Use defusedxml for XML parsing
The built-in xml module is vulnerable to several known XML attacks. While the likelihood of exploitation is limited by the way some of the volume drivers use it, it is still an identified security risk that can be mitigated almost painlessly with the defusedxml package [1]. Some drivers that perform XML parsing are still not covered by this patch; they need closer analysis to determine how best to switch to the defusedxml equivalents. This patch covers the instances where the change was a mostly drop-in replacement of the native xml functionality with the defusedxml alternatives. [1] https://github.com/tiran/defusedxml/blob/master/README.md Change-Id: I083fc23eab6f712264919a250c6fb57cc0f6a11b Partial-bug: #1732155
parent
4e51d33861
commit
4137c33922
|
@ -16,8 +16,7 @@
|
||||||
#
|
#
|
||||||
"""Unit tests for OpenStack Cinder DotHill driver."""
|
"""Unit tests for OpenStack Cinder DotHill driver."""
|
||||||
|
|
||||||
|
from defusedxml import lxml as etree
|
||||||
from lxml import etree
|
|
||||||
import mock
|
import mock
|
||||||
import requests
|
import requests
|
||||||
|
|
||||||
|
@ -205,7 +204,7 @@ class TestDotHillClient(test.TestCase):
|
||||||
RequestException("error")]
|
RequestException("error")]
|
||||||
mock_requests_get.return_value = m
|
mock_requests_get.return_value = m
|
||||||
ret = self.client._api_request('/path')
|
ret = self.client._api_request('/path')
|
||||||
self.assertTrue(type(ret) == etree._Element)
|
self.assertTrue(type(ret) == etree.RestrictedElement)
|
||||||
self.assertRaises(exception.DotHillConnectionError,
|
self.assertRaises(exception.DotHillConnectionError,
|
||||||
self.client._api_request,
|
self.client._api_request,
|
||||||
'/path')
|
'/path')
|
||||||
|
|
|
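Review bot: The updated assertion in the `@ -205,7 +204,7 @@` hunk, `self.assertTrue(type(ret) == etree.RestrictedElement)`, compares types by equality, which fails for subclasses and gives an uninformative "False is not true" message; `self.assertIsInstance(ret, etree.RestrictedElement)` expresses the same intent and reports the actual type on failure. Beyond the type check, nothing here exercises the property the commit is buying: a negative test that feeds `_api_request` a response containing a DTD or entity declaration and asserts that defusedxml's exception (or whatever the client wraps it in) surfaces would verify the mitigation rather than the parser's identity. Note that the test method enclosing this line starts outside the hunk.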
@ -14,14 +14,11 @@
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
import base64
|
import base64
|
||||||
try:
|
|
||||||
import xml.etree.cElementTree as ET
|
|
||||||
except ImportError:
|
|
||||||
import xml.etree.ElementTree as ET
|
|
||||||
|
|
||||||
from ddt import data
|
from ddt import data
|
||||||
from ddt import ddt
|
from ddt import ddt
|
||||||
from ddt import unpack
|
from ddt import unpack
|
||||||
|
from defusedxml import cElementTree as ET
|
||||||
import eventlet
|
import eventlet
|
||||||
import mock
|
import mock
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
|
|
|
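Review bot: This hunk and the `@ -23,11 +23,8 @@` hunk spell the import as `from defusedxml import cElementTree as ET`, while the Fujitsu hunk in the same commit uses `from defusedxml import ElementTree as ET`; the three should agree. Since the old `try: import xml.etree.cElementTree` fallback was dropped anyway, the `cElementTree` spelling buys nothing on Python 3 (the stdlib `ElementTree` already uses the C accelerator and `xml.etree.cElementTree` is deprecated there), and defusedxml later deprecated its `cElementTree` module upstream, so `from defusedxml import ElementTree as ET` is the portable choice for both files. Also worth a comment at the import site: defusedxml's `parse`/`fromstring` default to `forbid_entities=True` and `forbid_external=True` but `forbid_dtd=False`, so a document carrying a DTD without entity declarations is still accepted, e.g. `# defusedxml: entities/external refs rejected by default; DTDs still allowed unless forbid_dtd=True`.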
@ -19,7 +19,7 @@ import hashlib
|
||||||
import math
|
import math
|
||||||
import time
|
import time
|
||||||
|
|
||||||
from lxml import etree
|
from defusedxml import lxml as etree
|
||||||
from oslo_log import log as logging
|
from oslo_log import log as logging
|
||||||
from oslo_utils import strutils
|
from oslo_utils import strutils
|
||||||
from oslo_utils import units
|
from oslo_utils import units
|
||||||
|
|
|
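Review bot: Aliasing `from defusedxml import lxml as etree` is only a drop-in replacement for the subset of names `defusedxml.lxml` re-exports (`parse`, `fromstring`/`XML`, `tostring`, `RestrictedElement`, and an `iterparse` that only raises `NotSupportedError`); `etree.Element`, `etree.SubElement`, `etree.XMLSyntaxError`, `etree.XPath` and the rest of `lxml.etree` are not provided. If this driver builds request bodies or catches lxml parse errors through the `etree` name (the uses are outside the hunk, so this is inferred), those call sites now raise `AttributeError` at runtime; keeping `from lxml import etree` alongside a separate `from defusedxml import lxml as defused_etree` used only for `parse`/`fromstring` avoids that. The same concern applies to the `@ -15,11 +15,11 @@` and `@ -18,7 +18,7 @@` hunks. Note also that `defusedxml.lxml` was later deprecated upstream in favour of lxml's own `XMLParser(resolve_entities=False)`, so the longer-term fix is a hardened lxml parser rather than the alias.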
@ -22,18 +22,19 @@ Cinder Volume driver for Fujitsu ETERNUS DX S3 series.
|
||||||
import ast
|
import ast
|
||||||
import base64
|
import base64
|
||||||
import hashlib
|
import hashlib
|
||||||
import six
|
|
||||||
import time
|
import time
|
||||||
from xml.etree.ElementTree import parse
|
|
||||||
|
|
||||||
from cinder import exception
|
from defusedxml import ElementTree as ET
|
||||||
from cinder.i18n import _
|
|
||||||
from cinder.volume import configuration as conf
|
|
||||||
from oslo_concurrency import lockutils
|
from oslo_concurrency import lockutils
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
from oslo_log import log as logging
|
from oslo_log import log as logging
|
||||||
from oslo_service import loopingcall
|
from oslo_service import loopingcall
|
||||||
from oslo_utils import units
|
from oslo_utils import units
|
||||||
|
import six
|
||||||
|
|
||||||
|
from cinder import exception
|
||||||
|
from cinder.i18n import _
|
||||||
|
from cinder.volume import configuration as conf
|
||||||
|
|
||||||
LOG = logging.getLogger(__name__)
|
LOG = logging.getLogger(__name__)
|
||||||
CONF = cfg.CONF
|
CONF = cfg.CONF
|
||||||
|
@ -1099,7 +1100,7 @@ class FJDXCommon(object):
|
||||||
LOG.debug("_get_drvcfg, input[%(filename)s][%(tagname)s].",
|
LOG.debug("_get_drvcfg, input[%(filename)s][%(tagname)s].",
|
||||||
{'filename': filename, 'tagname': tagname})
|
{'filename': filename, 'tagname': tagname})
|
||||||
|
|
||||||
tree = parse(filename)
|
tree = ET.parse(filename)
|
||||||
elem = tree.getroot()
|
elem = tree.getroot()
|
||||||
|
|
||||||
ret = None
|
ret = None
|
||||||
|
|
|
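Review bot: In the `@ -1099,7 +1100,7 @@` hunk, `tree = ET.parse(filename)` changes the failure mode of `_get_drvcfg`: defusedxml signals a forbidden DTD/entity/external reference with `defusedxml.DefusedXmlException` (a `ValueError` subclass), not `ET.ParseError`. If the rest of `_get_drvcfg` or its callers catch `ET.ParseError` to turn a malformed driver config file into a driver error (the function starts and ends outside the hunk, so this is inferred), that handler will not cover the new exception; a handler of the form `except (ET.ParseError, DefusedXmlException) as e:` with `from defusedxml import DefusedXmlException` added to the import block would keep the error reporting uniform. Since `filename` is the operator-supplied driver config path, the exposure here is local configuration rather than remote input, but a clear error on a rejected file is still preferable to an unhandled `ValueError`.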
@ -15,11 +15,11 @@
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
import errno
|
import errno
|
||||||
from lxml import etree
|
|
||||||
import os
|
import os
|
||||||
import re
|
import re
|
||||||
import traceback
|
import traceback
|
||||||
|
|
||||||
|
from defusedxml import lxml as etree
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
from oslo_log import log as logging
|
from oslo_log import log as logging
|
||||||
from oslo_utils import excutils
|
from oslo_utils import excutils
|
||||||
|
|
|
@ -23,11 +23,8 @@ import re
|
||||||
import ssl
|
import ssl
|
||||||
import threading
|
import threading
|
||||||
import time
|
import time
|
||||||
try:
|
|
||||||
import xml.etree.cElementTree as ET
|
|
||||||
except ImportError:
|
|
||||||
import xml.etree.ElementTree as ET
|
|
||||||
|
|
||||||
|
from defusedxml import cElementTree as ET
|
||||||
from oslo_concurrency import lockutils
|
from oslo_concurrency import lockutils
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
from oslo_log import log as logging
|
from oslo_log import log as logging
|
||||||
|
|
|
@ -18,7 +18,7 @@ Volume driver for Zadara Virtual Private Storage Array (VPSA).
|
||||||
This driver requires VPSA with API version 15.07 or higher.
|
This driver requires VPSA with API version 15.07 or higher.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
from lxml import etree
|
from defusedxml import lxml as etree
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
from oslo_log import log as logging
|
from oslo_log import log as logging
|
||||||
from oslo_utils import strutils
|
from oslo_utils import strutils
|
||||||
|
|
|
@ -5,6 +5,7 @@
|
||||||
pbr!=2.1.0,>=2.0.0 # Apache-2.0
|
pbr!=2.1.0,>=2.0.0 # Apache-2.0
|
||||||
Babel!=2.4.0,>=2.3.4 # BSD
|
Babel!=2.4.0,>=2.3.4 # BSD
|
||||||
decorator>=3.4.0 # BSD
|
decorator>=3.4.0 # BSD
|
||||||
|
defusedxml>=0.5.0 # PSF
|
||||||
enum34>=1.0.4;python_version=='2.7' or python_version=='2.6' or python_version=='3.3' # BSD
|
enum34>=1.0.4;python_version=='2.7' or python_version=='2.6' or python_version=='3.3' # BSD
|
||||||
eventlet!=0.18.3,!=0.20.1,<0.21.0,>=0.18.2 # MIT
|
eventlet!=0.18.3,!=0.20.1,<0.21.0,>=0.18.2 # MIT
|
||||||
greenlet>=0.4.10 # MIT
|
greenlet>=0.4.10 # MIT
|
||||||
|
|