security scan reported insecure yaml load method usage in latest cloud-init code
Bug #1849640 reported by Kumar Biplab
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cloud-init | Fix Released | Undecided | Unassigned |
Bug Description
PyYAML's yaml.load() method is unsafe and can execute code in YAML files. We can use safe_load() as a safer option.
Here are the lines where it is used in the current code.
1. cloudinit\
   yaml.load(net_data)
2. \cloudinit\
   yaml.load(
3. \cloudinit\util.py at line 950
   converted = safeyaml.load(blob)
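The pattern the scan reported can be caught in review with a small static check. The following is an added example, not cloud-init's own code: it walks a module's AST and reports yaml.load()/yaml.load_all() calls that omit Loader= or name a loader that still constructs arbitrary Python objects; SAMPLE is a constructed input modelled on the call sites listed above. Any other class passed as Loader= (for example a SafeLoader subclass such as cloud-init's _CustomSafeLoader) is accepted without checking its base class, which is the check's known blind spot.

```python
import ast

# PyYAML loader classes that can still construct arbitrary Python objects.
UNSAFE_LOADERS = {"Loader", "UnsafeLoader", "FullLoader"}


def _dotted(node):
    # Turn a Name/Attribute chain into "a.b.c"; None for any other expression.
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))


def find_insecure_yaml_loads(source):
    """Return (lineno, reason) for each yaml.load()/yaml.load_all() call that
    omits Loader= or passes one of UNSAFE_LOADERS (positional or keyword)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        callee = _dotted(node.func)
        if callee not in ("load", "load_all", "yaml.load", "yaml.load_all"):
            continue
        loader = next((k.value for k in node.keywords if k.arg == "Loader"), None)
        if loader is None and len(node.args) >= 2:  # Loader as 2nd positional
            loader = node.args[1]
        if loader is None:
            findings.append((node.lineno, "%s() without Loader=" % callee))
            continue
        name = _dotted(loader) or "<expr>"
        # Any other class (e.g. a SafeLoader subclass) is accepted unverified.
        if name.rsplit(".", 1)[-1] in UNSAFE_LOADERS:
            findings.append((node.lineno, "%s(Loader=%s)" % (callee, name)))
    return sorted(findings)


# Constructed sample modelled on the call sites named in the bug report.
SAMPLE = """\
import yaml
a = yaml.load(net_data)                        # flagged: no Loader=
b = yaml.load(blob, Loader=yaml.FullLoader)    # flagged: FullLoader
c = safeyaml.load(blob)                        # cloud-init wrapper, skipped
d = yaml.load(blob, Loader=_CustomSafeLoader)  # pinned loader, accepted
"""
```

Run find_insecure_yaml_loads() over each module's source text; on SAMPLE it reports lines 2 and 3 only.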
Related branches
~smoser/cloud-init:fix/1849640-adjust-yaml-usage
Merged into cloud-init:master
- Ryan Harper: Approve
- Server Team CI bot: Approve (continuous-integration)
Diff: 395 lines (+53/-46), 13 files modified
cloudinit/cmd/devel/net_convert.py (+5/-8)
cloudinit/cmd/tests/test_main.py (+4/-3)
cloudinit/config/cc_debug.py (+2/-1)
cloudinit/config/cc_salt_minion.py (+3/-3)
cloudinit/config/cc_snappy.py (+2/-1)
cloudinit/handlers/cloud_config.py (+2/-1)
cloudinit/net/netplan.py (+8/-7)
cloudinit/net/network_state.py (+3/-2)
cloudinit/safeyaml.py (+15/-0)
cloudinit/util.py (+1/-15)
tests/unittests/test_data.py (+2/-1)
tests/unittests/test_runs/test_merge_run.py (+2/-1)
tests/unittests/test_runs/test_simple_run.py (+4/-3)
I think this can be made public.
The fix is in the tree for the net_convert use of load.
That was the only code that was using 'load' without Loader=_CustomSafeLoader.
The result of which would be limited to executing code as the user who executed 'cloud-init devel net-convert'.