Replaces yaml.load() with yaml.safe_load()

yaml.load() returns Python objects, which may be dangerous if
you receive a YAML document from an untrusted source
such as the Internet. The function yaml.safe_load()
limits this ability to simple Python objects like
integers or lists.

Reference:
https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: I3fea784cb77c699b3262373cb0b7510f841795ac
gecong1973 2017-02-04 12:16:18 +08:00
parent 1ff2d1b4aa
commit 600e5abcfe
2 changed files with 2 additions and 2 deletions
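An added example (not code from this commit or from the project) showing the front-matter parsing the hunks perform, done with yaml.safe_load(), and how safe_load() refuses language-specific tags such as !!python/tuple while still returning plain dicts and lists for ordinary YAML. The yaml_boundary regex, the sample note and its id value are assumptions constructed for this example.

```python
import re
import yaml

# Constructed sample in the shape the hunks parse: a YAML front-matter
# block between '---' lines, followed by the RST body of the note.
SAMPLE_NOTE = """---
id: V-00000
status: implemented
tag: misc
---
This is the deployer note text.
"""

# Assumed boundary regex; the project's own yaml_boundary is not shown on this page.
yaml_boundary = re.compile(r'^-{3,}$', re.MULTILINE)


def parse_deployer_note(rst_file):
    """Split front matter from body and parse the metadata with safe_load,
    mirroring the post-change lines of the hunk."""
    _, metadata, text = yaml_boundary.split(rst_file, 2)
    post = yaml.safe_load(metadata)
    post['content'] = text
    return post


def safe_load_or_error(document):
    """Return ('ok', obj) when safe_load accepts the document, or
    ('rejected', message) when it refuses a tag outside the safe schema."""
    try:
        return 'ok', yaml.safe_load(document)
    except yaml.YAMLError as exc:
        # SafeLoader has no constructor for python/* tags, so it raises
        # ConstructorError instead of building arbitrary Python objects.
        return 'rejected', str(exc)


if __name__ == '__main__':
    print(parse_deployer_note(SAMPLE_NOTE))
    print(safe_load_or_error('a: 1\nb: [x, y]'))
    print(safe_load_or_error('t: !!python/tuple [1, 2]'))
```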


@ -143,7 +143,7 @@ def get_deployer_notes(stig_id):
_, metadata, text = yaml_boundary.split(rst_file, 2)
# Assemble the metadata and the text from the deployer note.
post = yaml.load(metadata)
post = yaml.safe_load(metadata)
post['content'] = text
return post
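Review bot: this hunk and the one below apply the same one-line fix to two copies of an apparently identical get_deployer_notes() body (same split, same comment, same assignment); consider moving the front-matter parsing into one shared helper so the next change to this code, or to the loader it uses, lands in a single place.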


@ -99,7 +99,7 @@ def get_deployer_notes(stig_id):
_, metadata, text = yaml_boundary.split(rst_file, 2)
# Assemble the metadata and the text from the deployer note.
post = yaml.load(metadata)
post = yaml.safe_load(metadata)
post['content'] = text
return post
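Review bot: after `post = yaml.safe_load(metadata)` there is no check that the result is a mapping; safe_load returns None for an empty front-matter block and a list for a sequence, and `post['content'] = text` would then fail with a TypeError rather than a clear message. Suggest guarding with `if not isinstance(post, dict): raise ValueError(...)` naming the offending note before assigning `content`.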