Use safe loader for Yaml

This fixes the security vulnerabilities for example - it raises an exception when opening a yaml file with code. Fixes https://github.com/redhat-chaos/krkn/issues/352
2026-04-15 06:57:28 +00:00 · 2022-11-08 13:01:37 -05:00
parent 1c4a51cbfa
commit b9d5a7af4d
2 changed files with 2 additions and 2 deletions
--- a/kraken/node_actions/az_node_scenarios.py
+++ b/kraken/node_actions/az_node_scenarios.py
@@ -17,7 +17,7 @@ class Azure:
        credentials = DefaultAzureCredential()
        logging.info("credential " + str(credentials))
        az_account = runcommand.invoke("az account list -o yaml")
-        az_account_yaml = yaml.load(az_account, Loader=yaml.FullLoader)
+        az_account_yaml = yaml.safe_load(az_account, Loader=yaml.FullLoader)
        subscription_id = az_account_yaml[0]["id"]
        self.compute_client = ComputeManagementClient(credentials, subscription_id)

--- a/scenarios/openshift/post_action_shut_down.py
+++ b/scenarios/openshift/post_action_shut_down.py
@@ -20,7 +20,7 @@ def run(cmd):
 # Get cluster operators and return yaml
 def get_cluster_operators():
    operators_status = run("kubectl get co -o yaml")
-    status_yaml = yaml.load(operators_status, Loader=yaml.FullLoader)
+    status_yaml = yaml.safe_load(operators_status, Loader=yaml.FullLoader)
    return status_yaml