Replace yaml.load() with yaml.safe_load()

Avoid dangerous file parsing and object serialization libraries.
yaml.load is the obvious function to use, but it is dangerous[1],
because the Python object that yaml.load returns may be dangerous if you
receive a YAML document from an untrusted source such as the
Internet. The function yaml.safe_load limits this ability to
simple Python objects like integers or lists.

In addition, Bandit flags yaml.load() as a security risk, so replace
all occurrences with yaml.safe_load(). Thus I replace yaml.load()
with yaml.safe_load().

[1]https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html
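An added example, not code from the Rally project or from this commit, showing what the change buys: a safe loader parses the plain plugin listing but refuses a document carrying a Python-specific tag, while the unsafe loader constructs it. It assumes PyYAML 5.1 or newer (yaml.UnsafeLoader exists) and uses constructed sample documents.

```python
"""Why yaml.safe_load() is the right call for output you do not control."""
import yaml

# Constructed sample: the shape of a plugin listing the parsed output is
# expected to have (plain mappings and lists only).
PLUGIN_LIST_DOC = """\
- name: example-plugin
  entry_point: example_plugin
"""

# Constructed sample carrying a Python-specific tag. The tag itself is
# harmless (it builds a tuple), but any !!python/* tag means the loader is
# instantiating Python types chosen by whoever wrote the document.
TAGGED_DOC = "value: !!python/tuple [1, 2]\n"


def parse_plugin_list(output):
    """Parse verifier output the safe way: only plain YAML types come back.

    ConstructorError (unknown tag) and syntax errors are both YAMLError
    subclasses, so a tagged document is rejected here rather than constructed.
    """
    try:
        return yaml.safe_load(output)
    except yaml.YAMLError as exc:
        raise ValueError("Cannot parse Tempest plugin list: %s" % exc)


def loader_accepts_tagged_doc(loader_name):
    """Return True if the named PyYAML loader constructs TAGGED_DOC.

    loader_name is looked up on the yaml module, e.g. "SafeLoader" or
    "UnsafeLoader" (the latter exists in PyYAML >= 5.1).
    """
    loader = getattr(yaml, loader_name)
    try:
        yaml.load(TAGGED_DOC, Loader=loader)
    except yaml.YAMLError:
        return False
    return True


if __name__ == "__main__":
    print(parse_plugin_list(PLUGIN_LIST_DOC))
    print("SafeLoader accepts tag:", loader_accepts_tagged_doc("SafeLoader"))
    print("UnsafeLoader accepts tag:", loader_accepts_tagged_doc("UnsafeLoader"))
```

Bandit's check only looks for the yaml.load() call site, so a module that passes Bandit still needs the parse-failure path tested, as parse_plugin_list does above.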

Change-Id: I4aac907c2a7ecf9a3f85a1a07ca020df6eb0b756
Closes-Bug: #1634265
Luong Anh Tuan 2017-01-16 16:14:38 +07:00
parent f523285dd0
commit 8cec258b80
1 changed file with 1 addition and 1 deletion


@ -121,7 +121,7 @@ class TempestManager(testr.TestrLauncher):
"Cannot list installed Tempest plugins for verifier %s." %
self.verifier)
return yaml.load(output)
return yaml.safe_load(output)
def uninstall_extension(self, name):
"""Uninstall a Tempest plugin."""