From b9d5a7af4d3378aa0094d51eca73201bb345711e Mon Sep 17 00:00:00 2001
From: Naga Ravi Chaitanya Elluri
Date: Tue, 8 Nov 2022 13:01:37 -0500
Subject: [PATCH] Use safe loader for Yaml

This fixes the security vulnerabilities for example - it raises an exception when opening a yaml file with code.

Fixes https://github.com/redhat-chaos/krkn/issues/352
---
 kraken/node_actions/az_node_scenarios.py | 2 +-
 scenarios/openshift/post_action_shut_down.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/kraken/node_actions/az_node_scenarios.py b/kraken/node_actions/az_node_scenarios.py
index 23067eed..fa6b945c 100644
--- a/kraken/node_actions/az_node_scenarios.py
+++ b/kraken/node_actions/az_node_scenarios.py
@@ -17,7 +17,7 @@ class Azure:
         credentials = DefaultAzureCredential()
         logging.info("credential " + str(credentials))
         az_account = runcommand.invoke("az account list -o yaml")
-        az_account_yaml = yaml.load(az_account, Loader=yaml.FullLoader)
+        az_account_yaml = yaml.safe_load(az_account, Loader=yaml.FullLoader)
         subscription_id = az_account_yaml[0]["id"]
         self.compute_client = ComputeManagementClient(credentials, subscription_id)
diff --git a/scenarios/openshift/post_action_shut_down.py b/scenarios/openshift/post_action_shut_down.py
index a652ecd5..a8ec7e78 100644
--- a/scenarios/openshift/post_action_shut_down.py
+++ b/scenarios/openshift/post_action_shut_down.py
@@ -20,7 +20,7 @@ def run(cmd):
 # Get cluster operators and return yaml
 def get_cluster_operators():
     operators_status = run("kubectl get co -o yaml")
-    status_yaml = yaml.load(operators_status, Loader=yaml.FullLoader)
+    status_yaml = yaml.safe_load(operators_status, Loader=yaml.FullLoader)
     return status_yaml
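Review bot: The added line in az_node_scenarios.py keeps the `Loader=yaml.FullLoader` keyword while switching to `yaml.safe_load`, but PyYAML's `safe_load(stream)` takes only the stream and always uses `SafeLoader`, so this call raises `TypeError` on every invocation; the same defect is in the added line of post_action_shut_down.py. The call should be `az_account_yaml = yaml.safe_load(az_account)` and, in the second hunk, `status_yaml = yaml.safe_load(operators_status)`. Keeping `FullLoader` would also defeat the intent of the commit, since `FullLoader` still resolves more tags than `SafeLoader` does on untrusted input. The enclosing method of the first hunk begins before the hunk (its signature is not visible here); `get_cluster_operators` in the second hunk is shown in full.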