From df01f68fb1cf69c4ed35b70fbf622aed15902469 Mon Sep 17 00:00:00 2001
From: Kirill Zaitsev
Date: Fri, 27 May 2016 01:04:31 +0300
Subject: [PATCH] Use yaml.SafeLoader instead of yaml.Loader
Before this patch yaml.Loader was used by the client to create custom yaql-enabled yaml loader. It is unsfae do to so, because yaml.Loader is capable of creating custom python objects from specifically constructed yaml files. UI parsing functions also fell back to yaml.Loader if the custom loader was not supplied. After this patch all yaml load operations are performed with safe loaders instead.
Change-Id: Id9bb6eabda35522271ec394f8758a974878cbb4b
Closes-Bug: #1586078
---
 muranoclient/common/utils.py | 4 ++--
 muranoclient/v1/package_creator/hot_package.py | 2 +-
 muranoclient/v1/packages.py | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/muranoclient/common/utils.py b/muranoclient/common/utils.py
index 7dd552f..5076758 100644
--- a/muranoclient/common/utils.py
+++ b/muranoclient/common/utils.py
@@ -538,12 +538,12 @@ class YaqlExpression(object):
 return self._parsed_expression.evaluate(data=data, context=context)
-class YaqlYamlLoader(yaml.Loader):
+class YaqlYamlLoader(yaml.SafeLoader):
 pass # workaround for PyYAML bug: http://pyyaml.org/ticket/221
 resolvers = {}
-for k, v in yaml.Loader.yaml_implicit_resolvers.items():
+for k, v in yaml.SafeLoader.yaml_implicit_resolvers.items():
 resolvers[k] = v[:]
 YaqlYamlLoader.yaml_implicit_resolvers = resolvers
diff --git a/muranoclient/v1/package_creator/hot_package.py b/muranoclient/v1/package_creator/hot_package.py
index 8139558..535e60a 100644
--- a/muranoclient/v1/package_creator/hot_package.py
+++ b/muranoclient/v1/package_creator/hot_package.py
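Review bot: In muranoclient/common/utils.py, `YaqlYamlLoader` keeps an empty body with no docstring, so nothing in the code records that its base class is a security decision rather than a convenience. A one-line docstring such as `"""Yaql-enabled YAML loader; must stay derived from yaml.SafeLoader (see bug 1586078)."""` would make a later switch back to `yaml.Loader` stand out in review, and the resolver-copy loop below it should keep reading from the same base class as the loader. Any constructors registered on this class are outside the hunk, so it is worth confirming that none of them build objects from tag content. A unit test asserting that a document carrying a Python-object tag raises `yaml.constructor.ConstructorError` through this loader would pin the new behaviour.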
@@ -43,7 +43,7 @@ def generate_manifest(args):
 args.full_name = '{0}.{1}'.format(prefix, normalized_name)
 try:
 with open(args.template) as heat_file:
- yaml_content = yaml.load(heat_file)
+ yaml_content = yaml.safe_load(heat_file)
 if not args.description:
 args.description = yaml_content.get(
 'description',
diff --git a/muranoclient/v1/packages.py b/muranoclient/v1/packages.py
index 9018060..fcb86a5 100644
--- a/muranoclient/v1/packages.py
+++ b/muranoclient/v1/packages.py
@@ -145,7 +145,7 @@ class PackageManager(base.Manager):
 def get_ui(self, app_id, loader_cls=None):
 if loader_cls is None:
- loader_cls = yaml.Loader
+ loader_cls = yaml.SafeLoader
 url = '/v1/catalog/packages/{0}/ui'.format(app_id)
 response = self.api.raw_request('GET', url)
-- 2.8.3
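Review bot: In `generate_manifest` (hot_package.py), the result of `yaml.safe_load(heat_file)` is used as a mapping without a check: an empty template yields `None` and a list or scalar document yields a non-dict, so the `yaml_content.get(` call a few lines down fails with `AttributeError`. With the safe loader, a template that carries Python-specific tags now also raises `yaml.constructor.ConstructorError` where it used to load. The `except` clause of this `try:` lies outside the hunk, so it is not visible whether either case reaches the user as a clear message; if it does not, a guard right after the load such as `if not isinstance(yaml_content, dict):` followed by the error the handler already reports would cover the first case, and catching `yaml.YAMLError` would cover the second.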
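Review bot: In `get_ui` (packages.py), only the default changed, so a caller can still pass `loader_cls=yaml.Loader` and bring the unsafe behaviour back for content that comes from the API response. The method has no docstring; adding one such as `"""Fetch and parse the UI definition; loader_cls must be yaml.SafeLoader or a loader built on it."""` would state the contract for callers that supply the yaql-enabled loader. The rest of `get_ui`, including the call that actually uses `loader_cls`, is outside the hunk, so the parsing step itself could not be checked here.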