From f664a31102950dc11ab8c3356dff25d3d313aedf Mon Sep 17 00:00:00 2001
From: Kirill Zaitsev
Date: Fri, 27 May 2016 00:11:28 +0300
Subject: [PATCH] Inherit custom yaml Loader from yaml.SafeLoader
Before this patch yaql-enabled yaml Loader was inherited from yaml.Loader, that potentially allows creating arbitrary python objects from specifically formatted yaml tags. This could have happened whenever UI definitions of the package were processed. With this change yaql yaml-Loader no longer allows creating custom python objects.
Change-Id: I4fe38aa7e0fc567211ab872c7e1f8e81dbc3e765
Closes-Bug: #1586079
---
 muranodashboard/api/packages.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/muranodashboard/api/packages.py b/muranodashboard/api/packages.py
index c4698c8..b4ec38f 100644
--- a/muranodashboard/api/packages.py
+++ b/muranodashboard/api/packages.py
@@ -63,7 +63,7 @@ def app_by_fqn(request, fqn, catalog=True):
 def make_loader_cls():
- class Loader(yaml.Loader):
+ class Loader(yaml.SafeLoader):
 pass
 def yaql_constructor(loader, node):
@@ -72,7 +72,7 @@ def make_loader_cls():
 # workaround for PyYAML bug: http://pyyaml.org/ticket/221
 resolvers = {}
- for k, v in yaml.Loader.yaml_implicit_resolvers.items():
+ for k, v in yaml.SafeLoader.yaml_implicit_resolvers.items():
 resolvers[k] = v[:]
 Loader.yaml_implicit_resolvers = resolvers
--
2.8.3
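Review bot: Nothing in this change pins the new behaviour: the diffstat shows only packages.py touched, so no test asserts that the loader built by make_loader_cls() now refuses Python-specific tags. A unit test that feeds a document carrying a `!!python/object` tag through the loader and expects `yaml.constructor.ConstructorError`, next to one showing a yaql-tagged scalar still loads, would stop a later refactor from quietly going back to yaml.Loader. A one-line comment on the class would help for the same reason, e.g. `# SafeLoader on purpose: UI definitions come from packages and must not construct arbitrary Python objects`. The body of make_loader_cls continues outside the hunk, so the constructor registration is not visible here; any other yaml.load call on package content elsewhere in the project would presumably need the same base class.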
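Review bot: The base class is now spelled out in two places, `class Loader(yaml.SafeLoader)` in the previous hunk and `yaml.SafeLoader.yaml_implicit_resolvers` in this one, so a future edit to one can miss the other. Reading the inherited attribute ties them together: `for k, v in Loader.yaml_implicit_resolvers.items():`. The existing comment only links to the ticket; judging by the per-key `v[:]` copy, the workaround appears to give this Loader its own resolver lists instead of sharing them with the base class, and saying so in the comment would survive the link going stale. make_loader_cls continues past the end of the hunk.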