From 15fd41725a6fe7d067b14e318eb6b40309c4257e Mon Sep 17 00:00:00 2001
From: Van Hung Pham
Date: Thu, 1 Jun 2017 22:57:01 +0700
Subject: [PATCH] Replace yaml.load() with yaml.safe_load()

Avoid dangerous file parsing and object serialization libraries. yaml.load is the obvious function to use but it is dangerous[1] Because yaml.load return Python object may be dangerous if you receive a YAML document from an untrusted source such as the Internet. The function yaml.safe_load limits this ability to simple Python objects like integers or lists. In addition, Bandit flags yaml.load() as security risk so replace all occurrences with yaml.safe_load(). Thus I replace yaml.load() with yaml.safe_load()

[1]https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: Iaa2b7d9c880f3e20243bb2a9cbd8f9db29ecc267
---
 ci-scripts/linters/lint-browbeat-config.py | 2 +-
 lib/Shaker.py | 2 +-
 lib/Tools.py | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/ci-scripts/linters/lint-browbeat-config.py b/ci-scripts/linters/lint-browbeat-config.py
index 95138bdbb..ed08fbc2f 100644
--- a/ci-scripts/linters/lint-browbeat-config.py
+++ b/ci-scripts/linters/lint-browbeat-config.py
@@ -16,7 +16,7 @@ import sys
 from pykwalify import core as pykwalify_core
 from pykwalify import errors as pykwalify_errors
 stream = open(sys.argv[1], 'r')
-schema = yaml.load(stream)
+schema = yaml.safe_load(stream)
 check = pykwalify_core.Core(sys.argv[2], schema_data=schema)
 try:
 check.validate(raise_exception=True)
diff --git a/lib/Shaker.py b/lib/Shaker.py
index 174dbf8a4..54fbc6b48 100644
--- a/lib/Shaker.py
+++ b/lib/Shaker.py
@@ -244,7 +244,7 @@ class Shaker(WorkloadBase.WorkloadBase):
 def set_scenario(self, scenario, fname, default_time):
 stream = open(fname, 'r')
- data = yaml.load(stream)
+ data = yaml.safe_load(stream)
 stream.close()
 default_density = 1
 default_compute = 1
diff --git a/lib/Tools.py b/lib/Tools.py
index 92e484edf..6c73627ae 100644
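Review bot: `schema = yaml.safe_load(stream)` still reads from the handle opened on the line above, `stream = open(sys.argv[1], 'r')`, and nothing in this hunk ever closes it; the same pattern is in the lib/Shaker.py hunk (`set_scenario`, whose explicit `stream.close()` is skipped if `safe_load` raises) and in the second lib/Tools.py hunk (`lib/validate.yaml`). Replacing the pair with `with open(sys.argv[1], 'r') as stream:` / `    schema = yaml.safe_load(stream)` closes the file on every path, including the new failure path. Worth stating in the commit message as well: `safe_load` rejects documents that carry Python-specific tags (`!!python/...`) with `yaml.constructor.ConstructorError`, so a schema or scenario file that `yaml.load` used to turn into arbitrary objects now fails to load — the intended hardening, but a behaviour change operators of these scripts should expect. Where `yaml` itself is imported is not visible in the hunk.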
--- a/lib/Tools.py
+++ b/lib/Tools.py
@@ -71,7 +71,7 @@ class Tools(object):
 self.logger.error(
 "Configuration file {} passed is missing".format(path))
 exit(1)
- config = yaml.load(stream)
+ config = yaml.safe_load(stream)
 stream.close()
 self.config = config
 if validate:
@@ -82,7 +82,7 @@ class Tools(object):
 self.logger.info(
 "Validating the configuration file passed by the user")
 stream = open("lib/validate.yaml", 'r')
- schema = yaml.load(stream)
+ schema = yaml.safe_load(stream)
 check = pykwalify_core.Core(
 source_data=self.config, schema_data=schema)
 try:
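Review bot: In the first hunk a missing configuration file is reported through `self.logger.error` and `exit(1)`, but a parse failure from `config = yaml.safe_load(stream)` — which after this change includes any document using a `!!python/...` tag that `yaml.load` used to accept — propagates as an uncaught `yaml.YAMLError` traceback, and the `stream.close()` on the next line is skipped. Wrapping the load in a `try`/`except yaml.YAMLError` that logs with the same `self.logger.error(...)` / `exit(1)` shape keeps the two failure modes consistent for the operator; the second hunk (`lib/validate.yaml`) has the same exposure and never closes its handle at all. The enclosing method begins above the hunk, so where `stream` and `path` are bound is not visible here.

```python
        # … unchanged: missing-file check and exit(1) above …
        try:
            config = yaml.safe_load(stream)
        except yaml.YAMLError as err:
            self.logger.error(
                "Configuration file {} could not be parsed: {}".format(path, err))
            exit(1)
        stream.close()
        # … unchanged: self.config = config and the validate branch …
```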