Bug 1469999 - Use yaml.safe_load() for loading linter config file; r=ahal

yaml.load() is unsafe and can lead to arbitrary code execution via syntax like `!!python/object/apply:os.system`. yaml.safe_load() is more reasonable. Differential Revision: https://phabricator.services.mozilla.com/D1738 --HG-- extra : rebase_source : 597c07b3c1538dc27ad6f46e01cdb7f48755d0bc extra : histedit_source : 131d570f8ac1ee047487cba54822dbf20abf6681
2025-02-22 18:32:00 +00:00 · 2018-06-20 14:29:27 -07:00 · 2018-06-20 14:29:27 -07:00 · 6e4366049c
commit 6e4366049c
parent 871e349399
1 changed files with 1 additions and 1 deletions
--- a/python/mozlint/mozlint/parser.py
+++ b/python/mozlint/mozlint/parser.py
@ -90,7 +90,7 @@ class Parser(object):
            raise LinterParseError(path, "Invalid filename, linters must end with '.yml'!")

        with open(path) as fh:
-            config = yaml.load(fh)
+            config = yaml.safe_load(fh)

        if not config:
            raise LinterParseError(path, "No lint definitions found!")