Inherit custom yaml Loader from yaml.SafeLoader
Before this patch the yaql-enabled yaml Loader was inherited from yaml.Loader, which potentially allows creating arbitrary python objects from specifically formatted yaml tags. This could have happened whenever UI definitions of the package were processed. With this change the yaql yaml Loader no longer allows creating custom python objects.

Change-Id: I4fe38aa7e0fc567211ab872c7e1f8e81dbc3e765
Closes-Bug: #1586079
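As an added illustration of the distinction the commit message draws (this is not code from the Murano repository), the script below builds a loader the way the patch does, on top of yaml.SafeLoader with the implicit-resolver copy, and contrasts it with yaml.Loader on a document carrying a python-specific tag. The YaqlExpression class, the `!yaql` constructor body and both sample documents are constructed for this example.

```python
import yaml

# Constructed sample inputs (not taken from any Murano package).
TAGGED_DOC = "pair: !!python/tuple [1, 2]\n"        # a tag only the full loader honours
YAQL_DOC = "condition: !yaql 'len($.name) > 0'\n"   # the custom tag the loader must keep


class YaqlExpression(object):
    """Placeholder for the object Murano builds from a !yaql node (assumed)."""
    def __init__(self, expr):
        self.expr = expr


def make_loader_cls():
    # Mirrors the patched shape: the base is SafeLoader, not yaml.Loader.
    class Loader(yaml.SafeLoader):
        pass

    def yaql_constructor(loader, node):
        return YaqlExpression(loader.construct_scalar(node))

    # Workaround for PyYAML ticket 221: copy the implicit resolvers so that
    # add_implicit_resolver on this subclass cannot mutate SafeLoader's lists.
    resolvers = {}
    for k, v in yaml.SafeLoader.yaml_implicit_resolvers.items():
        resolvers[k] = v[:]
    Loader.yaml_implicit_resolvers = resolvers
    Loader.add_constructor('!yaql', yaql_constructor)
    return Loader


def load_with(loader_cls, text):
    """Return ('ok', value) or ('rejected', reason) for one YAML document."""
    try:
        return 'ok', yaml.load(text, Loader=loader_cls)
    except yaml.constructor.ConstructorError as exc:
        return 'rejected', exc.problem


def compare_loaders():
    """Before/after view: the python-tagged document under each loader."""
    return {
        'unsafe': load_with(yaml.Loader, TAGGED_DOC)[0],
        'safe': load_with(make_loader_cls(), TAGGED_DOC)[0],
    }
```

The safe loader still honours the registered `!yaql` tag while refusing every `!!python/...` tag, which is exactly the behaviour change the commit describes.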
This commit is contained in:
parent be227881e2
commit 0f3745415a
@ -63,7 +63,7 @@ def app_by_fqn(request, fqn, catalog=True):
def make_loader_cls():
class Loader(yaml.Loader):
class Loader(yaml.SafeLoader):
pass
def yaql_constructor(loader, node):
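Review bot: the new `class Loader(yaml.SafeLoader): pass` carries no comment explaining why SafeLoader is the base, so a later contributor could switch it back to `yaml.Loader` (or `yaml.CLoader`) without realising this reintroduces construction of arbitrary python objects from tagged YAML. Add a one-line comment on the class naming the bug it closes, e.g. `# SafeLoader only: the full Loader builds python objects from !!python tags (bug 1586079)`.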
@ -72,7 +72,7 @@ def make_loader_cls():
# workaround for PyYAML bug: http://pyyaml.org/ticket/221
resolvers = {}
for k, v in yaml.Loader.yaml_implicit_resolvers.items():
for k, v in yaml.SafeLoader.yaml_implicit_resolvers.items():
resolvers[k] = v[:]
Loader.yaml_implicit_resolvers = resolvers
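Review bot: the resolver copy now names `yaml.SafeLoader` a second time, so the base class is duplicated between the class statement above and this loop; if the base is ever changed again only one of the two would likely be updated. Since `Loader` inherits `yaml_implicit_resolvers` from its base, iterating `Loader.yaml_implicit_resolvers.items()` gives the same dict and removes the duplication, while the `v[:]` list copies remain necessary for the ticket 221 workaround.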
@ -0,0 +1,9 @@
---
security:
- cve-2016-4972 has been addressed. In ceveral places
Murano used loaders inherited directly from yaml.Loader
when parsing MuranoPL and UI files from packages.
This is unsafe, because this loader is capable of creating
custom python objects from specifically constructed
yaml files. With this change all yaml loading operations are done
using safe loaders instead.
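Review bot: typo in the first bullet line, "ceveral" should read "several". The note also states that "all yaml loading operations" now use safe loaders and that MuranoPL files are covered, while this diff changes only the single loader in `make_loader_cls` and the commit message speaks of UI definitions; either narrow the note to what this change does or reference the change that converts the MuranoPL loaders, so the release note stays accurate.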