Move from yaml.load to yaml.safe_load

yaml.load is as powerful as Python pickles, and we don't
need that level of power for the ostree YAML files.
Better safe than sorry.

Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
Patrick Uiterwijk 2018-11-13 21:11:02 +01:00
parent dc692bc604
commit 8e88373a82
2 changed files with 2 additions and 2 deletions


@ -81,7 +81,7 @@ def tweak_treeconf(treeconf, source_repos=None, keep_original_sources=False, upd
# rpm-ostree now supports YAML, but we'll end up converting it to JSON.
# https://github.com/projectatomic/rpm-ostree/pull/1377
if treeconf.endswith('.yaml'):
treeconf_content = yaml.load(f)
treeconf_content = yaml.safe_load(f)
treeconf = treeconf.replace('.yaml', '.json')
else:
treeconf_content = json.load(f)
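Review bot: The `yaml.safe_load(f)` call has no comment saying why the safe loader is required, so a later edit could switch it back to `yaml.load` without noticing that this re-enables arbitrary Python object construction from treefile content. I would add `# safe_load only: treefiles need plain YAML types, never arbitrary Python object construction` directly above it. With this change, a treefile that uses Python-specific tags raises a `yaml.YAMLError` subclass instead of being constructed, and an empty file yields `None`. Whether tweak_treeconf handles either case is not visible here, because its body starts and ends outside the hunk.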


@ -165,7 +165,7 @@ class OstreeTreeScriptTest(helpers.PungiTestCase):
with open(treefile, 'r') as f:
# Read initial content from YAML file
treefile_content = yaml.load(f)
treefile_content = yaml.safe_load(f)
original_repos = treefile_content['repos']
original_ref = treefile_content['ref']
replacing_ref = original_ref + '-changed'