use defusedxml to avoid XML attack
According to https://docs.openstack.org/bandit/latest/api/bandit.blacklists.html, using various XML methods to parse untrusted XML data is known to be vulnerable to XML attacks. Methods should be replaced with their defusedxml equivalents. Change-Id: Icdd807c8fd47ce0df3e292eef910e6e6e7610686 Partial-Bug: #1732155
This commit is contained in:
parent
015b105399
commit
2136215612
@ -15,10 +15,10 @@
|
||||||
|
|
||||||
from copy import deepcopy
|
from copy import deepcopy
|
||||||
import datetime
|
import datetime
|
||||||
|
from defusedxml import minidom
|
||||||
import hashlib
|
import hashlib
|
||||||
import random
|
import random
|
||||||
import re
|
import re
|
||||||
from xml.dom import minidom
|
|
||||||
|
|
||||||
from cinder.objects.group import Group
|
from cinder.objects.group import Group
|
||||||
from oslo_log import log as logging
|
from oslo_log import log as logging
|
||||||
|
|
|
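Review bot: Switching to `from defusedxml import minidom` changes the failure contract of the `minidom` parse call, which lives outside this hunk: with defusedxml's defaults a document that declares entities or external references no longer parses but raises `EntitiesForbidden` / `ExternalReferenceForbidden`, which derive from `ValueError` rather than from `xml.parsers.expat.ExpatError`, so an existing `except ExpatError` around the parse would not cover the rejection path; confirm what the caller catches. The new import is a third-party module placed inside the stdlib group between `datetime` and `hashlib`, while the file keeps `oslo_log` in a separate group below, so it belongs in that second group. defusedxml also has to be listed in the project's requirements for this import to resolve at install time (not visible in this change).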
@ -21,8 +21,8 @@ and set every property into Configuration object as an attribute.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
import base64
|
import base64
|
||||||
|
from defusedxml import ElementTree as ET
|
||||||
import six
|
import six
|
||||||
from xml.etree import ElementTree as ET
|
|
||||||
|
|
||||||
from oslo_log import log as logging
|
from oslo_log import log as logging
|
||||||
|
|
||||||
|
|
|
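Review bot: Aliasing the whole `defusedxml.ElementTree` module as `ET` is only a drop-in if this file uses `ET` for parsing: the defused module exports the parsing entry points (`parse`, `iterparse`, `fromstring`/`XML`, `XMLParser`, `ParseError`, `tostring`) but not tree-building names such as `ET.Element` or `ET.SubElement`, so any builder code elsewhere in the module would fail with `AttributeError` at call time rather than at import. Please check the remaining `ET.` references in the file; if builders are needed, keep `from xml.etree import ElementTree` under a separate name for construction and use the defused module only for `fromstring`/`parse`. Rejected input surfaces as `EntitiesForbidden` (a `ValueError` subclass), not as `ET.ParseError`, so an `except ET.ParseError` around the parse call would not see it.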
@ -19,7 +19,7 @@ import os
|
||||||
import re
|
import re
|
||||||
import traceback
|
import traceback
|
||||||
|
|
||||||
from defusedxml import lxml as etree
|
from defusedxml import lxml
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
from oslo_log import log as logging
|
from oslo_log import log as logging
|
||||||
from oslo_utils import excutils
|
from oslo_utils import excutils
|
||||||
|
@ -291,7 +291,7 @@ class MStorageVolumeCommon(object):
|
||||||
try:
|
try:
|
||||||
with open(product, 'r') as f:
|
with open(product, 'r') as f:
|
||||||
xml = f.read()
|
xml = f.read()
|
||||||
root = etree.fromstring(xml)
|
root = lxml.fromstring(xml)
|
||||||
vendor_name = root.xpath('./VendorName')[0].text
|
vendor_name = root.xpath('./VendorName')[0].text
|
||||||
|
|
||||||
product_dict = {}
|
product_dict = {}
|
||||||
|
@ -783,7 +783,7 @@ class MStorageVolumeCommon(object):
|
||||||
return hostports
|
return hostports
|
||||||
|
|
||||||
def configs(self, xml):
|
def configs(self, xml):
|
||||||
root = etree.fromstring(xml)
|
root = lxml.fromstring(xml)
|
||||||
pools = self.get_pool_config(xml, root)
|
pools = self.get_pool_config(xml, root)
|
||||||
lds, used_ldns = self.get_ld_config(xml, root, pools)
|
lds, used_ldns = self.get_ld_config(xml, root, pools)
|
||||||
iscsi_ldsets = self.get_iscsi_ldset_config(xml, root)
|
iscsi_ldsets = self.get_iscsi_ldset_config(xml, root)
|
||||||
|
|
|
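Review bot: The name chosen by `from defusedxml import lxml` (first hunk, and used by `lxml.fromstring` in the next two hunks as well as both Zadara hunks below) binds `lxml` in the module namespace to the defusedxml shim and shadows the `lxml` package, so any later `import lxml` or `lxml.etree.XMLSyntaxError` reference in the file would resolve against the shim; worth a grep before merging. The protection the shim adds is an `lxml.etree.XMLParser` configured with `resolve_entities=False` plus an up-front docinfo check, and current defusedxml releases document `defusedxml.lxml` as deprecated, so a comment such as `# defusedxml.lxml: resolve_entities=False parser + DTD/entity check; rejections raise ValueError subclasses` next to the import would record what a future migration back to a plain lxml parser must preserve. `configs` (last hunk) continues outside the view, so its error handling around `lxml.fromstring` cannot be checked here; note that rejected documents raise `DTDForbidden`/`EntitiesForbidden`, which are `ValueError`s rather than `XMLSyntaxError`.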
@ -18,7 +18,7 @@ Volume driver for Zadara Virtual Private Storage Array (VPSA).
|
||||||
This driver requires VPSA with API version 15.07 or higher.
|
This driver requires VPSA with API version 15.07 or higher.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
from defusedxml import lxml as etree
|
from defusedxml import lxml
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
from oslo_log import log as logging
|
from oslo_log import log as logging
|
||||||
from oslo_utils import strutils
|
from oslo_utils import strutils
|
||||||
|
@ -270,7 +270,7 @@ class ZadaraVPSAConnection(object):
|
||||||
raise exception.BadHTTPResponseStatus(status=response.status_code)
|
raise exception.BadHTTPResponseStatus(status=response.status_code)
|
||||||
|
|
||||||
data = response.content
|
data = response.content
|
||||||
xml_tree = etree.fromstring(data)
|
xml_tree = lxml.fromstring(data)
|
||||||
status = xml_tree.findtext('status')
|
status = xml_tree.findtext('status')
|
||||||
if status != '0':
|
if status != '0':
|
||||||
raise exception.FailedCmdWithDump(status=status, data=data)
|
raise exception.FailedCmdWithDump(status=status, data=data)
|
||||||
|
|
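Review bot: `lxml.fromstring(data)` on the raw `response.content` (second hunk) is the right place to use a defused parser, since this is network-supplied XML, but nothing in the hunk handles a parse failure: a malformed body raises lxml's `XMLSyntaxError` and a body carrying entity declarations now raises defusedxml's `EntitiesForbidden` (a `ValueError` subclass, not an `XMLSyntaxError`), and neither is turned into the driver's `FailedCmdWithDump`, so a broken or hostile VPSA response propagates as an unhandled exception. The enclosing method starts before this hunk, so a wrapping `except` may already exist there and should be confirmed; if it does not, wrap the `fromstring` call in a `try`, catch `ValueError` together with lxml's `XMLSyntaxError`, and re-raise as `exception.FailedCmdWithDump(status=..., data=data)` so the caller sees the same failure type as the `status != '0'` branch.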