From ccdc2163b2f1a328a91aed91c8df223166dba54c Mon Sep 17 00:00:00 2001
From: Luis
Date: Fri, 1 Jul 2022 14:35:49 +0000
Subject: [PATCH] Fixing LCM vulnerabilities

Change-Id: I0b0c5975ce6f3088df19e8facb28f946658378a5
Signed-off-by: Luis
---
 osm_lcm/ROclient.py | 6 +++---
 osm_lcm/lcm.py | 2 +-
 osm_lcm/ns.py | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/osm_lcm/ROclient.py b/osm_lcm/ROclient.py
index 32dd1bf..e3cb7f7 100644
--- a/osm_lcm/ROclient.py
+++ b/osm_lcm/ROclient.py
@@ -190,7 +190,7 @@ class ROClient:
 )
 if descriptor_format != "json":
 try:
- return yaml.load(descriptor)
+ return yaml.safe_load(descriptor)
 except yaml.YAMLError as exc:
 error_pos = ""
 if hasattr(exc, "problem_mark"):
@@ -214,7 +214,7 @@ class ROClient:
 def _parse_error_yaml(descriptor):
 json_error = None
 try:
- json_error = yaml.load(descriptor, Loader=yaml.Loader)
+ json_error = yaml.safe_load(descriptor)
 return json_error["error"]["description"]
 except Exception:
 return str(json_error or descriptor)
@@ -222,7 +222,7 @@ class ROClient:
 @staticmethod
 def _parse_yaml(descriptor, response=False):
 try:
- return yaml.load(descriptor, Loader=yaml.Loader)
+ return yaml.safe_load(descriptor)
 except yaml.YAMLError as exc:
 error_pos = ""
 if hasattr(exc, "problem_mark"):
diff --git a/osm_lcm/lcm.py b/osm_lcm/lcm.py
index 5f630b2..8932d89 100644
--- a/osm_lcm/lcm.py
+++ b/osm_lcm/lcm.py
@@ -759,7 +759,7 @@ class Lcm:
 try:
 # read file as yaml format
 with open(config_file) as f:
- conf = yaml.load(f, Loader=yaml.Loader)
+ conf = yaml.safe_load(f)
 # Ensure all sections are not empty
 for k in (
 "global",
diff --git a/osm_lcm/ns.py b/osm_lcm/ns.py
index 2b0f56e..4640348 100644
--- a/osm_lcm/ns.py
+++ b/osm_lcm/ns.py
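Review bot: `_parse_error_yaml` in this hunk and `_parse_yaml` in the next one (line 222) now both route through `yaml.safe_load`, but neither says what the text is or why the safe loader is the right choice, and the `response` parameter of `_parse_yaml` is not used in the visible lines. Since the descriptor appears to be a body returned by the remote RO service, a short docstring would keep the next maintainer from switching back to a full loader, e.g. `"""Parse text received from RO with yaml.safe_load so that only plain data is built, never Python objects."""` on each function. Both function bodies continue outside their hunks.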
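Review bot: `conf = yaml.safe_load(f)` yields `None` for an empty or comment-only config file, the same as the old loader did, and the section check that starts with `for k in ("global", ...` presumably indexes into `conf`, so an empty file would surface as a TypeError rather than a clear configuration error. A guard on the new line, `conf = yaml.safe_load(f) or {}`, or an explicit type check such as `if not isinstance(conf, dict): raise ...` with a message naming `config_file` before the section loop, keeps the failure actionable. The enclosing try block continues outside the hunk.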
@@ -414,7 +414,7 @@ class NsLcm(LcmBase):
 @staticmethod
 def _parse_cloud_init(cloud_init_text, additional_params, vnfd_id, vdu_id):
 try:
- env = Environment(undefined=StrictUndefined)
+ env = Environment(undefined=StrictUndefined, autoescape=True)
 template = env.from_string(cloud_init_text)
 return template.render(additional_params or {})
 except UndefinedError as e:
-- 
2.25.1
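Review bot: `autoescape=True` on the `Environment` in `_parse_cloud_init` applies HTML/XML escaping to every substituted value, but the template is cloud-init text (YAML and shell fragments, judging by the name), not HTML, so a parameter containing `'`, `"`, `&`, `<` or `>` now renders as `&#39;`, `&#34;`, `&amp;`, `&lt;` or `&gt;` and can silently corrupt the generated user-data. The escaping also does not address injection into cloud-init, because what matters there is how the substituted text is interpreted by YAML and the shell, not by a browser; `StrictUndefined` is the part of this line that actually hardens the render. I would keep the output unescaped and record the reason for the linter, `env = Environment(undefined=StrictUndefined, autoescape=False)  # nosec B701 - output is cloud-init text, not HTML`, and validate the values in `additional_params` where they are accepted. The function's except branch continues outside the hunk.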