[libvirt] [jenkins-ci PATCH] lcitool: use yaml.safe_load instead of load

Daniel P. Berrangé posted 1 patch 2 weeks ago
Failed in applying to current master
guests/lcitool | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)


Posted by Daniel P. Berrangé 2 weeks ago
The yaml.load() method is historically unsafe as it allowed for
arbitrary code execution:

./lcitool:323: YAMLLoadWarning: calling yaml.load() without
 Loader=... is deprecated, as the default Loader is unsafe.
 Please read https://msg.pyyaml.org/load for full details.

PyYAML >= 5.1 is now safe by default, but has none the less
deprecated the plain load() method to avoid risk for people
running their app on older versions. For our needs safe_load()
suffices and is compatible with RHEL-7.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 guests/lcitool | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/guests/lcitool b/guests/lcitool
index 1c18b5a..30b6430 100755
--- a/guests/lcitool
+++ b/guests/lcitool
@@ -257,7 +257,7 @@ class Inventory:
     @staticmethod
     def _add_facts_from_file(facts, yaml_path):
         with open(yaml_path, "r") as infile:
-            some_facts = yaml.load(infile)
+            some_facts = yaml.safe_load(infile)
             for fact in some_facts:
                 facts[fact] = some_facts[fact]
 
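Review bot: `yaml.safe_load()` returns None for an empty facts file, so the unchanged `for fact in some_facts:` loop directly below the changed line would raise a TypeError on such a file; `some_facts = yaml.safe_load(infile) or {}` keeps the loop safe if empty fact files are possible. The substitution itself is the right fix: these files carry plain key/value data, so the full loader's ability to construct arbitrary Python objects from tagged nodes was never needed here.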
@@ -301,7 +301,7 @@ class Projects:
 
         try:
             with open(mappings_path, "r") as infile:
-                mappings = yaml.load(infile)
+                mappings = yaml.safe_load(infile)
                 self._mappings = mappings["mappings"]
         except Exception as ex:
             raise Exception("Can't load mappings: {}".format(ex))
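Review bot: the `except Exception as ex: raise Exception(...)` wrapped around the changed line discards the original exception type and traceback. With `safe_load()` a malformed file raises `yaml.YAMLError` and a missing top-level `mappings` key raises KeyError; both are easier to diagnose if re-raised as `raise Exception("Can't load mappings: {}".format(ex)) from ex`, or if the handler catches `(OSError, yaml.YAMLError, KeyError)` rather than every exception.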
@@ -320,7 +320,7 @@ class Projects:
 
             try:
                 with open(yaml_path, "r") as infile:
-                    packages = yaml.load(infile)
+                    packages = yaml.safe_load(infile)
                     self._packages[project] = packages["packages"]
             except Exception as ex:
                 raise Exception(
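Review bot: this is the third copy of the same `open()` plus `yaml.safe_load()` pair in the file; a small shared `_load_yaml(path)` helper used by all three call sites would leave a single place to audit and make any later reappearance of `yaml.load()` obvious in review. The visible context is cut off at `raise Exception(`, but the changed line is a direct substitution and needs nothing further.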
-- 
2.21.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
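As an added illustration (not part of the patch or of lcitool itself), the helper below shows the two behaviours the commit message relies on: `safe_load()` refuses documents carrying language-specific `!!python/...` tags instead of constructing objects from them, and it returns None for an empty file, which a loop like the patched `for fact in some_facts:` would not tolerate. The helper name and the sample inputs are assumptions.

```python
import io
import yaml  # PyYAML; safe_load() exists in the 3.x series as well as >= 5.1


def load_yaml_mapping(stream):
    """Parse YAML from an open file or stream with the safe loader.

    Only plain data (mappings, lists, scalars) is built; a document with a
    language-specific tag such as !!python/... is rejected with
    yaml.YAMLError rather than instantiated.  An empty document yields {}
    instead of None so callers can iterate the result, and a non-mapping
    top level is reported as an error.
    """
    data = yaml.safe_load(stream)
    if data is None:
        return {}
    if not isinstance(data, dict):
        raise ValueError("expected a mapping at top level, got {}".format(
            type(data).__name__))
    return data


def try_load(text):
    """Return ("ok", data) or ("rejected", exception class name)."""
    try:
        return "ok", load_yaml_mapping(io.StringIO(text))
    except (yaml.YAMLError, ValueError) as ex:
        return "rejected", type(ex).__name__


# Constructed sample inputs modelled on lcitool's facts/mappings files
# (assumed content, not taken from the project).
PLAIN_FACTS = "os_name: Fedora\nos_version: '30'\n"
EMPTY_FILE = ""
TAGGED_DOC = "value: !!python/tuple [1, 2]\n"   # harmless tag, still refused
LIST_TOP = "- just\n- a list\n"

if __name__ == "__main__":
    for label, text in [("plain", PLAIN_FACTS), ("empty", EMPTY_FILE),
                        ("tagged", TAGGED_DOC), ("list", LIST_TOP)]:
        print(label, try_load(text))
```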

Re: [libvirt] [jenkins-ci PATCH] lcitool: use yaml.safe_load instead of load

Posted by Andrea Bolognani 2 weeks ago
On Fri, 2019-05-03 at 11:03 +0100, Daniel P. Berrangé wrote:
> The yaml.load() method is historically unsafe as it allowed for
> arbitrary code execution:
> 
> ./lcitool:323: YAMLLoadWarning: calling yaml.load() without
>  Loader=... is deprecated, as the default Loader is unsafe.
>  Please read https://msg.pyyaml.org/load for full details.
> 
> PyYAML >= 5.1 is now safe by default, but has none the less
> deprecated the plain load() method to avoid risk for people
> running their app on older versions. For our needs safe_load()
> suffices and is compatible with RHEL-7.
> 
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>  guests/lcitool | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)

Reviewed-by: Andrea Bolognani <abologna@redhat.com>

-- 
Andrea Bolognani / Red Hat / Virtualization
