Replace yaml.load() with yaml.safe_load()

Avoid dangerous file parsing and object serialization libraries.
yaml.load is the obvious function to use, but it is dangerous[1]:
because yaml.load returns Python objects, it may be dangerous if you
receive a YAML document from an untrusted source such as the
Internet. The function yaml.safe_load limits this ability to
simple Python objects like integers or lists.

In addition, Bandit flags yaml.load() as security risk so replace
all occurrences with yaml.safe_load(). Thus I replace yaml.load()
with yaml.safe_load()

[1]https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: I84640973fd9f45a69d2b21f6d594cd5bf10660a6
Closes-Bug: #1634265
Luong Anh Tuan 2017-01-16 15:01:51 +07:00
parent 50941b13bc
commit ff8ae43265
4 changed files with 4 additions and 4 deletions


@ -233,7 +233,7 @@ for i in $(find elements -type f -name '*.yaml'); do
import yaml
import sys
try:
objs = yaml.load(open('$i'))
objs = yaml.safe_load(open('$i'))
except yaml.parser.ParserError:
sys.exit(1)
"
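Review bot: The new `objs = yaml.safe_load(open('$i'))` still leaves the file handle unclosed and relies on refcount collection to release it; the same pattern remains at the second hunk, `objs = yaml.safe_load(open(filename))` in collect_data. A `with` block fixes both, e.g. `with open('$i') as f:` followed by `objs = yaml.safe_load(f)`. Separately, safe_load rejects documents carrying non-standard tags with `yaml.constructor.ConstructorError`, which the `except yaml.parser.ParserError` on the next line does not cover; catching `yaml.YAMLError`, the common base class, keeps the explicit exit(1) path for every rejected document rather than an uncaught traceback. The enclosing shell loop and the embedded Python heredoc begin before this hunk.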


@ -59,7 +59,7 @@ def collect_data(data, filename, element_name):
try:
objs = json.load(open(filename))
except ValueError:
objs = yaml.load(open(filename))
objs = yaml.safe_load(open(filename))
for pkg_name, params in objs.items():
if not params:
params = {}
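Review bot: `yaml.safe_load` returns None for an empty document, so `objs.items()` on the following line raises AttributeError for an empty YAML file instead of a parse error; `objs = yaml.safe_load(open(filename)) or {}` keeps the loop's expectation that objs is a mapping. The same None result reaches `return yaml.safe_load(data_file.read())` in load_service_mapping (third hunk) and `data = yaml.safe_load(dataFile.read())` in main (fourth hunk), where the callers appear to expect a mapping; an `or {}` there would match load_service_mapping's own `return {}` for a missing file. collect_data's definition starts before this hunk and its loop body continues after it.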


@ -24,7 +24,7 @@ def load_service_mapping(filepath="/usr/share/svc-map/services"):
if not os.path.isfile(filepath):
return {}
with open(filepath, 'r') as data_file:
return yaml.load(data_file.read())
return yaml.safe_load(data_file.read())
def main():
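Review bot: `yaml.safe_load` accepts an open stream, so reading the whole file first with `data_file.read()` is an unnecessary copy of the document; `return yaml.safe_load(data_file)` is the idiomatic form, and the same applies to `data = yaml.safe_load(dataFile.read())` in the fourth hunk. load_service_mapping's signature appears only in the hunk header; its first lines are outside the hunk.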


@ -70,7 +70,7 @@ def main():
data_path = os.path.join(element_path, element, "svc-map")
if os.path.exists(data_path):
with open(data_path, 'r') as dataFile:
data = yaml.load(dataFile.read())
data = yaml.safe_load(dataFile.read())
try:
service_names = merge_data(
data,