From: Luis
Date: Fri, 1 Jul 2022 14:35:49 +0000 (+0000)
Subject: Fixing LCM vulnerabilities
X-Git-Tag: release-v13.0-start~21
X-Git-Url: https://osm.etsi.org/gitweb/?a=commitdiff_plain;h=refs%2Fchanges%2F94%2F12294%2F4;p=osm%2FLCM.git

Fixing LCM vulnerabilities

Change-Id: I0b0c5975ce6f3088df19e8facb28f946658378a5
Signed-off-by: Luis
---
diff --git a/osm_lcm/ROclient.py b/osm_lcm/ROclient.py
index 32dd1bf..e3cb7f7 100644
--- a/osm_lcm/ROclient.py
+++ b/osm_lcm/ROclient.py
@@ -190,7 +190,7 @@ class ROClient:
)
if descriptor_format != "json":
try:
- return yaml.load(descriptor)
+ return yaml.safe_load(descriptor)
except yaml.YAMLError as exc:
error_pos = ""
if hasattr(exc, "problem_mark"):
@@ -214,7 +214,7 @@ class ROClient:
def _parse_error_yaml(descriptor):
json_error = None
try:
- json_error = yaml.load(descriptor, Loader=yaml.Loader)
+ json_error = yaml.safe_load(descriptor)
return json_error["error"]["description"]
except Exception:
return str(json_error or descriptor)
@@ -222,7 +222,7 @@ class ROClient:
@staticmethod
def _parse_yaml(descriptor, response=False):
try:
- return yaml.load(descriptor, Loader=yaml.Loader)
+ return yaml.safe_load(descriptor)
except yaml.YAMLError as exc:
error_pos = ""
if hasattr(exc, "problem_mark"):
diff --git a/osm_lcm/lcm.py b/osm_lcm/lcm.py
index 5f630b2..8932d89 100644
--- a/osm_lcm/lcm.py
+++ b/osm_lcm/lcm.py
@@ -759,7 +759,7 @@ class Lcm:
try:
# read file as yaml format
with open(config_file) as f:
- conf = yaml.load(f, Loader=yaml.Loader)
+ conf = yaml.safe_load(f)
# Ensure all sections are not empty
for k in (
"global",
diff --git a/osm_lcm/ns.py b/osm_lcm/ns.py
index 2b0f56e..4640348 100644
--- a/osm_lcm/ns.py
+++ b/osm_lcm/ns.py
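Review bot: `yaml.safe_load(descriptor)` at line 190 returns `None` for an empty or comment-only descriptor without raising, so the `except yaml.YAMLError` branch that follows never sees that case and the caller receives `None` where it presumably expects a mapping; the same holds for `_parse_yaml` in the hunk at line 222. Whether `return yaml.safe_load(descriptor) or {}` is the right guard depends on callers I cannot see from the hunk, so confirm they tolerate an empty mapping before changing it. Moving to the safe loader is the right call if `descriptor` is a response body from the RO service, as the class name suggests. The enclosing function starts and ends outside the hunk.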
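Review bot: `except Exception:` in `_parse_error_yaml` is wider than what the two statements in the `try` can raise — `yaml.YAMLError` from the parse and `KeyError`/`TypeError` from indexing `["error"]["description"]` when the body is not a mapping — and it would also hide a programming error in this block; `except (yaml.YAMLError, KeyError, TypeError):` keeps the best-effort fallback to `str(json_error or descriptor)` without masking everything else (add `AttributeError` if `descriptor` can be something other than text, which the hunk does not show). The function has no docstring; a one-liner such as `"""Best-effort: return error.description from a YAML/JSON error body, else the raw text."""` would state the contract.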
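Review bot: Three sites in this file now spell out the same safe parse — the inline `yaml.safe_load(descriptor)` at line 190, `_parse_error_yaml` at line 214 and `_parse_yaml` here — and the line-190 site repeats the `except yaml.YAMLError` / `error_pos` / `problem_mark` handling visible under `_parse_yaml`; routing the line-190 call through `_parse_yaml` would leave one place to change if the loader or the error formatting changes again. `_parse_yaml` also lacks a docstring, and the effect of its `response` parameter is not visible in the hunk, so only a hedged form can be proposed: `"""Parse *descriptor* as YAML with the safe loader; YAMLError is reported with its position (response: TODO document)."""`. The handler body continues outside the hunk.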
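Review bot: `conf = yaml.safe_load(f)` yields `None` for an empty config file, and the `# Ensure all sections are not empty` loop that follows (its body is outside the hunk) will then fail on `None` with a `TypeError` or `AttributeError` rather than a message about the configuration; `conf = yaml.safe_load(f) or {}` turns that into the same missing-section path the loop presumably already reports — confirm against the loop body. `open(config_file)` also relies on the locale default encoding; `open(config_file, encoding="utf-8")` makes a config with non-ASCII content behave the same on every host. The enclosing `try` starts before and ends after this hunk.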
@@ -414,7 +414,7 @@ class NsLcm(LcmBase):
@staticmethod
def _parse_cloud_init(cloud_init_text, additional_params, vnfd_id, vdu_id):
try:
- env = Environment(undefined=StrictUndefined)
+ env = Environment(undefined=StrictUndefined, autoescape=True)
template = env.from_string(cloud_init_text)
return template.render(additional_params or {})
except UndefinedError as e:
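Review bot: `autoescape=True` is HTML escaping, and `_parse_cloud_init` renders cloud-init user-data, not HTML: every `&`, `<`, `>`, `"` and `'` in a value from `additional_params` will now come out as an HTML entity (`&amp;`, `&#34;`, `&#39;`), which silently corrupts shell commands, passwords or quoted YAML strings passed through the template. The protection autoescape provides (script injection into an HTML page) does not apply to this output, so the honest form is an explicit `autoescape=False` with a comment saying why, e.g. `env = Environment(undefined=StrictUndefined, autoescape=False)  # output is cloud-init text, not HTML; HTML-escaping would corrupt parameter values`. If the template text itself comes from a VNF package rather than from operators — the `vnfd_id` parameter suggests it might — the relevant hardening is `jinja2.sandbox.SandboxedEnvironment`, which limits what a template may reach on the objects it is given, rather than escaping the output. The body of the `except UndefinedError` handler is outside the hunk.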