authorRĂ©mi Duraffort <remi.duraffort@linaro.org>2018-06-15 15:57:51 +0200
committerNeil Williams <neil.williams@linaro.org>2018-06-15 17:03:05 +0100
commit95f28429c35ac54ccbbe639bf56cf06ada8fbb5b (patch)
tree6f3b18c76e914001b2c831215fa61941e854098f /lava_scheduler_app/schema.py
parent0a8db2d0ec853d3c4675513e69c99c82d4f24ca3 (diff)
Use yaml.safe_load when parsing user data2018.5.post1
Calling yaml.load() on untrusted data is unsafe and can lead to remote code execution. This commit fixes remote code execution in:
* the submit page
* the xmlrpc api
* the scheduler
* lava-master and lava-slave
This bug was found by running bandit (https://github.com/PyCQA/bandit).

Change-Id: I80882f9baeb0e7e1c2127f602cc4b206213cb59f
Diffstat (limited to 'lava_scheduler_app/schema.py')
-rw-r--r--lava_scheduler_app/schema.py6
1 files changed, 3 insertions, 3 deletions
diff --git a/lava_scheduler_app/schema.py b/lava_scheduler_app/schema.py
index 92f35512a..8351e6421 100644
--- a/lava_scheduler_app/schema.py
+++ b/lava_scheduler_app/schema.py
@@ -437,7 +437,7 @@ def _validate_vcs_parameters(data_objects):
def _download_raw_yaml(url):
try:
- return yaml.load(requests.get(url, timeout=INCLUDE_URL_TIMEOUT).content)
+ return yaml.safe_load(requests.get(url, timeout=INCLUDE_URL_TIMEOUT).content)
except requests.RequestException as exc:
raise SubmissionException(
"Section 'include' must contain valid URL: %s" % exc)
@@ -475,7 +475,7 @@ def handle_include_option(data_object):
def validate_submission(data_object):
"""
Validates a python object as a TestJob submission
- :param data: Python object, e.g. from yaml.load()
+ :param data: Python object, e.g. from yaml.safe_load()
:return: True if valid, else raises SubmissionException
"""
try:
@@ -514,7 +514,7 @@ def _validate_primary_connection_power_commands(data_object):
def validate_device(data_object):
"""
Validates a python object as a pipeline device configuration
- e.g. yaml.load(`lava-server manage device-dictionary --hostname host1 --export`)
+ e.g. yaml.safe_load(`lava-server manage device-dictionary --hostname host1 --export`)
To validate a device_type template, a device dictionary needs to be created.
:param data: Python object representing a pipeline Device.
:return: True if valid, else raises SubmissionException
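Review bot: In the first hunk, `_download_raw_yaml` still hands whatever `requests.get()` returns straight to `yaml.safe_load()` without checking the HTTP status, and only `requests.RequestException` is caught, so a 404 or error page body is parsed as an include and a malformed include escapes as an uncaught `yaml.YAMLError` instead of a `SubmissionException`. Calling `raise_for_status()` on the response before parsing keeps HTTP errors inside the existing handler (`HTTPError` is a `RequestException`), and a second `except yaml.YAMLError` clause gives bad YAML the same error path. The fetched body is also parsed with no size bound; that may be acceptable for trusted include hosts but is worth a limit if include URLs come from submitters. Whether anything follows the `raise` in `_download_raw_yaml` is outside the hunk, and the other two hunks are docstring-only.
```python
def _download_raw_yaml(url):
    try:
        resp = requests.get(url, timeout=INCLUDE_URL_TIMEOUT)
        # Reject 4xx/5xx bodies before parsing; HTTPError is a RequestException.
        resp.raise_for_status()
        return yaml.safe_load(resp.content)
    # … unchanged: except requests.RequestException -> SubmissionException …
    except yaml.YAMLError as exc:
        raise SubmissionException(
            "Section 'include' must contain valid YAML: %s" % exc)
```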