[PUP-7834] Change all calls to YAML.load into YAML.safe_load - Puppet Jira Server

XML

Word

Printable

Details

Type: Improvement
Status: Closed
Priority: Normal
Resolution: Fixed
Affects Version/s: None
Fix Version/s: PUP 6.0.0
Component/s: None
Labels:
None

Acceptance Criteria:

Hide

That rubocop can run clean on the puppet source with Security/YAMLLoad and Security/JSONLoad enabled.

Show
That rubocop can run clean on the puppet source with Security/YAMLLoad and Security/JSONLoad enabled.
Team:
Coremunity
Story Points:
1
Sprint:
Platform Core KANBAN

Release Notes:
Bug Fix
Release Notes Summary:
Puppet now uses YAML.safe_load consistently to ensure only known classes are loaded.

QA Risk Assessment:
Needs Assessment

Description

Now, when all serialization of YAML data is ensured to be Data, we must also ensure that no unsafe data can be loaded using YAML. Psych provides the method YAML.safe_load to accomplish this.

We do have some places were we still load objects that are not Data for backward compatibility causes. We allow Symbol keys in hiera in some places and we provide a YAML-specificit tag for Puppet::Node::Facts to make it directly deserializable into instances of that class. Such exceptions can (and should) be declared specifically as arguments to YAML.safe_load.

Also need to review JSON.load

Attachments

Issue Links

is duplicated by

PUP-7519 Enable rubocop security cop scan on ruby projects

Closed

relates to

PUP-9104 YAML safe_load prevents aliases

Closed

Activity

People

Assignee:: Josh Cooper

Reporter:: Thomas Hallgren

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2017/08/11 3:40 AM

Updated:: 2018/09/19 12:34 PM

Resolved:: 2018/09/05 4:11 PM