From nobody Thu Apr 25 18:07:49 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1556877792; cv=none; d=zoho.com; s=zohoarc; b=c8783sFQuy7FZVYNzuQ3eTGlmnZPC9hrpB3Y40hNDwuT4uFxo1RixUscaMJT+FJ2KwjsggP0/xapDp1PH2s8KTnyj8qnPjXHXOzFE5nAP+kalkxPwtHpMjYlcqxVl/oK3bBZC0D3ZTP/eTFTSFL82J9D1TQKlmNaDEMq8hiTev0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1556877792; h=Content-Type:Content-Transfer-Encoding:Date:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:To:ARC-Authentication-Results; bh=bW7XT9Eesw76eieZQ2VOqM2IFsoDouLKu17xrtRbreE=; b=GP/CJPHEGfE7sAXoQCpjBpe1GX9ZD5jfxfnJNZoYDRYdYUuG7/p5BtFlqLgpeXQzvKuDylOLMxR3sU1unFUipXAPX8t3G89amgzL9kfyLndpNdvBX4LdYP4QcgyIks6sqOV1cYm9assmufF2pYcsn5P+Ddyy3RfTNKXdeS0KU/I= ARC-Authentication-Results: i=1; mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) header.from= Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1556877792085107.00840226308333; Fri, 3 May 2019 03:03:12 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 20F3AA96F1; Fri, 3 May 2019 10:03:10 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id EA0591001DD9; Fri, 3 May 2019 10:03:09 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 8A4C318089CB; Fri, 3 May 2019 10:03:09 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id x43A38Mk015662 for ; Fri, 3 May 2019 06:03:08 -0400 Received: by smtp.corp.redhat.com (Postfix) id 2A99C18EE5; Fri, 3 May 2019 10:03:08 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-112-52.ams2.redhat.com [10.36.112.52]) by smtp.corp.redhat.com (Postfix) with ESMTP id 5840150F53; Fri, 3 May 2019 10:03:04 +0000 (UTC) From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: libvir-list@redhat.com Date: Fri, 3 May 2019 11:03:02 +0100 Message-Id: <20190503100302.20277-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-loop: libvir-list@redhat.com Subject: [libvirt] [jenkins-ci PATCH] lcitool: use yaml.safe_load instead of load X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Fri, 03 May 2019 10:03:10 +0000 (UTC) The yaml.load() method is historically unsafe as it allowed for arbitrary code execution: ./lcitool:323: YAMLLoadWarning: calling yaml.load() without Loader=3D... is deprecated, as the default Loader is unsafe. Please read https://msg.pyyaml.org/load for full details. The PyYAML >=3D 5.1 is now safe by default, but has none the less deprecated the plain load() method to avoid risk for people running their app on older versions. For our needs safe_load() suffices and is compatible with RHEL-7 Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Andrea Bolognani --- guests/lcitool | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/guests/lcitool b/guests/lcitool index 1c18b5a..30b6430 100755 --- a/guests/lcitool +++ b/guests/lcitool @@ -257,7 +257,7 @@ class Inventory: @staticmethod def _add_facts_from_file(facts, yaml_path): with open(yaml_path, "r") as infile: - some_facts =3D yaml.load(infile) + some_facts =3D yaml.safe_load(infile) for fact in some_facts: facts[fact] =3D some_facts[fact] =20 @@ -301,7 +301,7 @@ class Projects: =20 try: with open(mappings_path, "r") as infile: - mappings =3D yaml.load(infile) + mappings =3D yaml.safe_load(infile) self._mappings =3D mappings["mappings"] except Exception as ex: raise Exception("Can't load mappings: {}".format(ex)) @@ -320,7 +320,7 @@ class Projects: =20 try: with open(yaml_path, "r") as infile: - packages =3D yaml.load(infile) + packages =3D yaml.safe_load(infile) self._packages[project] =3D packages["packages"] except Exception as ex: raise Exception( --=20 2.21.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list