Utilize yaml.safe_load

The patch changes instances of yaml.load with yaml.safe_load
which is more secure at blocking arbitrary code execution.

The following blog has a decent explaination:

https://www.kevinlondon.com/2015/08/15/dangerous-python-functions-pt2.html

Change-Id: I8201baab6cb31ab31228eca83134f87a57c2f5d2
Signed-off-by: lhinds <lhinds@redhat.com>

diff --git a/build/parser.py b/build/parser.py
index 602d7c2..63eb494 100644 (file)
--- a/build/parser.py
+++ b/build/parser.py
@@ -80,7 +80,7 @@ def usage():
 
 def build_parser(build_file_name):
     cache = load_env()
-    cfg = yaml.load(file(build_file_name, 'r'))
+    cfg = yaml.safe_load(file(build_file_name, 'r'))
 
     print "Starting building...."
     for pkg in cfg.get("packages"):

diff --git a/deploy/bonding.py b/deploy/bonding.py
index 27e76da..17b5b20 100644 (file)
--- a/deploy/bonding.py
+++ b/deploy/bonding.py
@@ -34,7 +34,7 @@ def create_bonding(network_info, rsa_file, compass_ip):
 if __name__ == "__main__":
     assert(len(sys.argv) == 4)
     create_bonding(
-        yaml.load(
+        yaml.safe_load(
             open(
                 sys.argv[1])),
         sys.argv[2],

diff --git a/deploy/client.py b/deploy/client.py
index 810ac11..6d5daa3 100644 (file)
--- a/deploy/client.py
+++ b/deploy/client.py
@@ -740,11 +740,11 @@ class CompassClient(object):
         package_config['network_mapping'] = network_mapping
 
         assert(os.path.exists(CONF.network_cfg))
-        network_cfg = yaml.load(open(CONF.network_cfg))
+        network_cfg = yaml.safe_load(open(CONF.network_cfg))
         package_config["network_cfg"] = network_cfg
 
         assert(os.path.exists(CONF.neutron_cfg))
-        neutron_cfg = yaml.load(open(CONF.neutron_cfg))
+        neutron_cfg = yaml.safe_load(open(CONF.neutron_cfg))
         package_config["neutron_config"] = neutron_cfg
 
         """

diff --git a/deploy/config_parse.py b/deploy/config_parse.py
index 363516b..8a1ac54 100644 (file)
--- a/deploy/config_parse.py
+++ b/deploy/config_parse.py
@@ -15,7 +15,7 @@ from Cheetah.Template import Template
 
 def init(file):
     with open(file) as fd:
-        return yaml.load(fd)
+        return yaml.safe_load(fd)
 
 
 def decorator(func):

diff --git a/deploy/opera_adapter.py b/deploy/opera_adapter.py
index 137aba5..fbf1b66 100644 (file)
--- a/deploy/opera_adapter.py
+++ b/deploy/opera_adapter.py
@@ -18,7 +18,7 @@ import traceback
 def load_file(file):
     with open(file) as fd:
         try:
-            return yaml.load(fd)
+            return yaml.safe_load(fd)
         except:
             traceback.print_exc()
             return None

diff --git a/deploy/rename_nics.py b/deploy/rename_nics.py
index 2672c99..f78b397 100644 (file)
--- a/deploy/rename_nics.py
+++ b/deploy/rename_nics.py
@@ -36,7 +36,7 @@ def rename_nics(dha_info, rsa_file, compass_ip, os_version):
 if __name__ == "__main__":
     assert(len(sys.argv) == 5)
     rename_nics(
-        yaml.load(
+        yaml.safe_load(
             open(
                 sys.argv[1])),
         sys.argv[2],

diff --git a/deploy/reset_compute.py b/deploy/reset_compute.py
index 86afc4f..2e5103b 100644 (file)
--- a/deploy/reset_compute.py
+++ b/deploy/reset_compute.py
@@ -20,7 +20,7 @@ def exec_cmd(cmd):
 def reset_baremetal(dha_info):
     print "reset_baremetal"
 
-    hosts_info = yaml.load(open(dha_info))
+    hosts_info = yaml.safe_load(open(dha_info))
     # print hosts_info
 
     ipmiUserDf = hosts_info.get('ipmiUser', 'root')
@@ -48,7 +48,7 @@ def reset_baremetal(dha_info):
 def reset_virtual(dha_info):
     print "reset_virtual"
 
-    hosts_info = yaml.load(open(dha_info))
+    hosts_info = yaml.safe_load(open(dha_info))
     print hosts_info
 
     hosts_list = hosts_info.get('hosts', [])

diff --git a/deploy/setup_vnic.py b/deploy/setup_vnic.py
index 7dcd8d9..de3b5ed 100644 (file)
--- a/deploy/setup_vnic.py
+++ b/deploy/setup_vnic.py
@@ -13,7 +13,7 @@ import yaml
 
 if __name__ == "__main__":
     network_config_file = os.environ["NETWORK"]
-    network_config = yaml.load(open(network_config_file, "r"))
+    network_config = yaml.safe_load(open(network_config_file, "r"))
     os.system(
         "sudo ovs-vsctl --may-exist add-port br-external mgmt_vnic -- set Interface mgmt_vnic type=internal")   # noqa
     os.system("sudo ip addr flush mgmt_vnic")

diff --git a/repo/gen_ins_pkg_script.py b/repo/gen_ins_pkg_script.py
index 38d08c2..9af3414 100644 (file)
--- a/repo/gen_ins_pkg_script.py
+++ b/repo/gen_ins_pkg_script.py
@@ -32,7 +32,7 @@ def get_packages_name_list(file_list, special_packages):
     package_name_list = []
 
     for file in file_list:
-        datas = yaml.load(open(file))
+        datas = yaml.safe_load(open(file))
         if not datas:
             continue
 

diff --git a/util/check_valid.py b/util/check_valid.py
index e3ad6bc..e6a72e7 100644 (file)
--- a/util/check_valid.py
+++ b/util/check_valid.py
@@ -17,7 +17,7 @@ import traceback
 def load_file(file):
     with open(file) as fd:
         try:
-            return yaml.load(fd)
+            return yaml.safe_load(fd)
         except:
             traceback.print_exc()
             return None