From f328100bff10180e102ad34a90a50a19113c6714 Mon Sep 17 00:00:00 2001
From: Luong Anh Tuan
Date: Mon, 16 Jan 2017 16:14:38 +0700
Subject: [PATCH] Replace yaml.load() with yaml.safe_load()

Avoid dangerous file parsing and object serialization libraries. yaml.load is the obvious function to use but it is dangerous[1] Because yaml.load return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load limits this ability to simple Python objects like integers or lists. In addition, Bandit flags yaml.load() as security risk so replace all occurrences with yaml.safe_load(). Thus I replace yaml.load() with yaml.safe_load()

[1]https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: I4aac907c2a7ecf9a3f85a1a07ca020df6eb0b756
Closes-Bug: #1634265
---
 rally/plugins/openstack/verification/tempest/manager.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rally/plugins/openstack/verification/tempest/manager.py b/rally/plugins/openstack/verification/tempest/manager.py
index 40d1e146..f56e4e27 100644
--- a/rally/plugins/openstack/verification/tempest/manager.py
+++ b/rally/plugins/openstack/verification/tempest/manager.py
@@ -121,7 +121,7 @@ class TempestManager(testr.TestrLauncher):
 "Cannot list installed Tempest plugins for verifier %s." % self.verifier)
- return yaml.load(output)
+ return yaml.safe_load(output)
 def uninstall_extension(self, name):
 """Uninstall a Tempest plugin."""
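Review bot: The parse itself is still unguarded — if `output` is not valid YAML, `yaml.safe_load(output)` on the added line raises `yaml.YAMLError`, whereas the failure branch just above it (its `raise` line is not visible in the hunk) reports a verifier-specific "Cannot list installed Tempest plugins" message. Presumably `output` is the captured stdout of the plugin-listing command, so any stray non-YAML text in it would surface as a raw parser traceback rather than that consistent error; wrapping the call as `try: return yaml.safe_load(output)` / `except yaml.YAMLError: raise` the same exception class used above, with a message naming the verifier, would keep the error handling uniform. Note also that `safe_load` returns `None` for an empty document, so a caller that iterates the result must tolerate that, or the method should return `yaml.safe_load(output) or []` if an empty plugin list is the intended meaning. The enclosing method begins outside the hunk, so its docstring is not visible here; it would be worth stating there that only plain YAML scalars, lists and mappings are ever returned now that `safe_load` is used.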