Use yaml.safe_load

We should be using yaml.safe_load and not yaml.load in all of our code.

unit_tests/test_zaza_charm_lifecycle_utils.py

@@ -33,7 +33,7 @@ class TestCharmLifecycleUtils(ut_utils.BaseTestCase):
         self.patch_object(lc_utils, 'yaml')
         _yaml = "testconfig: someconfig"
         _yaml_dict = {'test_config': 'someconfig'}
-        self.yaml.load.return_value = _yaml_dict
+        self.yaml.safe_load.return_value = _yaml_dict
         _filename = "filename"
         _fileobj = mock.MagicMock()
         _fileobj.__enter__.return_value = _yaml
@@ -42,7 +42,7 @@ class TestCharmLifecycleUtils(ut_utils.BaseTestCase):
         self.assertEqual(lc_utils.get_charm_config(yaml_file=_filename),
                          _yaml_dict)
         self._open.assert_called_once_with(_filename, "r")
-        self.yaml.load.assert_called_once_with(_yaml)
+        self.yaml.safe_load.assert_called_once_with(_yaml)
 
     def test_get_class(self):
         self.assertEqual(

unit_tests/utilities/test_zaza_utilities_juju.py

@@ -193,7 +193,7 @@ class TestJujuUtils(ut_utils.BaseTestCase):
         self.model.run_on_unit.assert_called_with(
             'aunit/0',
             'relation-get --format=yaml -r "42" - "otherunit/0"')
-        self.yaml.load.assert_called_with(str(data))
+        self.yaml.safe_load.assert_called_with(str(data))
 
     def test_get_relation_from_unit_fails(self):
         self.patch_object(juju_utils, '_get_unit_names')
@@ -208,7 +208,7 @@ class TestJujuUtils(ut_utils.BaseTestCase):
         self.model.run_on_unit.assert_called_with(
             'aunit/0',
             'relation-get --format=yaml -r "42" - "otherunit/0"')
-        self.assertFalse(self.yaml.load.called)
+        self.assertFalse(self.yaml.safe_load.called)
 
     def test_leader_get(self):
         self.patch_object(juju_utils, 'yaml')
@@ -219,7 +219,7 @@ class TestJujuUtils(ut_utils.BaseTestCase):
         juju_utils.leader_get('application')
         self.model.run_on_leader.assert_called_with(
             'application', 'leader-get --format=yaml ')
-        self.yaml.load.assert_called_with(str(data))
+        self.yaml.safe_load.assert_called_with(str(data))
 
     def test_leader_get_key(self):
         self.patch_object(juju_utils, 'yaml')
@@ -230,7 +230,7 @@ class TestJujuUtils(ut_utils.BaseTestCase):
         juju_utils.leader_get('application', 'foo')
         self.model.run_on_leader.assert_called_with(
             'application', 'leader-get --format=yaml foo')
-        self.yaml.load.assert_called_with(data['foo'])
+        self.yaml.safe_load.assert_called_with(data['foo'])
 
     def test_leader_get_fails(self):
         self.patch_object(juju_utils, 'yaml')
@@ -241,7 +241,7 @@ class TestJujuUtils(ut_utils.BaseTestCase):
             juju_utils.leader_get('application')
         self.model.run_on_leader.assert_called_with(
             'application', 'leader-get --format=yaml ')
-        self.assertFalse(self.yaml.load.called)
+        self.assertFalse(self.yaml.safe_load.called)
 
     def test_get_machine_series(self):
         self.patch(

zaza/charm_lifecycle/utils.py

@@ -32,7 +32,7 @@ def get_charm_config(yaml_file=None):
     if not yaml_file:
         yaml_file = DEFAULT_TEST_CONFIG
     with open(yaml_file, 'r') as stream:
-        return yaml.load(stream)
+        return yaml.safe_load(stream)
 
 
 def get_class(class_str):

zaza/charm_tests/vault/utils.py

@@ -158,7 +158,7 @@ def get_credentails():
             '~/{}'.format(AUTH_FILE),
             tmp_file)
         with open(tmp_file, 'r') as stream:
-            creds = yaml.load(stream)
+            creds = yaml.safe_load(stream)
     return creds
 
 
@@ -190,7 +190,7 @@ def get_credentails_from_file(auth_file):
     :rtype: dict
     """
     with open(auth_file, 'r') as stream:
-        vault_creds = yaml.load(stream)
+        vault_creds = yaml.safe_load(stream)
     return vault_creds
 
 

zaza/model.py

@@ -855,7 +855,7 @@ def get_actions(application_name, model_name=None):
     # https://github.com/juju/python-libjuju/issues/226
     cmd = ['juju', 'actions', '-m', model_name, application_name,
            '--format', 'yaml']
-    return yaml.load(subprocess.check_output(cmd))
+    return yaml.safe_load(subprocess.check_output(cmd))
 
 
 async def async_get_current_model():

zaza/utilities/generic.py

@@ -167,7 +167,7 @@ def get_yaml_config(config_file):
     # through mojo stage directories. This version assumes the yaml file is in
     # the pwd.
     logging.info('Using config %s' % (config_file))
-    return yaml.load(open(config_file, 'r').read())
+    return yaml.safe_load(open(config_file, 'r').read())
 
 
 def series_upgrade_non_leaders_first(application, from_series="trusty",

zaza/utilities/juju.py

@@ -238,7 +238,7 @@ def get_relation_from_unit(entity, remote_entity, remote_interface_name):
     cmd = 'relation-get --format=yaml -r "{}" - "{}"' .format(rid, remote_unit)
     result = model.run_on_unit(unit, cmd)
     if result and int(result.get('Code')) == 0:
-        return yaml.load(result.get('Stdout'))
+        return yaml.safe_load(result.get('Stdout'))
     else:
         raise model.CommandRunFailed(cmd, result)
 
@@ -255,6 +255,6 @@ def leader_get(application, key=''):
     cmd = 'leader-get --format=yaml {}'.format(key)
     result = model.run_on_leader(application, cmd)
     if result and int(result.get('Code')) == 0:
-        return yaml.load(result.get('Stdout'))
+        return yaml.safe_load(result.get('Stdout'))
     else:
         raise model.CommandRunFailed(cmd, result)