Fix vulnerability for PyYAML

src/abseil-cpp/gen_build_yaml.py

@@ -20,7 +20,7 @@ import yaml
 BUILDS_YAML_PATH = os.path.join(os.path.dirname(os.path.abspath(__file__)),
                                 'preprocessed_builds.yaml')
 with open(BUILDS_YAML_PATH) as f:
-    builds = yaml.load(f, Loader=yaml.FullLoader)
+    builds = yaml.safe_load(f)
 
 for build in builds:
     build['build'] = 'private'

test/cpp/naming/gen_build_yaml.py

@@ -66,7 +66,7 @@ def _resolver_test_cases(resolver_component_data):
 def main():
     resolver_component_data = ''
     with open('test/cpp/naming/resolver_test_record_groups.yaml') as f:
-        resolver_component_data = yaml.load(f, Loader=yaml.FullLoader)
+        resolver_component_data = yaml.safe_load(f)
 
     json = {
         'resolver_tests_common_zone_name':

test/cpp/naming/utils/dns_server.py

@@ -76,7 +76,7 @@ def start_local_dns_server(args):
         _push_record(name, dns.Record_TXT(*txt_data_list, ttl=r_ttl))
 
     with open(args.records_config_path) as config:
-        test_records_config = yaml.load(config)
+        test_records_config = yaml.safe_load(config)
     common_zone_name = test_records_config['resolver_tests_common_zone_name']
     for group in test_records_config['resolver_component_tests']:
         for name in group['records'].keys():

tools/buildgen/_mako_renderer.py

@@ -113,7 +113,7 @@ def main(argv: List[str]) -> None:
     for arg in args:
         got_input = True
         with open(arg) as f:
-            srcs = list(yaml.load_all(f.read(), Loader=yaml.FullLoader))
+            srcs = list(yaml.safe_load_all(f.read()))
         for src in srcs:
             if isinstance(src, str):
                 assert len(srcs) == 1

tools/buildgen/build_cleaner.py

@@ -88,7 +88,7 @@ def cleaned_build_yaml_dict_as_string(indict):
 if __name__ == '__main__':
     for filename in sys.argv[1:]:
         with open(filename) as f:
-            js = yaml.load(f, Loader=yaml.FullLoader)
+            js = yaml.safe_load(f)
         output = cleaned_build_yaml_dict_as_string(js)
         if TEST:
             with open(filename) as f:

tools/buildgen/generate_projects.py

@@ -72,7 +72,7 @@ def preprocess_build_files() -> _utils.Bunch:
     for build_file in args.build_files:
         with open(build_file, 'r') as f:
             _utils.merge_json(build_spec,
-                              yaml.load(f.read(), Loader=yaml.FullLoader))
+                              yaml.safe_load(f.read()))
     # Executes plugins. Plugins update the build spec in-place.
     for py_file in sorted(glob.glob('tools/buildgen/plugins/*.py')):
         plugin = _utils.import_python_module(py_file)

tools/codegen/core/gen_experiments.py

@@ -39,7 +39,7 @@ if sys.argv[1:] == ["--check"]:
     check_dates = False  # for formatting checks we don't verify expiry dates
 
 with open('src/core/lib/experiments/experiments.yaml') as f:
-    attrs = yaml.load(f.read(), Loader=yaml.FullLoader)
+    attrs = yaml.safe_load(f.read())
 
 DEFAULTS = {
     'broken': 'false',

tools/run_tests/run_tests.py

@@ -1072,7 +1072,7 @@ class Sanity(object):
                                      timeout_seconds=30 * 60,
                                      environ=environ,
                                      cpu_cost=cmd.get('cpu_cost', 1))
-                for cmd in yaml.load(f)
+                for cmd in yaml.safe_load(f)
             ]
 
     def pre_build_steps(self):

tools/run_tests/sanity/check_version.py

@@ -56,7 +56,7 @@ else:
     check_version = lambda version: True
 
 with open('build_handwritten.yaml', 'r') as f:
-    build_yaml = yaml.load(f.read())
+    build_yaml = yaml.safe_load(f.read())
 
 settings = build_yaml['settings']