From ff8ae432653baaf3ee343669d2617e9968acb19f Mon Sep 17 00:00:00 2001
From: Luong Anh Tuan
Date: Mon, 16 Jan 2017 15:01:51 +0700
Subject: [PATCH] Replace yaml.load() with yaml.safe_load()

Avoid dangerous file parsing and object serialization libraries. yaml.load is the obvious function to use but it is dangerous[1] Because yaml.load return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load limits this ability to simple Python objects like integers or lists. In addition, Bandit flags yaml.load() as security risk so replace all occurrences with yaml.safe_load(). Thus I replace yaml.load() with yaml.safe_load()
[1]https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html
Change-Id: I84640973fd9f45a69d2b21f6d594cd5bf10660a6
Closes-Bug: #1634265
---
 bin/dib-lint | 2 +-
 elements/package-installs/bin/package-installs-squash | 2 +-
 elements/svc-map/bin/svc-map | 2 +-
 elements/svc-map/extra-data.d/10-merge-svc-map-files | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/bin/dib-lint b/bin/dib-lint
index c07ab99b..8d46a6de 100755
--- a/bin/dib-lint
+++ b/bin/dib-lint
@@ -233,7 +233,7 @@ for i in $(find elements -type f -name '*.yaml'); do
 import yaml
 import sys
 try:
- objs = yaml.load(open('$i'))
+ objs = yaml.safe_load(open('$i'))
 except yaml.parser.ParserError:
 sys.exit(1)
 "
diff --git a/elements/package-installs/bin/package-installs-squash b/elements/package-installs/bin/package-installs-squash
index eafdd9f4..949a8ae8 100755
--- a/elements/package-installs/bin/package-installs-squash
+++ b/elements/package-installs/bin/package-installs-squash
@@ -59,7 +59,7 @@ def collect_data(data, filename, element_name):
 try:
 objs = json.load(open(filename))
 except ValueError:
- objs = yaml.load(open(filename))
+ objs = yaml.safe_load(open(filename))
 for pkg_name, params in objs.items():
 if not params:
 params = {}
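Review bot: The handler on the context line `except yaml.parser.ParserError:` no longer matches the failure mode that yaml.safe_load introduces: a document carrying a non-standard tag (exactly what safe_load exists to reject) raises yaml.constructor.ConstructorError, and a tokenizer failure raises yaml.scanner.ScannerError, neither of which is a ParserError, so the lint check would die with a traceback instead of the intended `sys.exit(1)`. Catching the common base class, `except yaml.YAMLError:`, covers all three. The `open('$i')` handle on the changed line is also never closed; `with open('$i') as f:` / `objs = yaml.safe_load(f)` fixes that, and the same unclosed-handle pattern appears on both open() calls in the package-installs-squash hunk. The surrounding shell `for` loop and the Python snippet it builds start and end outside the hunk.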
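Review bot: The value produced by the changed line is consumed directly on the following context line, `for pkg_name, params in objs.items():`, but yaml.safe_load returns None for an empty or comment-only document, so an empty package-installs file would fail with AttributeError rather than being treated as declaring no packages. `with open(filename) as f:` / `objs = yaml.safe_load(f) or {}` would handle that case and also close the handle, which neither the JSON branch nor the YAML branch does today. The fallback is only entered on ValueError from json.load, so a YAML syntax error now propagates from this line as a yaml.YAMLError; presumably that is intended, and a one-line comment stating so would save the next reader the check. collect_data begins in the hunk header and continues past the hunk.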
diff --git a/elements/svc-map/bin/svc-map b/elements/svc-map/bin/svc-map
index 034c1fca..2df6ba91 100755
--- a/elements/svc-map/bin/svc-map
+++ b/elements/svc-map/bin/svc-map
@@ -24,7 +24,7 @@ def load_service_mapping(filepath="/usr/share/svc-map/services"):
 if not os.path.isfile(filepath):
 return {}
 with open(filepath, 'r') as data_file:
- return yaml.load(data_file.read())
+ return yaml.safe_load(data_file.read())
 
 
 def main():
diff --git a/elements/svc-map/extra-data.d/10-merge-svc-map-files b/elements/svc-map/extra-data.d/10-merge-svc-map-files
index c8b0e034..35697685 100755
--- a/elements/svc-map/extra-data.d/10-merge-svc-map-files
+++ b/elements/svc-map/extra-data.d/10-merge-svc-map-files
@@ -70,7 +70,7 @@ def main():
 data_path = os.path.join(element_path, element, "svc-map")
 if os.path.exists(data_path):
 with open(data_path, 'r') as dataFile:
- data = yaml.load(dataFile.read())
+ data = yaml.safe_load(dataFile.read())
 try:
 service_names = merge_data(
 data,
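Review bot: `return yaml.safe_load(data_file.read())` yields None for an empty or comment-only services file, while the `isfile` guard two lines above returns `{}`, so load_service_mapping hands its callers two different types for "nothing to map". `return yaml.safe_load(data_file.read()) or {}` keeps the contract uniform; the same empty-document case applies to `data = yaml.safe_load(dataFile.read())` in the 10-merge-svc-map-files hunk, where the result is passed straight into merge_data. safe_load also accepts the open stream itself, so the `.read()` is not needed, though that is cosmetic. The function's callers are outside the hunk, so whether they already tolerate None cannot be confirmed from here.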
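Review bot: The handle name `dataFile` on the context line `with open(data_path, 'r') as dataFile:` is camelCase in a file whose other names are snake_case (`data_path`, `element_path`, `service_names`), and the sibling svc-map script in the same element calls the equivalent variable `data_file`; renaming it to `data_file` on that line and on the changed line, `data = yaml.safe_load(data_file.read())`, keeps the element consistent. main() and the `try:` block opened in the trailing context lines continue outside the hunk.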