Use safe YAML loading everywhere.

Using yaml.load with a generic loader is discouraged, as it allows code injection attacks. All calls have been rewritten to use safe_load or CSafeLoader.
lsst · Jun 7, 2019 · 8eba3b1 · 8eba3b1
1 parent 239d49c
commit 8eba3b1
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/python/lsst/verify/yamlutils.py b/python/lsst/verify/yamlutils.py
@@ -80,7 +80,8 @@ def load_all_ordered_yaml(stream, **kwargs):
     return yaml.load_all(stream, OrderedLoader)
 
 
-def _build_ordered_loader(Loader=yaml.Loader, object_pairs_hook=OrderedDict):
+def _build_ordered_loader(Loader=yaml.CSafeLoader,
+                          object_pairs_hook=OrderedDict):
     # Solution from http://stackoverflow.com/a/21912744
 
     class OrderedLoader(Loader):

diff --git a/tests/test_metrics.py b/tests/test_metrics.py
@@ -17,7 +17,7 @@ def setUp(self):
         yaml_path = os.path.join(os.path.dirname(__file__),
                                  'data', 'metrics', 'testing.yaml')
         with open(yaml_path) as f:
-            self.metric_doc = yaml.load(f)
+            self.metric_doc = yaml.safe_load(f)
 
     def test_load_all_yaml_metrics(self):
         """Verify that all metrics from testing.yaml can be loaded."""