Replace yaml.load() with yaml.safe_load()
Avoid dangerous file parsing and object serialization libraries. yaml.load is the obvious function to use but it is dangerous[1] Because yaml.load return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load limits this ability to simple Python objects like integers or lists. In addition, Bandit flags yaml.load() as security risk so replace all occurrences with yaml.safe_load(). Thus I replace yaml.load() with yaml.safe_load() [1]https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html Change-Id: I84640973fd9f45a69d2b21f6d594cd5bf10660a6 Closes-Bug: #1634265
This commit is contained in:
parent
50941b13bc
commit
ff8ae43265
4 changed files with 4 additions and 4 deletions
|
@ -233,7 +233,7 @@ for i in $(find elements -type f -name '*.yaml'); do
|
|||
import yaml
|
||||
import sys
|
||||
try:
|
||||
objs = yaml.load(open('$i'))
|
||||
objs = yaml.safe_load(open('$i'))
|
||||
except yaml.parser.ParserError:
|
||||
sys.exit(1)
|
||||
"
|
||||
|
|
|
@ -59,7 +59,7 @@ def collect_data(data, filename, element_name):
|
|||
try:
|
||||
objs = json.load(open(filename))
|
||||
except ValueError:
|
||||
objs = yaml.load(open(filename))
|
||||
objs = yaml.safe_load(open(filename))
|
||||
for pkg_name, params in objs.items():
|
||||
if not params:
|
||||
params = {}
|
||||
|
|
|
@ -24,7 +24,7 @@ def load_service_mapping(filepath="/usr/share/svc-map/services"):
|
|||
if not os.path.isfile(filepath):
|
||||
return {}
|
||||
with open(filepath, 'r') as data_file:
|
||||
return yaml.load(data_file.read())
|
||||
return yaml.safe_load(data_file.read())
|
||||
|
||||
|
||||
def main():
|
||||
|
|
|
@ -70,7 +70,7 @@ def main():
|
|||
data_path = os.path.join(element_path, element, "svc-map")
|
||||
if os.path.exists(data_path):
|
||||
with open(data_path, 'r') as dataFile:
|
||||
data = yaml.load(dataFile.read())
|
||||
data = yaml.safe_load(dataFile.read())
|
||||
try:
|
||||
service_names = merge_data(
|
||||
data,
|
||||
|
|
Loading…
Reference in a new issue