Replaces yaml.load() with yaml.safe_load()

Yaml.load() return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load() limits this ability to simple Python objects like integers or lists. Reference: https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html Change-Id: I85c5a4e17bc79c62d946a1dd0c9e85b527961926 Partial-Bug: #1634265
2017-01-16 16:59:18 +07:00 · 2017-01-16 16:59:18 +07:00 · 40d02088e4
parent 72195791db
commit 40d02088e4
2 changed files with 2 additions and 2 deletions
--- a/tempest/cmd/workspace.py
+++ b/tempest/cmd/workspace.py
@ -151,7 +151,7 @@ class WorkspaceManager(object):
        if not os.path.isfile(self.path):
            return
        with open(self.path, 'r') as f:
-            self.workspaces = yaml.load(f) or {}
+            self.workspaces = yaml.safe_load(f) or {}


 class TempestWorkspace(command.Command):
--- a/tempest/common/preprov_creds.py
+++ b/tempest/common/preprov_creds.py
@ -33,7 +33,7 @@ LOG = logging.getLogger(__name__)
 def read_accounts_yaml(path):
    try:
        with open(path, 'r') as yaml_file:
-            accounts = yaml.load(yaml_file)
+            accounts = yaml.safe_load(yaml_file)
    except IOError:
        raise lib_exc.InvalidConfiguration(
            'The path for the test accounts file: %s '