use yaml.safe_{load,dump} functions

The yaml.load() function can run arbitrary code, the safe_load() variant only
understands a safe subset of YAML which is enough for dak.

diff --git a/dak/stats.py b/dak/stats.py
index 40ecc95d19754c911a98ed8eb8e40e2b3b021308..6f69e1a7f4239429fac841b78cdb47c92605a278 100755 (executable)
--- a/dak/stats.py
+++ b/dak/stats.py
@@ -41,7 +41,7 @@ from os import listdir, system, unlink
 from os.path import isfile, join, splitext
 from re import findall, DOTALL, MULTILINE
 from sys import stderr
 from os.path import isfile, join, splitext
 from re import findall, DOTALL, MULTILINE
 from sys import stderr

-from yaml import load, safe_dump
+from yaml import safe_load, safe_dump

 
 from daklib import utils
 from daklib.dbconn import DBConn, get_suite_architectures, Suite, Architecture
 
 from daklib import utils
 from daklib.dbconn import DBConn, get_suite_architectures, Suite, Architecture


@@ -340,7 +340,7 @@ def new_stats(logdir, yaml):
     global stats
     try:
         with open(yaml, 'r') as fd:
     global stats
     try:
         with open(yaml, 'r') as fd:

-            stats = load(fd)
+            stats = safe_load(fd)

     except IOError:
         pass
     if not stats:
     except IOError:
         pass
     if not stats:

diff --git a/dak/transitions.py b/dak/transitions.py
index 7409f6f95a0b18154639cf25b62d952d1879cba7..68c65b6a070bf9dbe84d3f8a664c95ccd89572d0 100755 (executable)
--- a/dak/transitions.py
+++ b/dak/transitions.py
@@ -134,7 +134,7 @@ def load_transitions(trans_file):
     sourcecontent = sourcefile.read()
     failure = False
     try:
     sourcecontent = sourcefile.read()
     failure = False
     try:

-        trans = yaml.load(sourcecontent)
+        trans = yaml.safe_load(sourcecontent)

     except yaml.YAMLError as exc:
         # Someone fucked it up
         print "ERROR: %s" % (exc)
     except yaml.YAMLError as exc:
         # Someone fucked it up
         print "ERROR: %s" % (exc)


@@ -262,7 +262,7 @@ def write_transitions(from_trans):
     temp_lock  = lock_file(trans_temp)
 
     destfile = file(trans_temp, 'w')
     temp_lock  = lock_file(trans_temp)
 
     destfile = file(trans_temp, 'w')

-    yaml.dump(from_trans, destfile, default_flow_style=False)
+    yaml.safe_dump(from_trans, destfile, default_flow_style=False)

     destfile.close()
 
     os.rename(trans_temp, trans_file)
     destfile.close()
 
     os.rename(trans_temp, trans_file)


@@ -321,7 +321,7 @@ def temp_transitions_file(transitions):
     (fd, path) = tempfile.mkstemp("", "transitions", Cnf["Dir::TempPath"])
     os.chmod(path, 0o644)
     f = open(path, "w")
     (fd, path) = tempfile.mkstemp("", "transitions", Cnf["Dir::TempPath"])
     os.chmod(path, 0o644)
     f = open(path, "w")

-    yaml.dump(transitions, f, default_flow_style=False)
+    yaml.safe_dump(transitions, f, default_flow_style=False)

     return path
 
 ################################################################################
     return path
 
 ################################################################################

diff --git a/daklib/checks.py b/daklib/checks.py
index 14fb02d35628bc0707562cdc4651b49ada5bd72f..f0d19ad54403e3d759079fd279fb661092808456 100644 (file)
--- a/daklib/checks.py
+++ b/daklib/checks.py
@@ -602,7 +602,7 @@ transition is done.""".format(source, currentlymsg, expected,t["rm"])))
 
         contents = file(path, 'r').read()
         try:
 
         contents = file(path, 'r').read()
         try:

-            transitions = yaml.load(contents)
+            transitions = yaml.safe_load(contents)

             return transitions
         except yaml.YAMLError as msg:
             utils.warn('Not checking transitions, the transitions file is broken: {0}'.format(msg))
             return transitions
         except yaml.YAMLError as msg:
             utils.warn('Not checking transitions, the transitions file is broken: {0}'.format(msg))


@@ -643,7 +643,7 @@ class LintianCheck(Check):
         with open(tagfile, 'r') as sourcefile:
             sourcecontent = sourcefile.read()
         try:
         with open(tagfile, 'r') as sourcefile:
             sourcecontent = sourcefile.read()
         try:

-            lintiantags = yaml.load(sourcecontent)['lintian']
+            lintiantags = yaml.safe_load(sourcecontent)['lintian']

         except yaml.YAMLError as msg:
             raise Exception('Could not read lintian tags file {0}, YAML error: {1}'.format(tagfile, msg))
 
         except yaml.YAMLError as msg:
             raise Exception('Could not read lintian tags file {0}, YAML error: {1}'.format(tagfile, msg))
 

diff --git a/daklib/queue.py b/daklib/queue.py
index 8c3062670201f390a9d225576a6435bd325391b3..5a5c8f90f07db110f4a6150f1c7eff66fb9143ff 100755 (executable)
--- a/daklib/queue.py
+++ b/daklib/queue.py
@@ -41,8 +41,6 @@ from types import *
 from sqlalchemy.sql.expression import desc
 from sqlalchemy.orm.exc import NoResultFound
 
 from sqlalchemy.sql.expression import desc
 from sqlalchemy.orm.exc import NoResultFound
 

-import yaml
-

 from dak_exceptions import *
 from changes import *
 from regexes import *
 from dak_exceptions import *
 from changes import *
 from regexes import *