From 3cf56881413adf39963401279a84a3cc3fce19b9 Mon Sep 17 00:00:00 2001
From: Luong Anh Tuan
Date: Mon, 16 Jan 2017 15:20:45 +0700
Subject: [PATCH] Replace yaml.load() with yaml.safe_load()

Avoid dangerous file parsing and object serialization libraries. yaml.load is the obvious function to use but it is dangerous[1] Because yaml.load return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load limits this ability to simple Python objects like integers or lists. In addition, Bandit flags yaml.load() as security risk so replace all occurrences with yaml.safe_load(). Thus I replace yaml.load() with yaml.safe_load() [1]https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: Ifaecff145e91f72911ae05ea274a4977c56212c7
Closes-Bug: #1634265
---
 translator/common/utils.py | 2 +-
 translator/hot/tosca/tosca_policies_scaling.py | 2 +-
 translator/shell.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/translator/common/utils.py b/translator/common/utils.py
index 016a4eb3..874c8ec9 100644
--- a/translator/common/utils.py
+++ b/translator/common/utils.py
@@ -196,7 +196,7 @@ class YamlUtils(object):
     def get_dict(yaml_file):
         '''Returns the dictionary representation of the given YAML spec.'''
         try:
-            return yaml.load(open(yaml_file))
+            return yaml.safe_load(open(yaml_file))
         except IOError:
             return None
diff --git a/translator/hot/tosca/tosca_policies_scaling.py b/translator/hot/tosca/tosca_policies_scaling.py
index c1ba9b70..1b63f24c 100644
--- a/translator/hot/tosca/tosca_policies_scaling.py
+++ b/translator/hot/tosca/tosca_policies_scaling.py
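Review bot: The new `+` line in get_dict still opens the file without ever closing it — `yaml.safe_load(open(yaml_file))` leaves the handle to be reclaimed by garbage collection, which is a ResourceWarning on CPython and a real leak on interpreters without refcounting. Use a context manager so the handle is released on both the success and the exception path: `with open(yaml_file) as f:` / `    return yaml.safe_load(f)`. Note also that the surrounding `except IOError` only covers the open; a malformed document raises `yaml.YAMLError`, which this hunk does not catch, so callers relying on the `None` sentinel would see an exception instead — worth a comment or an explicit handler if that is intended. get_dict appears to be a static method whose decorator, if any, sits above the hunk.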
@@ -68,7 +68,7 @@ class ToscaAutoscaling(HotResource):
         return yaml.nodes.MappingNode(u'tag:yaml.org,2002:map', nodes)
     def _handle_nested_template(self, scale_res):
-        template_dict = yaml.load(HEAT_TEMPLATE_BASE)
+        template_dict = yaml.safe_load(HEAT_TEMPLATE_BASE)
         template_dict['description'] = 'Tacker Scaling template'
         template_dict["resources"] = {}
         dict_res = OrderedDict()
diff --git a/translator/shell.py b/translator/shell.py
index b10da922..1d67c2a4 100644
--- a/translator/shell.py
+++ b/translator/shell.py
@@ -214,7 +214,7 @@ class TranslatorShell(object):
         msg = _('Deploy the generated template, the stack name is %(name)s.')\
             % {'name': heat_stack_name}
         log.debug(msg)
-        tpl = yaml.load(translator.translate())
+        tpl = yaml.safe_load(translator.translate())
         # get all the values for get_file from a translated template
         get_files = []