Use yaml.safe_load when parsing user data
Calling yaml.load() on untrusted data is unsafe and can lead to remote code execution.

This commit fixes remote code execution in:

* the submit page
* the xmlrpc api
* the scheduler
* lava-master and lava-slave

This bug was found by running bandit (https://github.com/PyCQA/bandit).

Change-Id: I80882f9baeb0e7e1c2127f602cc4b206213cb59f
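The mitigation the commit describes, shown as an added example rather than code from the LAVA tree: a helper that parses client-supplied YAML with yaml.safe_load, which only constructs the core YAML types and raises ConstructorError for any other tag, so a document that asks the loader to build an arbitrary Python object is rejected instead of instantiated. The job document, the tagged document and the helper name `parse_untrusted_yaml` are constructed for this example.

```python
"""Parse YAML from untrusted clients with yaml.safe_load, never yaml.load."""
import yaml

# Constructed sample: the kind of job definition a user might submit.
USER_JOB = """
job_name: smoke-test
timeouts:
  job: {minutes: 10}
actions:
  - deploy: {to: tmpfs}
"""

# Constructed sample: a document carrying a Python-specific tag.
# yaml.load() with the full Loader would construct the named Python object;
# the safe loader knows only the core YAML types and refuses the tag.
TAGGED_DOC = """
job_name: !!python/object/apply:builtins.len [[1, 2, 3]]
"""


def parse_untrusted_yaml(text):
    """Parse a YAML document received from an untrusted source.

    Returns (data, None) when the document is plain data whose top level
    is a mapping, or (None, reason) when it is rejected.
    """
    try:
        # safe_load builds only dict/list/str/int/float/bool/None; any
        # unknown tag raises yaml.constructor.ConstructorError.
        data = yaml.safe_load(text)
    except yaml.YAMLError as exc:
        return None, "rejected YAML: %s" % exc
    # Downstream code indexes the document as a mapping, so enforce that too
    # instead of letting a list or scalar reach it.
    if not isinstance(data, dict):
        return None, "rejected YAML: top-level document must be a mapping"
    return data, None


if __name__ == "__main__":
    print(parse_untrusted_yaml(USER_JOB))
    print(parse_untrusted_yaml(TAGGED_DOC))
```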
Showing 16 changed files:

- doc/v2/device-integration.rst (1 addition, 1 deletion)
- lava/dispatcher/lava-slave (5 additions, 5 deletions)
- lava_dispatcher/actions/deploy/environment.py (2 additions, 2 deletions)
- lava_dispatcher/device.py (2 additions, 2 deletions)
- lava_dispatcher/parser.py (2 additions, 2 deletions)
- lava_results_app/dbutils.py (1 addition, 1 deletion)
- lava_results_app/tests/test_metadata.py (5 additions, 5 deletions)
- lava_scheduler_app/api/__init__.py (4 additions, 4 deletions)
- lava_scheduler_app/api/devices.py (1 addition, 1 deletion)
- lava_scheduler_app/dbutils.py (1 addition, 1 deletion)
- lava_scheduler_app/models.py (8 additions, 8 deletions)
- lava_scheduler_app/scheduler.py (4 additions, 4 deletions)
- lava_scheduler_app/schema.py (3 additions, 3 deletions)
- lava_server/api.py (2 additions, 2 deletions)
- lava_server/management/commands/lava-master.py (2 additions, 2 deletions)
- share/render-template.py (1 addition, 1 deletion)