Replaces yaml.load() with yaml.safe_load()

yaml.load() can return arbitrary Python objects, which may be dangerous if you receive
a YAML document from an untrusted source such as the Internet.
The function yaml.safe_load() limits this ability to simple Python
objects like integers or lists.

Reference:
https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: Ib825121510cc83384f738fb9eabd9821db57d28a
gengchc2 2017-02-04 11:38:01 +08:00
parent 80859a9349
commit e58f0dd180
2 changed files with 5 additions and 5 deletions


@ -48,7 +48,7 @@ class BaseImageManager(object):
for config_file in self.config_files:
if os.path.isfile(config_file):
with open(config_file) as cf:
data = yaml.load(cf.read()).get(section)
data = yaml.safe_load(cf.read()).get(section)
if not data:
return None
self.logger.debug('%s JSON: %s' % (section, str(data)))
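Review bot: The new line still calls `.get(section)` directly on whatever `yaml.safe_load()` returns, so an empty config file (where safe_load yields `None`) or a file whose top-level document is a list or scalar raises `AttributeError` instead of being treated as a missing section. Since safe_load now restricts the result to plain Python types, the shape check is cheap: `doc = yaml.safe_load(cf)` followed by `data = doc.get(section) if isinstance(doc, dict) else None`; passing the file object also avoids the intermediate `cf.read()` string. The updated tests patch `yaml.safe_load` with a fixed return value, so this path is not exercised there. The enclosing method begins before this hunk.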


@ -26,7 +26,7 @@ class TestBaseImageManager(testbase.TestCase):
def setUp(self):
super(TestBaseImageManager, self).setUp()
@mock.patch('yaml.load', autospec=True)
@mock.patch('yaml.safe_load', autospec=True)
@mock.patch('os.path.isfile', autospec=True)
def test_load_config_files(self, mock_os_path_isfile, mock_yaml_load):
mock_yaml_load.return_value = fakes.create_disk_images()
@ -56,7 +56,7 @@ class TestBaseImageManager(testbase.TestCase):
@mock.patch('tripleo_common.image.base.BaseImageManager.APPEND_ATTRIBUTES',
['elements', 'options', 'packages', 'environment'])
@mock.patch('yaml.load', autospec=True)
@mock.patch('yaml.safe_load', autospec=True)
@mock.patch('os.path.isfile', autospec=True)
def test_load_config_files_multiple_files(self, mock_os_path_isfile,
mock_yaml_load):
@ -99,7 +99,7 @@ class TestBaseImageManager(testbase.TestCase):
'environment': {'test_env': '1', 'test_env2': '0'},
}], disk_images)
@mock.patch('yaml.load', autospec=True)
@mock.patch('yaml.safe_load', autospec=True)
@mock.patch('os.path.isfile', autospec=True)
def test_load_config_files_missing_image_name(self, mock_os_path_isfile,
mock_yaml_load):
@ -125,7 +125,7 @@ class TestBaseImageManager(testbase.TestCase):
self.assertRaises(ImageSpecificationException,
base_manager.load_config_files, 'disk_images')
@mock.patch('yaml.load', autospec=True)
@mock.patch('yaml.safe_load', autospec=True)
@mock.patch('os.path.isfile', autospec=True)
def test_load_config_files_single_image(self, mock_os_path_isfile,
mock_yaml_load):