From: David Garcia <david.garcia@canonical.com>
Date: Tue, 31 May 2022 09:01:09 +0000 (+0200)
Subject: Fix security bug: Deserialization of Untrusted Data
X-Git-Tag: v12.0.0rc1~12
X-Git-Url: https://osm.etsi.org/gitweb/?a=commitdiff_plain;ds=sidebyside;h=refs%2Fchanges%2F46%2F12146%2F1;hp=5832638ae4b3f768c6b5442a3ecbdd0ac3d5c822;p=osm%2FN2VC.git

Fix security bug: Deserialization of Untrusted Data

Change-Id: I6228e249bdb0acf6f18924910fbb7105fc519eb4
Signed-off-by: David Garcia <david.garcia@canonical.com>
---

diff --git a/n2vc/k8s_helm_base_conn.py b/n2vc/k8s_helm_base_conn.py
index 952630a..d446b9b 100644
--- a/n2vc/k8s_helm_base_conn.py
+++ b/n2vc/k8s_helm_base_conn.py
@@ -1888,7 +1888,7 @@ class K8sHelmBaseConnector(K8sConnector):
             for key in params:
                 value = params.get(key)
                 if "!!yaml" in str(value):
-                    value = yaml.load(value[7:])
+                    value = yaml.safe_load(value[7:])
                 params2[key] = value
 
             values_file = get_random_number() + ".yaml"