Fix code execution vulnerability by switching to yaml.safe_load

Ref: yaml/pyyaml#5
ypid · Feb 21, 2017 · 987f7e2 · 987f7e2
1 parent 4d62118
commit 987f7e2
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/src/ansiblecmdb/ansible.py b/src/ansiblecmdb/ansible.py
@@ -122,7 +122,7 @@ def _parse_hostvar_dir(self, inventory_path):
 
             try:
                 f = codecs.open(f_path, 'r', encoding='utf8')
-                invars = yaml.load(f)
+                invars = yaml.safe_load(f)
                 f.close()
                 self.update_host(fname, {'hostvars': invars})
             except Exception as err:

diff --git a/src/ansiblecmdb/parser.py b/src/ansiblecmdb/parser.py
@@ -181,7 +181,7 @@ def _parse_line_vars(self, line):
         k, v = line.strip().split('=', 1)
         if v.startswith('['):
             try:
-                list_res = yaml.load(v)
+                list_res = yaml.safe_load(v)
                 if isinstance(list_res[0], dict):
                     key_values = list_res[0]
                     return key_values