Switched yaml.load to yaml.safe_load to prevent code execution via cr…

…afted yaml files Python's yaml.laod can lead to code execution via crafted yaml files such as: ``` code_exec: !!python/object/apply:subprocess.check_output ['ls'] ```
apache · Feb 8, 2018 · 7e949ee · 7e949ee
1 parent 5ab4915
commit 7e949ee
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/superset/cli.py b/superset/cli.py
@@ -221,7 +221,7 @@ def import_datasources(path, sync, recursive=False):
             with f.open() as data_stream:
                 dict_import_export_util.import_from_dict(
                     db.session,
-                    yaml.load(data_stream),
+                    yaml.safe_load(data_stream),
                     sync=sync_array)
         except Exception as e:
             logging.error('Error when importing datasources from file %s', f)