Using yaml.safe_load instead of yaml.load

It is not safe to call yaml.load on any data received from
an untrusted source, so we'd better use yaml.safe_load

Reference:
https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: Ic8bf73bf0f2e2c29eb48094367cf558483be1267
zhuzeyu 2017-02-08 12:02:46 +08:00
parent d6b4c25d20
commit 6e6a36944e


@ -19,7 +19,7 @@ import inspect
import os import os
from yaml import dump from yaml import dump
from yaml import load from yaml import safe_load
try: try:
from yaml import CDumper as Dumper # noqa: F401 from yaml import CDumper as Dumper # noqa: F401
from yaml import CLoader as Loader # noqa: F401 from yaml import CLoader as Loader # noqa: F401
@ -42,7 +42,7 @@ class ActionModule(action.ActionBase):
with open(source, 'r') as f: with open(source, 'r') as f:
template_data = f.read() template_data = f.read()
template_data = self._templar.template(template_data) template_data = self._templar.template(template_data)
result = load(template_data) result = safe_load(template_data)
return result or {} return result or {}
def run(self, tmp=None, task_vars=None): def run(self, tmp=None, task_vars=None):
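Review bot: With `safe_load` on the new side of the second hunk, the `from yaml import CLoader as Loader  # noqa: F401` import kept in the first hunk is dead for this file: `safe_load` always parses with the pure-Python `SafeLoader` and never consults `Loader`, so the C accelerator the try block appears to be selecting is no longer used for this call. If the C loader was wanted for speed, the restricted-constructor equivalent is `CSafeLoader` (with `SafeLoader` as the fallback in the except branch, which lies outside the hunk) and the call becomes `result = load(template_data, Loader=SafeLoader)`; otherwise the `Loader` import and its `noqa` can simply be dropped. Either way a one-line comment such as `# safe_load: template output may carry untrusted input, so no arbitrary-object tags` next to the call would record why `load` must not be reintroduced. The method containing the `load` call starts above the hunk, so its signature and any other YAML calls in it are not visible here.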