Inherit custom yaml Loader from yaml.SafeLoader

Before this patch the yaql-enabled yaml Loader was inherited from yaml.Loader, which
potentially allows creating arbitrary python objects from specifically
formatted yaml tags. This could have happened whenever UI definitions of
the package were processed.
With this change the yaql yaml-Loader no longer allows creating custom python objects.

Change-Id: I4fe38aa7e0fc567211ab872c7e1f8e81dbc3e765
Closes-Bug: #1586079
Kirill Zaitsev 2016-05-27 00:11:28 +03:00
parent be227881e2
commit 0f3745415a
2 changed files with 11 additions and 2 deletions
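The difference the commit describes, as an added example that is not Murano's code: the same yaql-aware loader factory is built once on top of yaml.Loader and once on top of yaml.SafeLoader, then fed a constructed UI file that carries a `!!python/object/apply:` tag. The YaqlExpression class, the convention that plain scalars beginning with `$` are yaql expressions, and the sample documents are assumptions made for the example; `os.getcwd` is used as the callable so that the unsafe loader actually executing it is harmless. Requires PyYAML.

```python
import re

import yaml


class YaqlExpression:
    """Assumed stand-in for the object Murano builds from a !yaql tag.

    It only records the expression text; nothing is evaluated at load time.
    """

    def __init__(self, expr):
        self.expr = expr

    def __eq__(self, other):
        return isinstance(other, YaqlExpression) and other.expr == self.expr

    def __repr__(self):
        return "YaqlExpression(%r)" % self.expr


def make_loader_cls(base):
    """Build a yaql-aware Loader on top of `base` (yaml.Loader or yaml.SafeLoader)."""

    class Loader(base):
        pass

    def yaql_constructor(loader, node):
        # Construct the scalar and wrap it; no evaluation happens here.
        return YaqlExpression(loader.construct_scalar(node))

    # Workaround for PyYAML ticket 221: give the subclass its own copy of the
    # resolver table so add_implicit_resolver cannot mutate the base class's.
    resolvers = {}
    for k, v in base.yaml_implicit_resolvers.items():
        resolvers[k] = v[:]
    Loader.yaml_implicit_resolvers = resolvers

    Loader.add_constructor("!yaql", yaql_constructor)
    # Assumed convention: plain scalars starting with '$' are yaql expressions.
    Loader.add_implicit_resolver("!yaql", re.compile(r"^\$.*$"), ["$"])
    return Loader


# Constructed sample UI definition: the '$' scalar and the !yaql tag are the
# legitimate package content such a loader has to keep accepting.
BENIGN_UI = """\
Name: demo
value: $.foo
expr: !yaql '$.bar'
"""

# Constructed hostile input in the shape of the bug: a python/object/apply tag.
# os.getcwd is used so that executing it under the unsafe loader is harmless.
HOSTILE_UI = """\
payload: !!python/object/apply:os.getcwd []
"""


def load_ui(text, base=yaml.SafeLoader):
    """Load a UI document with a loader derived from `base`."""
    return yaml.load(text, Loader=make_loader_cls(base))


def unsafe_loader_runs_callable():
    """True if the yaml.Loader-based loader called os.getcwd() while parsing."""
    data = load_ui(HOSTILE_UI, base=yaml.Loader)
    return isinstance(data["payload"], str)


def safe_loader_rejects_callable():
    """True if the yaml.SafeLoader-based loader refuses the python/* tag."""
    try:
        load_ui(HOSTILE_UI, base=yaml.SafeLoader)
    except yaml.constructor.ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print(load_ui(BENIGN_UI))
    print("yaml.Loader executed the tag:", unsafe_loader_runs_callable())
    print("yaml.SafeLoader rejected the tag:", safe_loader_rejects_callable())
```

The benign document loads identically under both bases, which is the property a regression test for this change should assert alongside the ConstructorError on the hostile one: the custom `!yaql` constructor sits on top of the safe loader, so the only tags a package can reach are the ones the factory registers itself.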


@ -63,7 +63,7 @@ def app_by_fqn(request, fqn, catalog=True):
def make_loader_cls():
class Loader(yaml.Loader):
class Loader(yaml.SafeLoader):
pass
def yaql_constructor(loader, node):
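Review bot: switching the base to yaml.SafeLoader drops the python/* constructors, but yaql_constructor is still registered on top of it, so whatever it builds from a `!yaql` tag stays reachable from package-supplied UI files; a one-line comment here stating that the constructor only wraps the scalar into a yaql expression object and does not evaluate it at load time would make the remaining trust boundary explicit, and the change deserves a regression test asserting that a `!!python/object/apply:` tag now raises yaml.constructor.ConstructorError from make_loader_cls().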
@ -72,7 +72,7 @@ def make_loader_cls():
# workaround for PyYAML bug: http://pyyaml.org/ticket/221
resolvers = {}
for k, v in yaml.Loader.yaml_implicit_resolvers.items():
for k, v in yaml.SafeLoader.yaml_implicit_resolvers.items():
resolvers[k] = v[:]
Loader.yaml_implicit_resolvers = resolvers
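Review bot: the resolver copy now reads from yaml.SafeLoader, matching the new base class, but the base is still spelled out twice (in the class statement and in this loop), which is how the two drifted apart to begin with; consider naming the base once (e.g. `base = yaml.SafeLoader` and `class Loader(base)`, then `base.yaml_implicit_resolvers`) or iterating over `Loader.__bases__[0].yaml_implicit_resolvers` so the ticket-221 workaround can never copy from a different loader than the one being subclassed.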


@ -0,0 +1,9 @@
---
security:
- cve-2016-4972 has been addressed. In ceveral places
Murano used loaders inherited directly from yaml.Loader
when parsing MuranoPL and UI files from packages.
This is unsafe, because this loader is capable of creating
custom python objects from specifically constructed
yaml files. With this change all yaml loading operations are done
using safe loaders instead.
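Review bot: release notes are published verbatim, so "ceveral" should be "several" and the identifier should be written "CVE-2016-4972". The note also says unsafe loaders were used "in several places" for both MuranoPL and UI files, while this commit changes a single loader in one code file (2 files changed, one of them this note); either reference the companion change that covers the other loaders or narrow the wording to the UI-definition loader fixed here.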