Replaces yaml.load() with yaml.safe_load()
yaml.load() can return arbitrary Python objects, which may be
dangerous if you receive a YAML document from an untrusted source
such as the Internet. The function yaml.safe_load() limits this
ability to simple Python objects like integers or lists.
Reference:
https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html
Change-Id: I85c5a4e17bc79c62d946a1dd0c9e85b527961926
Partial-Bug: #1634265
diff --git a/tempest/cmd/workspace.py b/tempest/cmd/workspace.py
index 3c58648..d2dc00d 100644
--- a/tempest/cmd/workspace.py
+++ b/tempest/cmd/workspace.py
@@ -151,7 +151,7 @@
if not os.path.isfile(self.path):
return
with open(self.path, 'r') as f:
- self.workspaces = yaml.load(f) or {}
+ self.workspaces = yaml.safe_load(f) or {}
class TempestWorkspace(command.Command):
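Review bot: `yaml.safe_load(f)` refuses Python-specific tags such as `!!python/unicode`, so this read only works if whatever writes `self.path` emits plain YAML. The writer is outside the hunk; if it calls `yaml.dump`, an existing workspace file could now raise `yaml.constructor.ConstructorError` here, and changing it to `yaml.safe_dump(self.workspaces, ...)` would keep the read and write sides consistent. A one-line comment above the load, for example `# safe_load: the workspace file is plain data and must never instantiate Python objects`, would also discourage a later revert to `yaml.load`. The enclosing method starts above the hunk.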
diff --git a/tempest/common/preprov_creds.py b/tempest/common/preprov_creds.py
index 6a95588..a92d16a 100644
--- a/tempest/common/preprov_creds.py
+++ b/tempest/common/preprov_creds.py
@@ -33,7 +33,7 @@
def read_accounts_yaml(path):
try:
with open(path, 'r') as yaml_file:
- accounts = yaml.load(yaml_file)
+ accounts = yaml.safe_load(yaml_file)
except IOError:
raise lib_exc.InvalidConfiguration(
'The path for the test accounts file: %s '
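Review bot: The `try` in `read_accounts_yaml` still catches only `IOError`, so a malformed accounts file, or one carrying a Python-specific tag that `yaml.safe_load` now rejects, escapes as a raw `yaml.YAMLError` rather than `lib_exc.InvalidConfiguration`. A second handler would report it cleanly: `except yaml.YAMLError:` followed by `raise lib_exc.InvalidConfiguration('The test accounts file %s is not valid YAML' % path)`. The message should name only the path and not the parser error text, since this file presumably holds credentials that should not reach logs. The function body continues past the end of the hunk.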