Replace yaml.load() with yaml.safe_load()

Avoid dangerous file parsing and object serialization libraries.
yaml.load is the obvious function to use, but it is dangerous [1],
because yaml.load returns Python objects, which may be dangerous if you
receive a YAML document from an untrusted source such as the Internet.
The function yaml.safe_load limits this ability to simple Python
objects like integers or lists.

In addition, Bandit flags yaml.load() as a security risk, so replace
all occurrences with yaml.safe_load(). Thus I replace yaml.load()
with yaml.safe_load().

[1] https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

Change-Id: I4b554fa20c2391a0f7a11fd5d6f5f944f0de2d03
(cherry picked from commit ebe583f558a347800e55d7f4832fc2bc497bee60)
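The commit message points to Bandit flagging yaml.load(). As an added example (not part of this commit, of PyYAML or of Bandit), the following stdlib-only check approximates what such a linter looks for: calls to yaml.load()/yaml.load_all() that run without a Loader argument, or with a loader that is not one of the safe ones. The function name find_unsafe_yaml_loads and the SAMPLE source it scans are constructed for this example.

```python
"""Find yaml.load()/yaml.load_all() calls that run without a safe Loader.

Added example, not code from the commit or from Bandit: a small stdlib-only
approximation of a yaml.load linter check, applied to constructed sample
source so it runs offline.
"""
import ast

# Loaders that build only plain data (no Python-specific tags).
# FullLoader is left out on purpose: it still constructs some Python
# objects, so this example treats only the loaders below as safe.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
UNSAFE_FUNCS = {"load", "load_all"}


def _loader_name(call):
    """Return the loader's attribute/name given to a load() call, or None."""
    node = None
    for kw in call.keywords:
        if kw.arg == "Loader":
            node = kw.value
    if node is None and len(call.args) >= 2:   # Loader passed positionally
        node = call.args[1]
    if node is None:
        return None
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return "<expr>"


def find_unsafe_yaml_loads(source):
    """Return sorted [(lineno, message)] for risky yaml.load/load_all calls."""
    tree = ast.parse(source)
    yaml_aliases = set()   # names bound to the yaml module
    bare_funcs = set()     # names bound directly to yaml.load / load_all
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name == "yaml":
                    yaml_aliases.add(a.asname or "yaml")
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for a in node.names:
                if a.name in UNSAFE_FUNCS:
                    bare_funcs.add(a.asname or a.name)

    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id in yaml_aliases and f.attr in UNSAFE_FUNCS):
            name = "yaml." + f.attr
        elif isinstance(f, ast.Name) and f.id in bare_funcs:
            name = f.id
        else:
            continue
        loader = _loader_name(node)
        if loader is None:
            findings.append((node.lineno,
                             name + "() without Loader=; use yaml.safe_load()"))
        elif loader not in SAFE_LOADERS:
            findings.append((node.lineno,
                             name + "() with Loader=" + loader + "; use yaml.safe_load()"))
    return sorted(findings)


# Constructed sample source for the check (not from the commit).
SAMPLE = '''\
import yaml
from yaml import load as yload

def a(f):
    return yaml.load(f)                          # flagged: no Loader

def b(f):
    return yaml.load(f, Loader=yaml.SafeLoader)  # ok

def c(f):
    return yaml.safe_load(f)                     # ok

def d(f):
    return yload(f, Loader=yaml.UnsafeLoader)    # flagged: unsafe loader
'''

if __name__ == "__main__":
    for lineno, msg in find_unsafe_yaml_loads(SAMPLE):
        print("line %d: %s" % (lineno, msg))
```

Running the block prints findings for lines 5 and 14 of SAMPLE only; the safe_load() call and the SafeLoader call pass, which is the outcome this commit's change aims for.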
Nam Nguyen Hoai 2017-01-18 14:04:11 +07:00 committed by Aleksandr Dobdin
parent 47290dfd04
commit abecc76477


@ -255,7 +255,7 @@ def load_yaml_file(filename):
"""
try:
with open(filename, 'r') as f:
return yaml.load(f)
return yaml.safe_load(f)
except IOError as e:
logger.critical("I/O error(%s): file: %s; msg: %s" %
(e.errno, e.filename, e.strerror))
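Review bot: The try/except around the replaced call still catches only IOError; yaml.safe_load(f) raises yaml.YAMLError (not IOError) on a malformed file, so a bad YAML document still propagates uncaught out of load_yaml_file(). Consider catching yaml.YAMLError alongside IOError so a malformed file is logged with the same critical message instead of crashing the caller.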