From c4a7ac0b653543e8a3ba10060cabdb114fb6672b Mon Sep 17 00:00:00 2001
From: Cyril Roelandt <cyril@redhat.com>
Date: Wed, 21 Oct 2015 17:08:12 +0200
Subject: [PATCH] Use yaml.safe_load instead of yaml.load

We currently use yaml.load to read a user-written config file. This can lead to malicious code execution, so we should use yaml.safe_load instead. Found using bandit.

Change-Id: I27792f0435bc3cb9b9d31846d07a8d47a1e7679d
---
 oslo_messaging/notify/_impl_routing.py | 2 +-
 oslo_messaging/tests/notify/test_notifier.py | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/oslo_messaging/notify/_impl_routing.py b/oslo_messaging/notify/_impl_routing.py
index bf07e673e..6c5fd18d2 100644
--- a/oslo_messaging/notify/_impl_routing.py
+++ b/oslo_messaging/notify/_impl_routing.py
@@ -61,7 +61,7 @@ class RoutingDriver(notifier.Driver):
 return
 
 # Infer which drivers are used from the config file.
- self.routing_groups = yaml.load(
+ self.routing_groups = yaml.safe_load(
 self._get_notifier_config_file(filename))
 if not self.routing_groups:
 self.routing_groups = {} # In case we got None from load()
diff --git a/oslo_messaging/tests/notify/test_notifier.py b/oslo_messaging/tests/notify/test_notifier.py
index 557b9bb25..e55913d51 100644
--- a/oslo_messaging/tests/notify/test_notifier.py
+++ b/oslo_messaging/tests/notify/test_notifier.py
@@ -412,7 +412,7 @@ group_1:
 - blah.zoo.*
 - zip
 """
- groups = yaml.load(config)
+ groups = yaml.safe_load(config)
 group = groups['group_1']
 
 # No matching event ...
@@ -443,7 +443,7 @@ group_1:
 - info
 - error
 """
- groups = yaml.load(config)
+ groups = yaml.safe_load(config)
 group = groups['group_1']
 
 # No matching priority
@@ -476,7 +476,7 @@ group_1:
 accepted_events:
 - foo.*
 """
- groups = yaml.load(config)
+ groups = yaml.safe_load(config)
 group = groups['group_1']
 
 # Valid event, but no matching priority
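Review bot: `yaml.safe_load` narrows what the parser will construct, but the `if not self.routing_groups:` guard that follows the new call still accepts any truthy document, so a config file that parses to a list or a scalar is stored in `self.routing_groups` unchanged and the shape error presumably only surfaces later, wherever the groups are consumed. A check right after the load, along the lines of `if not isinstance(self.routing_groups, dict): raise <the config error the driver already uses>(filename)`, would reject the file at the boundary with a message naming it; the exception type to use is outside the hunk. The trailing comment should also follow the rename, e.g. `# In case we got None from safe_load()`. The enclosing method begins above the hunk, so whether a `yaml.YAMLError` from a malformed file is caught there cannot be seen from here.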
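Review bot: The three test hunks in this file (lines 412, 443 and 476) parse trusted string literals, so switching them to `yaml.safe_load` only keeps them in step with the driver; nothing in the change asserts the driver-side behaviour the commit message describes. A small regression test that hands `RoutingDriver` a document containing a tag `yaml.SafeLoader` refuses and asserts that a `yaml.YAMLError` propagates would keep a later edit from quietly reverting to `yaml.load`. Each test method starts above its hunk, so the fixtures available for such a test are not visible here.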