/kolla/passwords.yml"))["database_password"]')
 if [ $(kubectl exec mariadb-0 -n kolla -- mysql --user=$user --password=$password -e 'show databases;' | grep $1 | wc -l) -ne 0 ]; then
    exit -1
 fi

tools/build_example_yaml.py

@@ -50,7 +50,7 @@ def main():
     for package in [p for p in microservices if _isdir(microdir, p)]:
         values_file = os.path.join(microdir, package, "values.yaml")
         with open(values_file, "r") as f:
-            package_values = yaml.load(f)
+            package_values = yaml.safe_load(f)
             merge_dict(values, package_values)
 
     # Remove some package specific values:

tools/helm_prebuild_microservices.py

@@ -128,7 +128,7 @@ def main():
     srcdir = os.path.join(path, "..", "helm")
     microdir = os.path.join(srcdir, "microservice")
     microservices = os.listdir(microdir)
-    values = yaml.load(open(os.path.join(srcdir, "all_values.yaml")))
+    values = yaml.safe_load(open(os.path.join(srcdir, "all_values.yaml")))
 
     packages = [p for p in microservices if _isdir(microdir, p)]
     count = 1