Fixing LCM vulnerabilities
Change-Id: I0b0c5975ce6f3088df19e8facb28f946658378a5
Signed-off-by: Luis <lvega@whitestack.com>
diff --git a/osm_lcm/ROclient.py b/osm_lcm/ROclient.py
index 32dd1bf..e3cb7f7 100644
--- a/osm_lcm/ROclient.py
+++ b/osm_lcm/ROclient.py
@@ -190,7 +190,7 @@
)
if descriptor_format != "json":
try:
- return yaml.load(descriptor)
+ return yaml.safe_load(descriptor)
except yaml.YAMLError as exc:
error_pos = ""
if hasattr(exc, "problem_mark"):
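Review bot: The switch to `yaml.safe_load` changes what the `except yaml.YAMLError` branch below receives, and that deserves a comment: a descriptor carrying a non-standard tag now fails inside the loader with `yaml.constructor.ConstructorError` (a `YAMLError` subclass) and is reported through the existing `error_pos` path instead of being constructed, so a one-line note such as `# safe_load: plain YAML types only; tagged objects raise ConstructorError (a YAMLError)` above the call would record why the loader must not be relaxed again. The same applies to the `_parse_yaml` hunk at @@ -222 in this file. The enclosing function starts outside the hunk.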
@@ -214,7 +214,7 @@
def _parse_error_yaml(descriptor):
json_error = None
try:
- json_error = yaml.load(descriptor, Loader=yaml.Loader)
+ json_error = yaml.safe_load(descriptor)
return json_error["error"]["description"]
except Exception:
return str(json_error or descriptor)
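Review bot: With `safe_load`, a response body that carries an unsafe tag now raises `ConstructorError`, and the `except Exception:` swallows it together with any `KeyError`/`TypeError` from the `["error"]["description"]` lookup; since `json_error` is still `None` at that point the function returns the raw descriptor text and the rejection is indistinguishable from a plain non-YAML body. Narrowing it to `except (yaml.YAMLError, KeyError, TypeError):` keeps the best-effort fallback while letting a genuinely unexpected error surface. A debug-level log of the caught exception in that branch would make a silently mis-parsed RO error response diagnosable.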
@@ -222,7 +222,7 @@
@staticmethod
def _parse_yaml(descriptor, response=False):
try:
- return yaml.load(descriptor, Loader=yaml.Loader)
+ return yaml.safe_load(descriptor)
except yaml.YAMLError as exc:
error_pos = ""
if hasattr(exc, "problem_mark"):
diff --git a/osm_lcm/lcm.py b/osm_lcm/lcm.py
index 5f630b2..8932d89 100644
--- a/osm_lcm/lcm.py
+++ b/osm_lcm/lcm.py
@@ -759,7 +759,7 @@
try:
# read file as yaml format
with open(config_file) as f:
- conf = yaml.load(f, Loader=yaml.Loader)
+ conf = yaml.safe_load(f)
# Ensure all sections are not empty
for k in (
"global",
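Review bot: `yaml.safe_load(f)` returns `None` for an empty or comment-only config file, and the section loop that follows presumably subscripts `conf`, so a blank file would surface as a `TypeError`/`AttributeError` rather than a clear message; a guard such as `if not isinstance(conf, dict): raise ValueError(f"{config_file}: expected a YAML mapping at top level")` right after the load would make that explicit. `open(config_file)` also relies on the locale encoding; `open(config_file, encoding="utf-8")` pins it. The surrounding try block and its except clause continue outside the hunk.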
diff --git a/osm_lcm/ns.py b/osm_lcm/ns.py
index 2b0f56e..4640348 100644
--- a/osm_lcm/ns.py
+++ b/osm_lcm/ns.py
@@ -414,7 +414,7 @@
@staticmethod
def _parse_cloud_init(cloud_init_text, additional_params, vnfd_id, vdu_id):
try:
- env = Environment(undefined=StrictUndefined)
+ env = Environment(undefined=StrictUndefined, autoescape=True)
template = env.from_string(cloud_init_text)
return template.render(additional_params or {})
except UndefinedError as e:
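Review bot: `autoescape=True` is the wrong control here: the rendered output is cloud-init text, not HTML, so Jinja's autoescape will rewrite `&`, `<`, `>`, `"` and `'` inside every value taken from `additional_params` into HTML entities, which corrupts any password, shell snippet or quoted string passed through the parameters. This looks like a response to a linter rule about Jinja environments, which targets HTML/XML output; for this template the setting should stay off with the reason recorded, e.g. `# cloud-init output is not HTML: autoescape would entity-encode parameter values` followed by `env = Environment(undefined=StrictUndefined, autoescape=False)`. If the concern is that `cloud_init_text` itself is not fully trusted, the relevant hardening is `jinja2.sandbox.SandboxedEnvironment`, which restricts what the template source may reach, independent of escaping. `_parse_cloud_init` continues past the hunk.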