use defusedxml to avoid XML attack

According to https://docs.openstack.org/bandit/latest/api/bandit.blacklists.html

Using various XML methods to parse untrusted XML data is known to be vulnerable
to XML attacks. Methods should be replaced with their defusedxml equivalents.

Change-Id: Icdd807c8fd47ce0df3e292eef910e6e6e7610686
Partial-Bug: #1732155
This commit is contained in:
lijing 2017-11-14 18:59:29 +08:00 committed by Eric Harney
parent 015b105399
commit 2136215612
4 changed files with 7 additions and 7 deletions


@ -15,10 +15,10 @@
from copy import deepcopy from copy import deepcopy
import datetime import datetime
from defusedxml import minidom
import hashlib import hashlib
import random import random
import re import re
from xml.dom import minidom
from cinder.objects.group import Group from cinder.objects.group import Group
from oslo_log import log as logging from oslo_log import log as logging
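Review bot: Replacing `xml.dom.minidom` with `defusedxml.minidom` changes the failure mode at every parse call site, and none of those sites is in this hunk: on a document carrying a DTD, entity declarations or external references the defused parser raises `defusedxml.DTDForbidden` / `EntitiesForbidden` / `ExternalReferenceForbidden`, which to my knowledge derive from `DefusedXmlException` (a `ValueError`) and not from `xml.parsers.expat.ExpatError`, so an existing `except ExpatError` around `parseString` would let them through. The same applies to the `ElementTree` swap in the second section and to the `fromstring` calls in the `MStorageVolumeCommon` and `ZadaraVPSAConnection` sections. Worth confirming that each caller either tolerates a `ValueError` escaping or catches `defusedxml.DefusedXmlException` and maps it to the driver's own exception type, so a hostile document surfaces as a clean driver error rather than an unhandled traceback.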


@ -21,8 +21,8 @@ and set every property into Configuration object as an attribute.
""" """
import base64 import base64
from defusedxml import ElementTree as ET
import six import six
from xml.etree import ElementTree as ET
from oslo_log import log as logging from oslo_log import log as logging
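Review bot: `defusedxml.ElementTree` is a parsing shim, not a full stand-in for `xml.etree.ElementTree` — as far as I know it only exports `parse`, `fromstring`, `iterparse`, `XML`, `XMLParser`, `ParseError` and `tostring` — so after the alias swap any tree-construction name this module reaches through `ET.` (`ET.Element`, `ET.SubElement`, `ET.ElementTree`) will fail with an `AttributeError` at runtime; those uses, if any, are outside the hunk. If the module only ever parses, a short comment on the import saying so would make that explicit; if it also builds or rewrites the configuration (the module docstring suggests it loads properties, so this is unconfirmed), keep a second import for construction, e.g. `from xml.etree import ElementTree as _ET`, and route only the parse through the defused one. Neither `pep8` nor `bandit` will flag the missing attribute, so a unit test that exercises the full code path is the check that catches it.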


@ -19,7 +19,7 @@ import os
import re import re
import traceback import traceback
from defusedxml import lxml as etree from defusedxml import lxml
from oslo_config import cfg from oslo_config import cfg
from oslo_log import log as logging from oslo_log import log as logging
from oslo_utils import excutils from oslo_utils import excutils
@ -291,7 +291,7 @@ class MStorageVolumeCommon(object):
try: try:
with open(product, 'r') as f: with open(product, 'r') as f:
xml = f.read() xml = f.read()
root = etree.fromstring(xml) root = lxml.fromstring(xml)
vendor_name = root.xpath('./VendorName')[0].text vendor_name = root.xpath('./VendorName')[0].text
product_dict = {} product_dict = {}
@ -783,7 +783,7 @@ class MStorageVolumeCommon(object):
return hostports return hostports
def configs(self, xml): def configs(self, xml):
root = etree.fromstring(xml) root = lxml.fromstring(xml)
pools = self.get_pool_config(xml, root) pools = self.get_pool_config(xml, root)
lds, used_ldns = self.get_ld_config(xml, root, pools) lds, used_ldns = self.get_ld_config(xml, root, pools)
iscsi_ldsets = self.get_iscsi_ldset_config(xml, root) iscsi_ldsets = self.get_iscsi_ldset_config(xml, root)
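Review bot: Importing the wrapper as the bare name `lxml` (the new side of the import line) makes `lxml.fromstring(xml)` in the `try` block and in `configs()` read as a direct call into the real `lxml` package — the very API the commit is moving away from — so a later reader has no cue that the defused path is in use; the old alias `etree` or an explicit `from defusedxml import lxml as defused_lxml` keeps the distinction visible. Separately, as far as I recall defusedxml's own documentation presents its `lxml` module as an example wrapper rather than a maintained hardening of lxml; the lxml-native alternative is a dedicated `lxml.etree.XMLParser(resolve_entities=False, no_network=True)` passed to `fromstring`, which would leave the `root.xpath(...)` calls untouched. Both hunks sit inside `MStorageVolumeCommon`, whose methods start and end outside the hunks, and the same naming point applies to the Zadara section below.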


@ -18,7 +18,7 @@ Volume driver for Zadara Virtual Private Storage Array (VPSA).
This driver requires VPSA with API version 15.07 or higher. This driver requires VPSA with API version 15.07 or higher.
""" """
from defusedxml import lxml as etree from defusedxml import lxml
from oslo_config import cfg from oslo_config import cfg
from oslo_log import log as logging from oslo_log import log as logging
from oslo_utils import strutils from oslo_utils import strutils
@ -270,7 +270,7 @@ class ZadaraVPSAConnection(object):
raise exception.BadHTTPResponseStatus(status=response.status_code) raise exception.BadHTTPResponseStatus(status=response.status_code)
data = response.content data = response.content
xml_tree = etree.fromstring(data) xml_tree = lxml.fromstring(data)
status = xml_tree.findtext('status') status = xml_tree.findtext('status')
if status != '0': if status != '0':
raise exception.FailedCmdWithDump(status=status, data=data) raise exception.FailedCmdWithDump(status=status, data=data)
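Review bot: `xml_tree = lxml.fromstring(data)` parses `response.content` straight from the array's HTTP reply, which makes it the one call in this commit where the document is plainly network-sourced, and it deserves a one-line comment so a later maintainer does not "simplify" it back to `lxml.etree`: `# response body is untrusted network input; parse through the defused wrapper`. The enclosing method of `ZadaraVPSAConnection` begins before the hunk, so the `try`/`except` structure around this parse, if any, is not visible here.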