From: Luis <lvega@whitestack.com>
Date: Fri, 1 Jul 2022 14:35:49 +0000 (+0000)
Subject: Fixing LCM vulnerabilities
X-Git-Tag: release-v13.0-start~21
X-Git-Url: https://osm.etsi.org/gitweb/?a=commitdiff_plain;h=refs%2Fchanges%2F94%2F12294%2F4;p=osm%2FLCM.git

Fixing LCM vulnerabilities

Change-Id: I0b0c5975ce6f3088df19e8facb28f946658378a5
Signed-off-by: Luis <lvega@whitestack.com>
---

diff --git a/osm_lcm/ROclient.py b/osm_lcm/ROclient.py
index 32dd1bf..e3cb7f7 100644
--- a/osm_lcm/ROclient.py
+++ b/osm_lcm/ROclient.py
@@ -190,7 +190,7 @@ class ROClient:
             )
         if descriptor_format != "json":
             try:
-                return yaml.load(descriptor)
+                return yaml.safe_load(descriptor)
             except yaml.YAMLError as exc:
                 error_pos = ""
                 if hasattr(exc, "problem_mark"):
@@ -214,7 +214,7 @@ class ROClient:
     def _parse_error_yaml(descriptor):
         json_error = None
         try:
-            json_error = yaml.load(descriptor, Loader=yaml.Loader)
+            json_error = yaml.safe_load(descriptor)
             return json_error["error"]["description"]
         except Exception:
             return str(json_error or descriptor)
@@ -222,7 +222,7 @@ class ROClient:
     @staticmethod
     def _parse_yaml(descriptor, response=False):
         try:
-            return yaml.load(descriptor, Loader=yaml.Loader)
+            return yaml.safe_load(descriptor)
         except yaml.YAMLError as exc:
             error_pos = ""
             if hasattr(exc, "problem_mark"):
diff --git a/osm_lcm/lcm.py b/osm_lcm/lcm.py
index 5f630b2..8932d89 100644
--- a/osm_lcm/lcm.py
+++ b/osm_lcm/lcm.py
@@ -759,7 +759,7 @@ class Lcm:
         try:
             # read file as yaml format
             with open(config_file) as f:
-                conf = yaml.load(f, Loader=yaml.Loader)
+                conf = yaml.safe_load(f)
             # Ensure all sections are not empty
             for k in (
                 "global",
diff --git a/osm_lcm/ns.py b/osm_lcm/ns.py
index 2b0f56e..4640348 100644
--- a/osm_lcm/ns.py
+++ b/osm_lcm/ns.py
@@ -414,7 +414,7 @@ class NsLcm(LcmBase):
     @staticmethod
     def _parse_cloud_init(cloud_init_text, additional_params, vnfd_id, vdu_id):
         try:
-            env = Environment(undefined=StrictUndefined)
+            env = Environment(undefined=StrictUndefined, autoescape=True)
             template = env.from_string(cloud_init_text)
             return template.render(additional_params or {})
         except UndefinedError as e: