From d27cd0ea4e18566c71de2bcf43e94be6fd68a4c4 Mon Sep 17 00:00:00 2001
From: rajat29
Date: Wed, 26 Jul 2017 12:11:48 +0530
Subject: [PATCH] Replaces yaml.load() with yaml.safe_load()

Yaml.load() return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load() limits this ability to simple Python objects like integers or lists.
Reference: https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html
Change-Id: I021bd09d3bbc6d4b9c8965c59c7f4ec4895f8b8b
---
 vitrageclient/common/yaml_utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vitrageclient/common/yaml_utils.py b/vitrageclient/common/yaml_utils.py
index 6a0bd5d..55ae609 100644
--- a/vitrageclient/common/yaml_utils.py
+++ b/vitrageclient/common/yaml_utils.py
@@ -16,7 +16,7 @@ import yaml
 def load(stream):
     try:
-        yaml_dict = yaml.load(stream, Loader=yaml.BaseLoader)
+        yaml_dict = yaml.safe_load(stream, Loader=yaml.BaseLoader)
     except yaml.YAMLError as exc:
         msg = 'An error occurred during YAML parsing.'
         if hasattr(exc, 'problem_mark'):
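Review bot: The added line `yaml_dict = yaml.safe_load(stream, Loader=yaml.BaseLoader)` will raise TypeError on every call, because PyYAML's `safe_load()` accepts only the stream argument (it is a shorthand for `load(stream, Loader=SafeLoader)`), and a TypeError is not a `yaml.YAMLError`, so the existing except branch will not catch it. The removed line was already not the dangerous form the description warns about: `yaml.BaseLoader` builds only str, list and dict values and never instantiates arbitrary Python objects, so the security rationale does not apply to this call site. Either keep `yaml_dict = yaml.load(stream, Loader=yaml.BaseLoader)`, or drop the keyword and use `yaml_dict = yaml.safe_load(stream)`, bearing in mind that SafeLoader resolves scalars (ints, bools, null) whereas BaseLoader returns every scalar as a string, which changes what callers of load() receive. The body of load() continues past the end of the hunk.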