From 1833897d18fe0930984215372e1343cff1531b61 Mon Sep 17 00:00:00 2001
From: lhinds
Date: Sat, 8 Jul 2017 16:51:27 +0100
Subject: Utilize yaml.safe_load

The patch changes instances of yaml.load with yaml.safe_load which is more secure at blocking arbitrary code execution. The following blog has a decent explaination: https://www.kevinlondon.com/2015/08/15/dangerous-python-functions-pt2.html

Change-Id: I8201baab6cb31ab31228eca83134f87a57c2f5d2
Signed-off-by: lhinds
---
 build/parser.py            | 2 +-
 deploy/bonding.py          | 2 +-
 deploy/client.py           | 4 ++--
 deploy/config_parse.py     | 2 +-
 deploy/opera_adapter.py    | 2 +-
 deploy/rename_nics.py      | 2 +-
 deploy/reset_compute.py    | 4 ++--
 deploy/setup_vnic.py       | 2 +-
 repo/gen_ins_pkg_script.py | 2 +-
 util/check_valid.py        | 2 +-
 10 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/build/parser.py b/build/parser.py
index 602d7c21..63eb494f 100644
--- a/build/parser.py
+++ b/build/parser.py
@@ -80,7 +80,7 @@ def usage():
 
 
 def build_parser(build_file_name):
     cache = load_env()
-    cfg = yaml.load(file(build_file_name, 'r'))
+    cfg = yaml.safe_load(file(build_file_name, 'r'))
     print "Starting building...."
     for pkg in cfg.get("packages"):
diff --git a/deploy/bonding.py b/deploy/bonding.py
index 27e76daa..17b5b205 100644
--- a/deploy/bonding.py
+++ b/deploy/bonding.py
@@ -34,7 +34,7 @@ def create_bonding(network_info, rsa_file, compass_ip):
 if __name__ == "__main__":
     assert(len(sys.argv) == 4)
     create_bonding(
-        yaml.load(
+        yaml.safe_load(
             open(
                 sys.argv[1])),
         sys.argv[2],
diff --git a/deploy/client.py b/deploy/client.py
index 810ac118..6d5daa38 100644
--- a/deploy/client.py
+++ b/deploy/client.py
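Review bot: The `file(build_file_name, 'r')` handle on the new line is never closed, so it is leaked until garbage collection, and `file()` is a Python 2-only builtin; a context manager fixes both: `with open(build_file_name, 'r') as fh:` followed by `cfg = yaml.safe_load(fh)`. Note also that `yaml.safe_load` returns `None` for an empty document, so `cfg.get("packages")` on the following context line raises `AttributeError` instead of a clear error; `cfg = yaml.safe_load(fh) or {}` and `for pkg in cfg.get("packages", []):` keep an empty or keyless build file from crashing. `build_parser`'s body continues past the end of the hunk.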
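Review bot: The `open(sys.argv[1])` handle passed into the new `yaml.safe_load(` call is never closed; reading it in a `with open(sys.argv[1]) as fh:` block into a local (`network_info = yaml.safe_load(fh)`) before calling `create_bonding(network_info, ...)` scopes the descriptor. The `assert(len(sys.argv) == 4)` argument check two lines above is stripped under `python -O`, so a wrong invocation would then fail with `IndexError` somewhere inside; an explicit `if len(sys.argv) != 4: sys.exit("usage: ...")` is the safer guard for a script that presumably runs with deployment privileges. The `create_bonding(` call continues past the end of the hunk.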
@@ -740,11 +740,11 @@ class CompassClient(object):
         package_config['network_mapping'] = network_mapping
 
         assert(os.path.exists(CONF.network_cfg))
-        network_cfg = yaml.load(open(CONF.network_cfg))
+        network_cfg = yaml.safe_load(open(CONF.network_cfg))
         package_config["network_cfg"] = network_cfg
 
         assert(os.path.exists(CONF.neutron_cfg))
-        neutron_cfg = yaml.load(open(CONF.neutron_cfg))
+        neutron_cfg = yaml.safe_load(open(CONF.neutron_cfg))
         package_config["neutron_config"] = neutron_cfg
 
         """
diff --git a/deploy/config_parse.py b/deploy/config_parse.py
index 363516b4..8a1ac54b 100644
--- a/deploy/config_parse.py
+++ b/deploy/config_parse.py
@@ -15,7 +15,7 @@ from Cheetah.Template import Template
 
 def init(file):
     with open(file) as fd:
-        return yaml.load(fd)
+        return yaml.safe_load(fd)
 
 
 def decorator(func):
diff --git a/deploy/opera_adapter.py b/deploy/opera_adapter.py
index 137aba54..fbf1b662 100644
--- a/deploy/opera_adapter.py
+++ b/deploy/opera_adapter.py
@@ -18,7 +18,7 @@ import traceback
 def load_file(file):
     with open(file) as fd:
         try:
-            return yaml.load(fd)
+            return yaml.safe_load(fd)
         except:
             traceback.print_exc()
             return None
diff --git a/deploy/rename_nics.py b/deploy/rename_nics.py
index 2672c990..f78b3979 100644
--- a/deploy/rename_nics.py
+++ b/deploy/rename_nics.py
@@ -36,7 +36,7 @@ def rename_nics(dha_info, rsa_file, compass_ip, os_version):
 if __name__ == "__main__":
     assert(len(sys.argv) == 5)
     rename_nics(
-        yaml.load(
+        yaml.safe_load(
             open(
                 sys.argv[1])),
         sys.argv[2],
diff --git a/deploy/reset_compute.py b/deploy/reset_compute.py
index 86afc4f1..2e5103ba 100644
--- a/deploy/reset_compute.py
+++ b/deploy/reset_compute.py
@@ -20,7 +20,7 @@ def exec_cmd(cmd):
 
 def reset_baremetal(dha_info):
     print "reset_baremetal"
-    hosts_info = yaml.load(open(dha_info))
+    hosts_info = yaml.safe_load(open(dha_info))
     # print hosts_info
     ipmiUserDf = hosts_info.get('ipmiUser', 'root')
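Review bot: Both new lines hand an `open(...)` handle straight to `yaml.safe_load` and never close it; `with open(CONF.network_cfg) as fh: network_cfg = yaml.safe_load(fh)` (and the same for `CONF.neutron_cfg`) closes each descriptor deterministically. The `assert(os.path.exists(...))` preceding each load is stripped under `-O` and is a check-then-use race in any case; `open()` already raises `IOError` for a missing path, so catching that and reporting which config file is missing gives a better error than the assert does. The enclosing `CompassClient` method starts before the hunk.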
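Review bot: `init` has no docstring, and nothing tells its callers that `yaml.safe_load` returns `None` for an empty document rather than an empty dict; a one-line docstring such as `"""Parse *file* as YAML; returns None when the document is empty."""` would record that edge. The parameter name `file` shadows the Python 2 builtin of the same name, though renaming it is outside the scope of this change.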
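Review bot: The bare `except:` two lines below the changed line catches everything, including `KeyboardInterrupt` and `SystemExit`, and maps a malformed YAML file to the same `None` that an empty file yields, so callers of `load_file` cannot tell "no config" from "corrupt config"; `except yaml.YAMLError:` keeps the traceback print for parse errors while letting other exceptions propagate. The identical helper in `util/check_valid.py` has the same problem and could share one implementation.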
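Review bot: The `open(sys.argv[1])` handle fed to the new `yaml.safe_load(` call is never closed, and the `assert(len(sys.argv) == 5)` argument check above it disappears under `-O`; read the file in a `with open(sys.argv[1]) as fh:` block into a local (`dha_info = yaml.safe_load(fh)`) and replace the assert with an explicit length check that exits with a usage message. The `rename_nics(` call continues past the end of the hunk.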
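Review bot: `yaml.safe_load` returns `None` for an empty `dha_info` file, so `hosts_info.get('ipmiUser', 'root')` on the next context line raises `AttributeError` instead of a useful message; `with open(dha_info) as fh:` followed by `hosts_info = yaml.safe_load(fh) or {}` covers that case and also closes the handle the new line leaks. The IPMI user read here, and presumably the password and addresses that follow, appear to be handed to `exec_cmd`, which is outside the hunk; if that builds a shell string, those values need `pipes.quote` or a list-form `subprocess` call, since `safe_load` validates nothing about their content. `reset_baremetal`'s body continues past the end of the hunk.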
@@ -48,7 +48,7 @@ def reset_baremetal(dha_info):
 
 def reset_virtual(dha_info):
     print "reset_virtual"
-    hosts_info = yaml.load(open(dha_info))
+    hosts_info = yaml.safe_load(open(dha_info))
     print hosts_info
     hosts_list = hosts_info.get('hosts', [])
 
diff --git a/deploy/setup_vnic.py b/deploy/setup_vnic.py
index 7dcd8d94..de3b5ed6 100644
--- a/deploy/setup_vnic.py
+++ b/deploy/setup_vnic.py
@@ -13,7 +13,7 @@ import yaml
 
 if __name__ == "__main__":
     network_config_file = os.environ["NETWORK"]
-    network_config = yaml.load(open(network_config_file, "r"))
+    network_config = yaml.safe_load(open(network_config_file, "r"))
     os.system(
         "sudo ovs-vsctl --may-exist add-port br-external mgmt_vnic -- set Interface mgmt_vnic type=internal")  # noqa
     os.system("sudo ip addr flush mgmt_vnic")
diff --git a/repo/gen_ins_pkg_script.py b/repo/gen_ins_pkg_script.py
index 38d08c23..9af34143 100644
--- a/repo/gen_ins_pkg_script.py
+++ b/repo/gen_ins_pkg_script.py
@@ -32,7 +32,7 @@ def get_packages_name_list(file_list, special_packages):
     package_name_list = []
     for file in file_list:
-        datas = yaml.load(open(file))
+        datas = yaml.safe_load(open(file))
         if not datas:
             continue
diff --git a/util/check_valid.py b/util/check_valid.py
index e3ad6bcd..e6a72e71 100644
--- a/util/check_valid.py
+++ b/util/check_valid.py
@@ -17,7 +17,7 @@ import traceback
 def load_file(file):
     with open(file) as fd:
         try:
-            return yaml.load(fd)
+            return yaml.safe_load(fd)
         except:
             traceback.print_exc()
             return None
-- 
cgit 1.2.3-korg
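Review bot: The handle from `open(network_config_file, "r")` on the new line is never closed; `with open(network_config_file) as fh: network_config = yaml.safe_load(fh)` is the minimal fix. `yaml.safe_load` only stops the parser from constructing arbitrary Python objects, it does not validate content, so if any `network_config` value is later interpolated into the `os.system(...)` shell strings of the kind visible here (that use is outside the hunk), it still needs `pipes.quote` or a `subprocess` argument list. The `if __name__ == "__main__":` block continues past the end of the hunk.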
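Review bot: `datas = yaml.safe_load(open(file))` leaks one file descriptor per iteration of `for file in file_list`, which matters when the list is long; `with open(file) as fh:` followed by `datas = yaml.safe_load(fh)` closes each one before the next is opened. The loop variable `file` also shadows the Python 2 builtin, though that predates this change. `get_packages_name_list`'s body continues past the end of the hunk.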
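Review bot: The bare `except:` after the changed line swallows every exception, including `KeyboardInterrupt`, and returns `None` for malformed YAML exactly as for an empty file, so a validation helper's callers cannot distinguish a broken file from an empty one; `except yaml.YAMLError:` narrows it to parse errors while still printing the traceback. This `load_file` duplicates the one in `deploy/opera_adapter.py` line for line, so the two could share a single implementation.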