Use SafeLoader to load yaml files

Before this patch yaml.Loader was used by the engine to create custom
yaql-enabled yaml loader. It is unsafe to do so, because yaml.Loader is
capable of creating custom python objects from specifically constructed
yaml files.
After this patch all yaml load operations are performed with safe
loaders instead.
Also use SafeConstructor instead of Constructor.

Change-Id: I61a3c42d73608b5d013285f015a45f4774d264e3
Closes-Bug: #1586079
Kirill Zaitsev 2016-05-27 00:42:38 +03:00
parent 15aa48db29
commit b03c4759aa
4 changed files with 14 additions and 5 deletions


@ -43,7 +43,7 @@ def get_loader(version):
node.end_mark.line + 1,
node.end_mark.column + 1)
class MuranoPlYamlConstructor(yaml.constructor.Constructor):
class MuranoPlYamlConstructor(yaml.constructor.SafeConstructor):
def construct_yaml_map(self, node):
data = MuranoPlDict()
data.source_file_position = build_position(node)
@ -51,7 +51,7 @@ def get_loader(version):
value = self.construct_mapping(node)
data.update(value)
class YaqlYamlLoader(yaml.Loader, MuranoPlYamlConstructor):
class YaqlYamlLoader(yaml.SafeLoader, MuranoPlYamlConstructor):
pass
YaqlYamlLoader.add_constructor(
@ -60,7 +60,7 @@ def get_loader(version):
# workaround for PyYAML bug: http://pyyaml.org/ticket/221
resolvers = {}
for k, v in yaml.Loader.yaml_implicit_resolvers.items():
for k, v in yaml.SafeLoader.yaml_implicit_resolvers.items():
resolvers[k] = v[:]
YaqlYamlLoader.yaml_implicit_resolvers = resolvers
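Review bot: The new `class YaqlYamlLoader(yaml.SafeLoader, MuranoPlYamlConstructor):` line carries no comment saying why the safe base classes are required, which leaves the door open for a later "convenience" change back to `yaml.Loader`; the same applies to the `SafeConstructor` base on the `MuranoPlYamlConstructor` line in the first hunk. I would add above the class: `# SafeLoader/SafeConstructor on purpose: they refuse tags that instantiate arbitrary Python objects (CVE-2016-4972); every extra tag this loader accepts is registered explicitly via add_constructor below.` The third hunk also repeats the base-class name in `for k, v in yaml.SafeLoader.yaml_implicit_resolvers.items():`; reading `YaqlYamlLoader.yaml_implicit_resolvers` there would keep the resolver-copy workaround tied to whatever base the class actually uses (at that point it presumably still resolves to SafeLoader's dict, since no resolver has been added to the subclass yet). The body of get_loader continues outside these hunks.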


@ -247,7 +247,7 @@ class DeployTestMixin(zip_utils.ZipUtilsMixin):
"""
component = service.to_dict()
component = json.dumps(component)
return yaml.load(component)
return yaml.safe_load(component)
@classmethod
def get_service_id(cls, service):
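Review bot: `return yaml.safe_load(component)` parses a string that the line just above produced with `json.dumps`, so a YAML parser is being used to do the job of `json.loads`; the round trip reads as an accidental dependency on YAML rather than a deliberate step. If the aim is only to turn `service.to_dict()` into plain builtin types, `return json.loads(component)` states that directly and keeps the helper independent of the loader being hardened in this commit; if the YAML pass is intentional (for example to coerce scalar types the same way package files are read), a one-line comment saying so would stop the next reader from simplifying it away. Switching to the safe loader is correct either way. The enclosing method starts before this hunk; only the end of its docstring is visible.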


@ -87,7 +87,7 @@ class TestCongressRules(unittest.TestCase):
os.path.dirname(inspect.getfile(self.__class__)), file_name)
with open(model_file) as stream:
return yaml.load(stream)
return yaml.safe_load(stream)
def _create_rules_str(self, model_file, package_loader=None):
model = self._load_file(model_file)


@ -0,0 +1,9 @@
---
security:
- cve-2016-4972 has been addressed. In ceveral places
Murano used loaders inherited directly from yaml.Loader
when parsing MuranoPL and UI files from packages.
This is unsafe, because this loader is capable of creating
custom python objects from specifically constructed
yaml files. With this change all yaml loading operations are done
using safe loaders instead.