Replace yaml.load() with yaml.safe_load()

Avoid dangerous file parsing and object serialization libraries. yaml.load is the obvious function to use but it is dangerous[1] Because yaml.load return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load limits this ability to simple Python objects like integers or lists. In addition, Bandit flags yaml.load() as security risk so replace all occurrences with yaml.safe_load(). Thus I replace yaml.load() with yaml.safe_load() [1]https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html Change-Id: Iaa2b7d9c880f3e20243bb2a9cbd8f9db29ecc267
2017-06-01 22:57:01 +07:00 · 2017-06-01 22:57:01 +07:00 · 15fd41725a
commit 15fd41725a
parent ad3406deb2
3 changed files with 4 additions and 4 deletions
--- a/ci-scripts/linters/lint-browbeat-config.py
+++ b/ci-scripts/linters/lint-browbeat-config.py
@ -16,7 +16,7 @@ import sys
 from pykwalify import core as pykwalify_core
 from pykwalify import errors as pykwalify_errors
 stream = open(sys.argv[1], 'r')
-schema = yaml.load(stream)
+schema = yaml.safe_load(stream)
 check = pykwalify_core.Core(sys.argv[2], schema_data=schema)
 try:
    check.validate(raise_exception=True)
--- a/lib/Shaker.py
+++ b/lib/Shaker.py
@ -244,7 +244,7 @@ class Shaker(WorkloadBase.WorkloadBase):

    def set_scenario(self, scenario, fname, default_time):
        stream = open(fname, 'r')
-        data = yaml.load(stream)
+        data = yaml.safe_load(stream)
        stream.close()
        default_density = 1
        default_compute = 1
--- a/lib/Tools.py
+++ b/lib/Tools.py
@ -71,7 +71,7 @@ class Tools(object):
            self.logger.error(
                "Configuration file {} passed is missing".format(path))
            exit(1)
-        config = yaml.load(stream)
+        config = yaml.safe_load(stream)
        stream.close()
        self.config = config
        if validate:
@ -82,7 +82,7 @@ class Tools(object):
        self.logger.info(
            "Validating the configuration file passed by the user")
        stream = open("lib/validate.yaml", 'r')
-        schema = yaml.load(stream)
+        schema = yaml.safe_load(stream)
        check = pykwalify_core.Core(
            source_data=self.config, schema_data=schema)
        try: