Use yaml.safe_load() instead of yaml.load()
yaml.load() can construct arbitrary Python objects, which may be
dangerous. yaml.safe_load() restricts this to simple Python objects
such as integers or lists.
ref: https://en.wikipedia.org/wiki/YAML#Security
Change-Id: I9c28c25f4265fb691d39e72e20ef9c99f5538bf5
diff --git a/functional/test_aws_stack.py b/functional/test_aws_stack.py
index 678ce7e..5fbe24f 100644
--- a/functional/test_aws_stack.py
+++ b/functional/test_aws_stack.py
@@ -115,7 +115,7 @@
def test_nested_stack_create_with_timeout(self):
url = self.publish_template(self.nested_template)
self.template = self.test_template.replace('the.yaml', url)
- timeout_template = yaml.load(self.template)
+ timeout_template = yaml.safe_load(self.template)
props = timeout_template['Resources']['the_nested']['Properties']
props['TimeoutInMinutes'] = '50'
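Review bot: The new `yaml.safe_load(self.template)` call on the added line is the right loader for a string that is assembled at runtime from a fixture plus a published URL, but the commit does not note the one behavioural difference it introduces: SafeLoader refuses any Python-specific tag (e.g. `!!python/object`) that the default loader would have constructed, so a fixture template relying on such a tag would now raise a constructor error rather than silently instantiating an object. That is the intended effect, and plain HOT/CFN YAML is unaffected, but it is worth confirming against `self.test_template` and `self.update_template`, whose contents are not visible here. The same substitution is made in the hunks at lines 142, 163 and 180; a quick search for any remaining `yaml.load(` in this file outside these four hunks would confirm the change is complete. `test_nested_stack_create_with_timeout` continues past the end of this hunk, and the enclosing functions of the three later hunks start outside their hunks.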
@@ -142,7 +142,7 @@
}
},
"environment": {"parameters": {}},
- "template": yaml.load(self.template)
+ "template": yaml.safe_load(self.template)
}
stack_identifier = self.stack_adopt(adopt_data=json.dumps(adopt_data))
@@ -163,7 +163,7 @@
}
},
"environment": {"parameters": {}},
- "template": yaml.load(self.template)
+ "template": yaml.safe_load(self.template)
}
stack_identifier = self.stack_adopt(adopt_data=json.dumps(adopt_data),
@@ -180,7 +180,7 @@
stack = self.client.stacks.get(stack_identifier)
self.assertEqual('bar', self._stack_output(stack, 'output_foo'))
- new_template = yaml.load(self.template)
+ new_template = yaml.safe_load(self.template)
props = new_template['Resources']['the_nested']['Properties']
props['TemplateURL'] = self.publish_template(self.update_template,
cleanup=False)