author | RĂ©mi Duraffort <remi.duraffort@linaro.org> | 2018-06-15 15:57:51 +0200 |
---|---|---|
committer | Neil Williams <neil.williams@linaro.org> | 2018-06-15 17:03:05 +0100 |
commit | 95f28429c35ac54ccbbe639bf56cf06ada8fbb5b (patch) | |
tree | 6f3b18c76e914001b2c831215fa61941e854098f /lava_scheduler_app/schema.py | |
parent | 0a8db2d0ec853d3c4675513e69c99c82d4f24ca3 (diff) |
Use yaml.safe_load when parsing user data2018.5.post1
Calling yaml.load() on untrusted data is unsafe and can lead to remote code
execution.
This commit fixes remote code execution in:
* the submit page
* the xmlrpc api
* the scheduler
* lava-master and lava-slave
This bug was found by running bandit (https://github.com/PyCQA/bandit).
Change-Id: I80882f9baeb0e7e1c2127f602cc4b206213cb59f
Diffstat (limited to 'lava_scheduler_app/schema.py')
-rw-r--r-- | lava_scheduler_app/schema.py | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/lava_scheduler_app/schema.py b/lava_scheduler_app/schema.py
index 92f35512a..8351e6421 100644
--- a/lava_scheduler_app/schema.py
+++ b/lava_scheduler_app/schema.py
@@ -437,7 +437,7 @@ def _validate_vcs_parameters(data_objects):
 
 def _download_raw_yaml(url):
     try:
-        return yaml.load(requests.get(url, timeout=INCLUDE_URL_TIMEOUT).content)
+        return yaml.safe_load(requests.get(url, timeout=INCLUDE_URL_TIMEOUT).content)
     except requests.RequestException as exc:
         raise SubmissionException(
             "Section 'include' must contain valid URL: %s" % exc)
@@ -475,7 +475,7 @@ def handle_include_option(data_object):
 def validate_submission(data_object):
     """
     Validates a python object as a TestJob submission
-    :param data: Python object, e.g. from yaml.load()
+    :param data: Python object, e.g. from yaml.safe_load()
     :return: True if valid, else raises SubmissionException
     """
     try:
@@ -514,7 +514,7 @@ def _validate_primary_connection_power_commands(data_object):
 def validate_device(data_object):
     """
     Validates a python object as a pipeline device configuration
-    e.g. yaml.load(`lava-server manage device-dictionary --hostname host1 --export`)
+    e.g. yaml.safe_load(`lava-server manage device-dictionary --hostname host1 --export`)
     To validate a device_type template, a device dictionary needs to be created.
     :param data: Python object representing a pipeline Device.
     :return: True if valid, else raises SubmissionException
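Review bot: In the first hunk, `_download_raw_yaml` still only catches `requests.RequestException`, so a fetched document that is not valid YAML now escapes as an uncaught `yaml.YAMLError` instead of the `SubmissionException` callers of the 'include' handling expect; widening the clause to `except (requests.RequestException, yaml.YAMLError) as exc:` keeps the failure on the same reporting path as a bad URL. Separately, the URL passed to `requests.get` appears to come straight from the submission's 'include' section (the error message suggests as much), and nothing in the hunk restricts its scheme or destination or bounds the size of the response before it is parsed; an allowlist of schemes/hosts and a content-length cap are worth a follow-up, though that is beyond this commit's scope. The second and third hunks only update docstrings to match the new call. `handle_include_option`, which calls this helper, lies outside the hunk.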