Fix security bug: Deserialization of Untrusted Data

author David Garcia <david.garcia@canonical.com>

Tue, 31 May 2022 09:01:09 +0000 (11:01 +0200)

committer David Garcia <david.garcia@canonical.com>

Tue, 31 May 2022 09:01:09 +0000 (11:01 +0200)
author David Garcia <david.garcia@canonical.com>
Tue, 31 May 2022 09:01:09 +0000 (11:01 +0200)
committer David Garcia <david.garcia@canonical.com>
Tue, 31 May 2022 09:01:09 +0000 (11:01 +0200)
diff --git a/n2vc/k8s_helm_base_conn.py b/n2vc/k8s_helm_base_conn.py

index 952630a..d446b9b 100644 (file)
--- a/n2vc/k8s_helm_base_conn.py
+++ b/n2vc/k8s_helm_base_conn.py
@@ -1888,7 +1888,7 @@ class K8sHelmBaseConnector(K8sConnector):
              for key in params:
                  value = params.get(key)
                  if "!!yaml" in str(value):
-                    value = yaml.load(value[7:])
+                    value = yaml.safe_load(value[7:])
                  params2[key] = value
  
              values_file = get_random_number() + ".yaml"
author	David Garcia <david.garcia@canonical.com>
	Tue, 31 May 2022 09:01:09 +0000 (11:01 +0200)
committer	David Garcia <david.garcia@canonical.com>
	Tue, 31 May 2022 09:01:09 +0000 (11:01 +0200)