From e470430814ceddadea66d2e4bb3a9b10b55869e6 Mon Sep 17 00:00:00 2001
From: Kirill Zaitsev
Date: Fri, 27 May 2016 01:04:31 +0300
Subject: [PATCH] Use yaml.SafeLoader instead of yaml.Loader

Before this patch yaml.Loader was used by the client to create custom yaql-enabled yaml loader. It is unsfae do to so, because yaml.Loader is capable of creating custom python objects from specifically constructed yaml files. UI parsing functions also fell back to yaml.Loader if the custom loader was not supplied. After this patch all yaml load operations are performed with safe loaders instead.

Change-Id: Id9bb6eabda35522271ec394f8758a974878cbb4b
Closes-Bug: #1586078
---
 muranoclient/common/utils.py | 4 ++--
 muranoclient/v1/artifact_packages.py | 2 +-
 muranoclient/v1/package_creator/hot_package.py | 2 +-
 muranoclient/v1/packages.py | 2 +-
 .../notes/safeloader-cve-2016-4972-0e3b733af0d2f49d.yaml | 9 +++++++++
 5 files changed, 14 insertions(+), 5 deletions(-)
 create mode 100644 releasenotes/notes/safeloader-cve-2016-4972-0e3b733af0d2f49d.yaml

diff --git a/muranoclient/common/utils.py b/muranoclient/common/utils.py
index 63cc00cc..0b17c073 100644
--- a/muranoclient/common/utils.py
+++ b/muranoclient/common/utils.py
@@ -605,12 +605,12 @@ class Bundle(FileWrapperMixin):
             yield pkg_obj
 
 
-class YaqlYamlLoader(yaml.Loader):
+class YaqlYamlLoader(yaml.SafeLoader):
     pass
 
 # workaround for PyYAML bug: http://pyyaml.org/ticket/221
 resolvers = {}
-for k, v in yaml.Loader.yaml_implicit_resolvers.items():
+for k, v in yaml.SafeLoader.yaml_implicit_resolvers.items():
     resolvers[k] = v[:]
 YaqlYamlLoader.yaml_implicit_resolvers = resolvers
 
diff --git a/muranoclient/v1/artifact_packages.py b/muranoclient/v1/artifact_packages.py
index c60b5479..7b082ab2 100644
--- a/muranoclient/v1/artifact_packages.py
+++ b/muranoclient/v1/artifact_packages.py
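Review bot: The new base class on `class YaqlYamlLoader(yaml.SafeLoader):` carries no explanation, and a `pass`-bodied subclass is exactly the kind of line a later "simplification" switches back to `yaml.Loader`; a comment on the class would protect the fix, e.g. `# Must stay a SafeLoader subclass: the full yaml.Loader honours !!python/* tags and can instantiate arbitrary objects from attacker-supplied package files.` The resolver-copy loop below it still appears to be needed with SafeLoader, since the linked PyYAML ticket concerns `add_implicit_resolver` mutating the dict shared with the base class, so the workaround comment should not be read as obsolete. Whatever constructors are registered on YaqlYamlLoader live outside this hunk, so I cannot confirm they are added through `add_constructor` rather than by assigning into the class dict. Package YAML that previously relied on `!!python/...` tags will now fail with `yaml.constructor.ConstructorError`; that is the intended outcome, but the docstring of whichever function calls `yaml.load` with this loader should say so.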
@@ -190,7 +190,7 @@ class ArtifactRepo(object):
         ui_stream = "".join(
             self.client.artifacts.download_blob(app_id, 'ui_definition'))
         if loader_cls is None:
-            loader_cls = yaml.Loader
+            loader_cls = yaml.SafeLoader
         return yaml.load(ui_stream, loader_cls)
 
     def get_logo(self, app_id):
diff --git a/muranoclient/v1/package_creator/hot_package.py b/muranoclient/v1/package_creator/hot_package.py
index 45e8350c..b375617f 100644
--- a/muranoclient/v1/package_creator/hot_package.py
+++ b/muranoclient/v1/package_creator/hot_package.py
@@ -43,7 +43,7 @@ def generate_manifest(args):
     args.full_name = '{0}.{1}'.format(prefix, normalized_name)
     try:
         with open(args.template, 'rb') as heat_file:
-            yaml_content = yaml.load(heat_file)
+            yaml_content = yaml.safe_load(heat_file)
         if not args.description:
             args.description = yaml_content.get(
                 'description',
diff --git a/muranoclient/v1/packages.py b/muranoclient/v1/packages.py
index 2581794d..ce052aa5 100644
--- a/muranoclient/v1/packages.py
+++ b/muranoclient/v1/packages.py
@@ -147,7 +147,7 @@ class PackageManager(base.Manager):
 
     def get_ui(self, app_id, loader_cls=None):
         if loader_cls is None:
-            loader_cls = yaml.Loader
+            loader_cls = yaml.SafeLoader
         url = '/v1/catalog/packages/{0}/ui'.format(app_id)
         response = self.api.raw_request('GET', url)
 
diff --git a/releasenotes/notes/safeloader-cve-2016-4972-0e3b733af0d2f49d.yaml b/releasenotes/notes/safeloader-cve-2016-4972-0e3b733af0d2f49d.yaml
new file mode 100644
index 00000000..f022c5c7
--- /dev/null
+++ b/releasenotes/notes/safeloader-cve-2016-4972-0e3b733af0d2f49d.yaml
@@ -0,0 +1,9 @@
+---
+security:
+  - cve-2016-4972 has been addressed. In ceveral places
+    Murano used loaders inherited directly from yaml.Loader
+    when parsing MuranoPL and UI files from packages.
+    This is unsafe, because this loader is capable of creating
+    custom python objects from specifically constructed
+    yaml files. With this change all yaml loading operations are done
+    using safe loaders instead.
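Review bot: The safe default in `loader_cls = yaml.SafeLoader` only covers the `None` case; `return yaml.load(ui_stream, loader_cls)` still hands whatever class the caller supplies to PyYAML, so a caller passing `yaml.Loader` or a subclass of it reopens the hole this commit closes for data that comes straight from the catalog service. The packages.py hunk (`PackageManager.get_ui`) has the same shape and the same gap. At minimum the parameter contract should be stated in the docstring, e.g. `:param loader_cls: loader class to parse the UI definition with; must be a safe loader (defaults to yaml.SafeLoader)` — an `issubclass(loader_cls, yaml.SafeLoader)` check would be stricter, but note it would also reject `yaml.CSafeLoader`, which does not inherit from `yaml.SafeLoader`. The signature of `get_ui` in artifact_packages.py sits above this hunk, so the docstring placement is not visible here.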
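Review bot: `yaml_content = yaml.safe_load(heat_file)` returns `None` for an empty template and a list or scalar for a non-mapping document, and the following `yaml_content.get('description', ...)` then raises `AttributeError` rather than reporting a bad template; the switch to safe_load does not change this, but it is the natural place to add a guard before the `if not args.description:` line, e.g. `if not isinstance(yaml_content, dict): raise ValueError('HOT template {0} must be a YAML mapping'.format(args.template))`. Whether the surrounding `try` already catches `AttributeError` cannot be seen here, as the `except` clause and the rest of `generate_manifest` lie below the hunk.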