Fixing LCM vulnerabilities 10/12410/3
authorLuis <lvega@whitestack.com>
Fri, 1 Jul 2022 14:35:49 +0000 (14:35 +0000)
committercubag <gcuba@whitestack.com>
Wed, 10 Aug 2022 19:01:03 +0000 (21:01 +0200)
Change-Id: I0b0c5975ce6f3088df19e8facb28f946658378a5
Signed-off-by: Luis <lvega@whitestack.com>
(cherry picked from commit ccdc2163b2f1a328a91aed91c8df223166dba54c)

osm_lcm/ROclient.py
osm_lcm/lcm.py
osm_lcm/ns.py

index 32dd1bf..e3cb7f7 100644 (file)
@@ -190,7 +190,7 @@ class ROClient:
             )
         if descriptor_format != "json":
             try:
-                return yaml.load(descriptor)
+                return yaml.safe_load(descriptor)
             except yaml.YAMLError as exc:
                 error_pos = ""
                 if hasattr(exc, "problem_mark"):
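Review bot: The switch to `yaml.safe_load` on line 20 changes which documents are accepted, not only which loader runs: a document carrying `!!python/...` tags, which the old argument-less `yaml.load` would have constructed into Python objects, now raises `yaml.constructor.ConstructorError`; that is a `YAMLError` subclass, so the existing handler below still reports it with its position, but nothing in the code says this rejection is intended. A one-line comment would make the contract explicit, e.g. `# safe_load: plain YAML/JSON types only; python/* tags raise YAMLError`. The same applies to the hunks at lines 29, 38 and 48. The enclosing function starts before this hunk and its handler continues after it.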
@@ -214,7 +214,7 @@ class ROClient:
     def _parse_error_yaml(descriptor):
         json_error = None
         try:
-            json_error = yaml.load(descriptor, Loader=yaml.Loader)
+            json_error = yaml.safe_load(descriptor)
             return json_error["error"]["description"]
         except Exception:
             return str(json_error or descriptor)
@@ -222,7 +222,7 @@ class ROClient:
     @staticmethod
     def _parse_yaml(descriptor, response=False):
         try:
-            return yaml.load(descriptor, Loader=yaml.Loader)
+            return yaml.safe_load(descriptor)
         except yaml.YAMLError as exc:
             error_pos = ""
             if hasattr(exc, "problem_mark"):
index 5f630b2..8932d89 100644 (file)
@@ -759,7 +759,7 @@ class Lcm:
         try:
             # read file as yaml format
             with open(config_file) as f:
-                conf = yaml.load(f, Loader=yaml.Loader)
+                conf = yaml.safe_load(f)
             # Ensure all sections are not empty
             for k in (
                 "global",
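Review bot: `yaml.safe_load(f)` on line 48 returns None for an empty or comment-only config file, and the section check that follows (`for k in ("global", ...`) presumably indexes `conf` and would then fail with an AttributeError instead of a message about the missing section; the old loader behaved the same, so this is not a regression, but `conf = yaml.safe_load(f) or {}` would let the section check produce the intended error. The `try` block starts before this hunk and its handler lies outside it, so I cannot tell whether that case is already caught.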
index 6aed304..ee9bc5c 100644 (file)
@@ -422,7 +422,7 @@ class NsLcm(LcmBase):
     @staticmethod
     def _parse_cloud_init(cloud_init_text, additional_params, vnfd_id, vdu_id):
         try:
-            env = Environment(undefined=StrictUndefined)
+            env = Environment(undefined=StrictUndefined, autoescape=True)
             template = env.from_string(cloud_init_text)
             return template.render(additional_params or {})
         except UndefinedError as e:
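Review bot: `autoescape=True` on line 58 applies HTML entity escaping to every substituted value, but the rendered output is a cloud-init document, not HTML: any `additional_params` value containing `&`, `<`, `>`, `"` or `'` is rewritten as `&amp;`, `&#34;` and so on, so values such as passwords or URLs end up corrupted in the instance's cloud-init. Autoescaping also does nothing to constrain the template itself; if `cloud_init_text` from the VNF package is the untrusted input this commit is concerned with, `jinja2.sandbox.SandboxedEnvironment` is the control that fits, while autoescape belongs to HTML output. I would keep `autoescape=False` with a comment stating why, e.g. `env = Environment(undefined=StrictUndefined, autoescape=False)  # output is cloud-init text, not HTML; entity escaping would corrupt values`, or at least document the new escaping behaviour for callers. The function continues past the end of the hunk.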