From 21362156125cadc0cddbffdc911d15a29c949902 Mon Sep 17 00:00:00 2001
From: lijing
Date: Tue, 14 Nov 2017 18:59:29 +0800
Subject: [PATCH] use defusedxml to avoid XML attack

According to https://docs.openstack.org/bandit/latest/api/bandit.blacklists.html Using various XML methods to parse untrusted XML data is known to be vulnerable to XML attacks. Methods should be replaced with their defusedxml equivalents.

Change-Id: Icdd807c8fd47ce0df3e292eef910e6e6e7610686
Partial-Bug: #1732155
---
 cinder/volume/drivers/dell_emc/vmax/utils.py | 2 +-
 cinder/volume/drivers/huawei/huawei_conf.py | 2 +-
 cinder/volume/drivers/nec/volume_common.py | 6 +++---
 cinder/volume/drivers/zadara.py | 4 ++--
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/cinder/volume/drivers/dell_emc/vmax/utils.py b/cinder/volume/drivers/dell_emc/vmax/utils.py
index 43324bece70..dc4f1a4757a 100644
--- a/cinder/volume/drivers/dell_emc/vmax/utils.py
+++ b/cinder/volume/drivers/dell_emc/vmax/utils.py
@@ -15,10 +15,10 @@
 from copy import deepcopy
 import datetime
+from defusedxml import minidom
 import hashlib
 import random
 import re
-from xml.dom import minidom
 from cinder.objects.group import Group
 from oslo_log import log as logging
diff --git a/cinder/volume/drivers/huawei/huawei_conf.py b/cinder/volume/drivers/huawei/huawei_conf.py
index 4f8032af23c..dfeb4a29527 100644
--- a/cinder/volume/drivers/huawei/huawei_conf.py
+++ b/cinder/volume/drivers/huawei/huawei_conf.py
@@ -21,8 +21,8 @@ and set every property into Configuration object as an attribute.
 """
 import base64
+from defusedxml import ElementTree as ET
 import six
-from xml.etree import ElementTree as ET
 from oslo_log import log as logging
diff --git a/cinder/volume/drivers/nec/volume_common.py b/cinder/volume/drivers/nec/volume_common.py
index d834274caea..73bccc98228 100644
--- a/cinder/volume/drivers/nec/volume_common.py
+++ b/cinder/volume/drivers/nec/volume_common.py
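Review bot: `defusedxml.minidom` exposes only the parsing entry points `parse` and `parseString`, and `defusedxml.ElementTree` likewise re-exports `parse`, `iterparse`, `fromstring`, `XML`, `XMLParser`, `tostring` and `ParseError` but none of the tree constructors (`Document`, `Element`, `SubElement`, `ElementTree`) of the stdlib modules they replace, so any use of those through the `minidom` name in utils.py or the `ET` name in huawei_conf.py outside these hunks would now fail with an AttributeError at runtime. The import swap is otherwise silent, so a grep for `minidom.` and `ET.` in both files before merging is the cheap check; the same point applies to the huawei_conf.py hunk, so it is not repeated there. Separately, the new line sits between `import datetime` and `import hashlib` inside what looks like the stdlib group, while defusedxml is a third-party package that belongs in the second group, i.e. `from defusedxml import minidom` placed between `from cinder.objects.group import Group` and `from oslo_log import log as logging`.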
@@ -19,7 +19,7 @@
 import os
 import re
 import traceback
-from defusedxml import lxml as etree
+from defusedxml import lxml
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import excutils
@@ -291,7 +291,7 @@ class MStorageVolumeCommon(object):
 try:
 with open(product, 'r') as f:
 xml = f.read()
- root = etree.fromstring(xml)
+ root = lxml.fromstring(xml)
 vendor_name = root.xpath('./VendorName')[0].text
 product_dict = {}
@@ -783,7 +783,7 @@ class MStorageVolumeCommon(object):
 return hostports
 def configs(self, xml):
- root = etree.fromstring(xml)
+ root = lxml.fromstring(xml)
 pools = self.get_pool_config(xml, root)
 lds, used_ldns = self.get_ld_config(xml, root, pools)
 iscsi_ldsets = self.get_iscsi_ldset_config(xml, root)
diff --git a/cinder/volume/drivers/zadara.py b/cinder/volume/drivers/zadara.py
index 1199f7f9964..68184957241 100644
--- a/cinder/volume/drivers/zadara.py
+++ b/cinder/volume/drivers/zadara.py
@@ -18,7 +18,7 @@ Volume driver for Zadara Virtual Private Storage Array (VPSA).
 This driver requires VPSA with API version 15.07 or higher.
 """
-from defusedxml import lxml as etree
+from defusedxml import lxml
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import strutils
@@ -270,7 +270,7 @@ class ZadaraVPSAConnection(object):
 raise exception.BadHTTPResponseStatus(status=response.status_code)
 data = response.content
- xml_tree = etree.fromstring(data)
+ xml_tree = lxml.fromstring(data)
 status = xml_tree.findtext('status')
 if status != '0':
 raise exception.FailedCmdWithDump(status=status, data=data)
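Review bot: The new `lxml.fromstring(xml)` receives the `str` that `f.read()` returns from the text-mode `open(product, 'r')` two lines above, and on Python 3 lxml rejects a `str` that carries an XML encoding declaration (`ValueError: Unicode strings with encoding declaration are not supported`), so the parse fails if the product file begins with `<?xml version="1.0" encoding="..."?>`. Opening the file with `'rb'` and handing bytes to the parser, which is what the zadara.py hunk already does with `response.content`, avoids that. This behaviour predates the alias change, but the line is being touched anyway. The enclosing method starts before this hunk and continues after it.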
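Review bot: `configs` has no docstring, and because it hands the raw `xml` string as well as the parsed `root` to every helper shown here, a reader cannot tell from the signature what it produces; a one-liner such as `"""Parse the driver configuration XML and collect pool, LD and iSCSI LD-set settings via the get_*_config helpers."""` directly under the `def` line would help, with the return value left undescribed here since it lies outside the hunk. The method body continues past the end of the hunk.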
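Review bot: `lxml.fromstring(data)` parses the appliance's HTTP response body, and a parse failure propagates as a raw library exception (lxml's `XMLSyntaxError`, or defusedxml's `EntitiesForbidden`, which is exactly what the new import exists to raise on a hostile payload) rather than the driver's `exception.FailedCmdWithDump`, so a non-XML body returned with a 2xx status, such as a proxy's HTML error page, surfaces as an unhandled lxml error instead of the dumped-response failure the next lines produce. Wrapping this line in a try/except that catches `DefusedXmlException` and `XMLSyntaxError` and re-raises `exception.FailedCmdWithDump(status=<placeholder>, data=data)` keeps the failure on the driver's own path with the body attached. Note that `from defusedxml import lxml` now binds the bare name `lxml` to defusedxml's wrapper module, so `XMLSyntaxError` needs its own `from lxml import etree` import, and that shadowing is a readability hazard the dropped `etree` alias did not have; if the alias was dropped for the bandit check named in the commit message, a distinctive alias such as `defused_lxml` would likely satisfy it while keeping the name unambiguous. The enclosing method starts before this hunk.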