Replace yaml.load() with yaml.safe_load()

Avoid dangerous file parsing and object serialization libraries.
yaml.load is the obvious function to use, but it is dangerous[1]:
yaml.load can construct arbitrary Python objects, which is dangerous
if you receive a YAML document from an untrusted source such as the
Internet. The function yaml.safe_load limits this ability to simple
Python objects like integers or lists.

In addition, Bandit flags yaml.load() as security risk so replace
all occurrences with yaml.safe_load(). Thus I replace yaml.load()
with yaml.safe_load()

[1]https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: Ife71148013d5f94ec5ae62633ff9a41f419bd3b7
Closes-Bug: #1634265
Luong Anh Tuan 2017-01-18 11:46:33 +07:00
parent ba0f3f6cc8
commit cf81bd39a6
5 changed files with 6 additions and 6 deletions


@ -19,7 +19,7 @@ import yaml
def yaml_to_dict(infile, k):
stream = open(infile, 'r')
rdict = yaml.load(stream)[k]
rdict = yaml.safe_load(stream)[k]
return rdict
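Review bot: The `stream` opened two lines above `rdict = yaml.safe_load(stream)[k]` is never closed, so every call to yaml_to_dict leaks a file handle until the garbage collector happens to reclaim it; wrap the read in a context manager: `with open(infile, 'r') as stream:` / `    return yaml.safe_load(stream)[k]`. Note also that yaml.safe_load returns None for an empty document, so the `[k]` subscript raises TypeError rather than KeyError in that case; if callers distinguish the two, an explicit guard is worth adding. yaml_to_dict appears to end at `return rdict`, but the rest of the module lies outside the hunk.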


@ -39,7 +39,7 @@ class TestOpenstack_catalog(testtools.TestCase):
return content_file.read()
def _read_file(self, file_name):
return yaml.load(self._read_raw_file(file_name))
return yaml.safe_load(self._read_raw_file(file_name))
def _verify_by_schema(self, file_name, schema):
data = self._read_file(file_name)
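Review bot: `_read_file` has no docstring saying that it returns the parsed YAML document rather than text, which is easy to confuse with `_read_raw_file` directly above it; add `"""Parse the YAML file named file_name and return the loaded document."""`. Because yaml.safe_load returns None for an empty file, `_verify_by_schema` would then validate None against the schema; an `self.assertIsNotNone(data)` before validation would make that failure mode obvious. The class starts before the hunk and `_verify_by_schema` continues past it.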


@ -3,7 +3,7 @@ asset_file="$1"
awk '{line+=1}/^ -/{end=line-1; if(start > 0){print start "," end}; count+=1;start=line;}END{print start "," line}' "$asset_file" | while read line; do
size=`echo $line | awk -F, '{print $2-$1+1}'`
end=`echo $line | awk -F, '{print $2}'`
name=`head -n $end "$asset_file" | tail -n $size | python -c 'import yaml,sys; print yaml.load(sys.stdin)[0]["name"]'`
name=`head -n $end "$asset_file" | tail -n $size | python -c 'import yaml,sys; print yaml.safe_load(sys.stdin)[0]["name"]'`
date=`git blame -w -L $line "$asset_file" | sed 's/^[^(]*(\([^)]*\)).*/\1/' | python -c 'import sys,dateutil.parser; print max([dateutil.parser.parse("%s %s%s"%(j[0], j[1], j[2])) for j in [i.split()[-4:] for i in sys.stdin.readlines()]])'`
#Dump out the name of the asset, and the last modified date as a json doc to stdout to be reassembled outside the loop into one document
(echo $name; echo $date) | python -c 'import sys,json; print json.dumps([i.strip() for i in sys.stdin.readlines()]),'
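Review bot: The asset name produced on the `name=` line is expanded unquoted in `(echo $name; echo $date)`, so a name containing whitespace is word-split and one containing `*` or `?` is glob-expanded against the current directory before it reaches the JSON encoder; quote both: `(echo "$name"; echo "$date")`. The same applies to `-L $line` and `tail -n $size`, though those values are numeric output from awk. The embedded one-liners still use the Python 2 `print` statement, so this script remains tied to a Python 2 interpreter after the change. The `while read line; do` loop is closed outside the hunk.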


@ -106,7 +106,7 @@ def main():
yaml.add_representer(OrderedDict, project_representer,
Dumper=IndentedDumper)
data = yaml.load(open('openstack_catalog/web/static/assets.yaml'))
data = yaml.safe_load(open('openstack_catalog/web/static/assets.yaml'))
assets = []
for a in data['assets']:
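Review bot: `data = yaml.safe_load(open('openstack_catalog/web/static/assets.yaml'))` opens the file and never closes it; use a context manager, `with open('openstack_catalog/web/static/assets.yaml') as f:` / `    data = yaml.safe_load(f)`. The path is relative, so the script presumably only works when run from the repository root; a comment saying so, or resolving it against `__file__`, would avoid a confusing FileNotFoundError. main() continues outside the hunk.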


@ -36,9 +36,9 @@ def dict_merge(a, b):
merge = {}
for f in args.files:
merge = dict_merge(merge, yaml.load(open(f))['assets'])
merge = dict_merge(merge, yaml.safe_load(open(f))['assets'])
y = yaml.load(sys.stdin)
y = yaml.safe_load(sys.stdin)
for a in y['assets']:
s = a['service']
if s['type'] == 'heat':
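Review bot: `yaml.safe_load(open(f))['assets']` inside the `for f in args.files` loop opens one file per iteration and never closes any of them; wrap the read: `with open(f) as fh:` / `    merge = dict_merge(merge, yaml.safe_load(fh)['assets'])`. On the next changed line, `yaml.safe_load(sys.stdin)` returns None when stdin is empty, so `y['assets']` fails with an unhelpful TypeError; a check such as `if not y: sys.exit('no YAML document on stdin')` would give a clear message. The enclosing block starts before the hunk and the `for a in y['assets']` loop runs past it.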