Using yaml.safe_load instead of yaml.load
It is not safe to call yaml.load on data received from an untrusted source; use yaml.safe_load instead. Reference: https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html Change-Id: Ic8bf73bf0f2e2c29eb48094367cf558483be1267
This commit is contained in:
parent
d6b4c25d20
commit
6e6a36944e
@ -19,7 +19,7 @@ import inspect
|
|||||||
import os
|
import os
|
||||||
|
|
||||||
from yaml import dump
|
from yaml import dump
|
||||||
from yaml import load
|
from yaml import safe_load
|
||||||
try:
|
try:
|
||||||
from yaml import CDumper as Dumper # noqa: F401
|
from yaml import CDumper as Dumper # noqa: F401
|
||||||
from yaml import CLoader as Loader # noqa: F401
|
from yaml import CLoader as Loader # noqa: F401
|
||||||
@ -42,7 +42,7 @@ class ActionModule(action.ActionBase):
|
|||||||
with open(source, 'r') as f:
|
with open(source, 'r') as f:
|
||||||
template_data = f.read()
|
template_data = f.read()
|
||||||
template_data = self._templar.template(template_data)
|
template_data = self._templar.template(template_data)
|
||||||
result = load(template_data)
|
result = safe_load(template_data)
|
||||||
return result or {}
|
return result or {}
|
||||||
|
|
||||||
def run(self, tmp=None, task_vars=None):
|
def run(self, tmp=None, task_vars=None):
|
||||||
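Review bot: The `from yaml import CLoader as Loader  # noqa: F401` import kept in the first hunk is now dead code: `safe_load` always goes through the pure-Python `SafeLoader`, so the C loader is never used and the noqa only hides the unused name. If the C accelerator is wanted, PyYAML exposes `CSafeLoader`; the safe equivalent would be `from yaml import CSafeLoader as SafeLoader` inside the existing try block with `from yaml import SafeLoader` in the except branch, and `result = load(template_data, Loader=SafeLoader)` at the call site; otherwise the Loader import should simply be dropped. The method containing the `safe_load` call starts outside the second hunk; the text it parses has already been rendered by `self._templar.template`, so the switch limits untrusted template output to plain YAML data rather than arbitrary object construction, which is the right boundary. A malformed document still raises `yaml.YAMLError` from `safe_load`, which is presumably left to the caller and could be stated in the method's docstring.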
|