Puppet / PUP-7834

Change all calls to YAML.load into YAML.safe_load

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 6.0.0
    • Component/s: None
    • Labels:
      None
    • Template:
    • Acceptance Criteria:
      That rubocop can run clean on the puppet source with Security/YAMLLoad and Security/JSONLoad enabled.
    • Team:
      Coremunity
    • Story Points:
      1
    • Sprint:
      Platform Core KANBAN
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Puppet now uses YAML.safe_load consistently to ensure only known classes are loaded.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Now that all serialization of YAML data is guaranteed to produce Data, we must also ensure that no unsafe data can be loaded from YAML. Psych provides the method YAML.safe_load for this purpose: it only instantiates the core data types and refuses any other class unless it is explicitly permitted.

      We still have some places where we load objects that are not Data, for backward compatibility reasons. We allow Symbol keys in hiera in some places, and we provide a YAML-specific tag for Puppet::Node::Facts so that it can be deserialized directly into instances of that class. Such exceptions can (and should) be declared explicitly as arguments to YAML.safe_load (permitted_classes and permitted_symbols) rather than by falling back to YAML.load.

      JSON.load also needs to be reviewed, since it likewise revives arbitrary objects via create_additions.
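      The policy described above, as an added example that is not part of Puppet's source: a plain safe_load that accepts only Data, a hiera-style loader that admits one named Symbol, and a facts-style loader that admits one tagged class. The Facts class and all YAML documents are constructed stand-ins (Facts plays the role of Puppet::Node::Facts). It assumes Psych 3.1 or later, where safe_load takes the keyword arguments permitted_classes, permitted_symbols and aliases.

```ruby
require 'yaml'

# Constructed stand-in for Puppet::Node::Facts; not Puppet's class.
# It is the only class that the facts loader below is allowed to revive.
class Facts
  attr_reader :name, :values
end

# Constructed sample documents (not taken from the Puppet source).
PLAIN_DOC        = "name: web01\nports:\n  - 80\n  - 443\n"
SYMBOL_KEY_DOC   = ":environment: production\n"
OTHER_SYMBOL_DOC = ":role: admin\n"
FACTS_DOC        = "--- !ruby/object:Facts\nname: web01\nvalues:\n  kernel: Linux\n"
ALIAS_DOC        = "base: &b\n  a: 1\nother: *b\n"

# Default policy: only core data types (strings, numbers, booleans, nil,
# arrays, hashes). Any !ruby/object tag or Symbol raises Psych::DisallowedClass,
# and YAML aliases are refused as well (aliases: false is the default).
def load_data(yaml)
  YAML.safe_load(yaml)
end

# Hiera-style exception: Symbol keys are allowed, but only the listed names.
# permitted_classes: [Symbol] opens the Symbol class; permitted_symbols then
# narrows it to known names, so ":role" is still rejected.
def load_hiera_data(yaml)
  YAML.safe_load(yaml,
                 permitted_classes: [Symbol],
                 permitted_symbols: [:environment])
end

# Facts-style exception: exactly one tagged class may be revived from YAML.
# Everything else (other classes, symbols, aliases) is still refused.
def load_facts(yaml)
  YAML.safe_load(yaml, permitted_classes: [Facts])
end

# Demonstration helper: returns nil when the document is accepted, otherwise
# the exception Psych raised while refusing it. Psych::AliasesNotEnabled
# (Psych 4) is a subclass of Psych::BadAlias, so both versions are covered.
def rejection_for
  yield
  nil
rescue Psych::DisallowedClass, Psych::BadAlias => e
  e
end

if __FILE__ == $PROGRAM_NAME
  puts "plain data:      #{load_data(PLAIN_DOC).inspect}"
  puts "symbol via data: #{rejection_for { load_data(SYMBOL_KEY_DOC) }.inspect}"
  puts "hiera symbol:    #{load_hiera_data(SYMBOL_KEY_DOC).inspect}"
  puts "other symbol:    #{rejection_for { load_hiera_data(OTHER_SYMBOL_DOC) }.inspect}"
  puts "facts via data:  #{rejection_for { load_data(FACTS_DOC) }.inspect}"
  puts "facts loader:    #{load_facts(FACTS_DOC).name.inspect}"
  puts "alias:           #{rejection_for { load_data(ALIAS_DOC) }.inspect}"
end
```

      The point of giving each call site its own narrowly scoped loader is that the exception is visible where it is needed: a grep for permitted_classes lists every place that can revive a non-Data object, which is exactly what a Security/YAMLLoad rubocop check cannot tell you about a bare YAML.load.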

        Attachments

          Issue Links

            Activity


                People

                • Assignee:
                  Josh Cooper (josh)
                • Reporter:
                  Thomas Hallgren (thomas.hallgren)
                • Votes:
                  0
                • Watchers:
                  6

                  Dates

                  • Created:
                    Updated:
                    Resolved: