Use yaml.SafeLoader instead of yaml.Loader

Before this patch yaml.Loader was used by the client to create custom yaql-enabled yaml loader. It is unsfae do to so, because yaml.Loader is capable of creating custom python objects from specifically constructed yaml files. UI parsing functions also fell back to yaml.Loader if the custom loader was not supplied. After this patch all yaml load operations are performed with safe loaders instead. Change-Id: Id9bb6eabda35522271ec394f8758a974878cbb4b Closes-Bug: #1586078
2016-05-27 01:04:31 +03:00 · 2016-05-27 01:04:31 +03:00 · cd182ba363
parent 8b3176ec0d
commit cd182ba363
5 changed files with 14 additions and 5 deletions
--- a/muranoclient/common/utils.py
+++ b/muranoclient/common/utils.py
@ -685,12 +685,12 @@ class Bundle(FileWrapperMixin):
            yield pkg_obj


-class YaqlYamlLoader(yaml.Loader):
+class YaqlYamlLoader(yaml.SafeLoader):
    pass

 # workaround for PyYAML bug: http://pyyaml.org/ticket/221
 resolvers = {}
-for k, v in yaml.Loader.yaml_implicit_resolvers.items():
+for k, v in yaml.SafeLoader.yaml_implicit_resolvers.items():
    resolvers[k] = v[:]
 YaqlYamlLoader.yaml_implicit_resolvers = resolvers

--- a/muranoclient/v1/artifact_packages.py
+++ b/muranoclient/v1/artifact_packages.py
@ -209,7 +209,7 @@ class ArtifactRepo(object):
        ui_stream = "".join(
            self.client.artifacts.download_blob(app_id, 'ui_definition'))
        if loader_cls is None:
-            loader_cls = yaml.Loader
+            loader_cls = yaml.SafeLoader
        return yaml.load(ui_stream, loader_cls)

    def get_logo(self, app_id):
--- a/muranoclient/v1/package_creator/hot_package.py
+++ b/muranoclient/v1/package_creator/hot_package.py
@ -42,7 +42,7 @@ def generate_manifest(args):
        args.full_name = '{0}.{1}'.format(prefix, normalized_name)
    try:
        with open(args.template, 'rb') as heat_file:
-            yaml_content = yaml.load(heat_file)
+            yaml_content = yaml.safe_load(heat_file)
            if not args.description:
                args.description = yaml_content.get(
                    'description',
--- a/muranoclient/v1/packages.py
+++ b/muranoclient/v1/packages.py
@ -146,7 +146,7 @@ class PackageManager(base.Manager):

    def get_ui(self, app_id, loader_cls=None):
        if loader_cls is None:
-            loader_cls = yaml.Loader
+            loader_cls = yaml.SafeLoader

        url = '/v1/catalog/packages/{0}/ui'.format(app_id)
        response = self.api.request(url, 'GET')
--- a/releasenotes/notes/safeloader-cve-2016-4972-e3f7ad9b234655ca.yaml
+++ b/releasenotes/notes/safeloader-cve-2016-4972-e3f7ad9b234655ca.yaml
@ -0,0 +1,9 @@
+---
+security:
+  - cve-2016-4972 has been addressed. In ceveral places
+    Murano used loaders inherited directly from yaml.Loader
+    when parsing MuranoPL and UI files from packages.
+    This is unsafe, because this loader is capable of creating
+    custom python objects from specifically constructed
+    yaml files. With this change all yaml loading operations are done
+    using safe loaders instead.