Prevent remote code execution

yaml.load() allows the provider of the yaml data (in this case: the monitored host) to run arbitrary commands.
Scout24 · Jan 16, 2017 · 2191fe6 · 2191fe6
1 parent c7aa6c7
commit 2191fe6
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/main/python/monitoring_config_generator/yaml_tools/readers.py b/src/main/python/monitoring_config_generator/yaml_tools/readers.py
@@ -57,7 +57,7 @@ def get_from_header(field):
         return response.headers[field] if field in response.headers else None
 
     if response.status_code == 200:
-        yaml_config = yaml.load(response.content)
+        yaml_config = yaml.safe_load(response.content)
         etag = get_from_header('etag')
         mtime = get_from_header('last-modified')
         mtime = datetime.datetime.strptime(mtime, '%a, %d %b %Y %H:%M:%S %Z').strftime('%s') if mtime else int(time())