Use defusedxml for XML parsing

The built-in xml module has some vulnerabilities to several known
XML attacks. While the chances of this are limited with the way
it is being used by some of the volume drivers, it is still a
security risk that has been identified and has a mostly painless
way to be mitigated with the defusedxml package [1].

There are still some drivers performing XML parsing that are not
covered by this patch. They need closer analysis to see how to
best switch to the defusedxml equivalents.

This patch covers the instances where it was a mostly drop in and
replace from the native xml functionality to the defusedxml
alternatives.

[1] https://github.com/tiran/defusedxml/blob/master/README.md

Change-Id: I083fc23eab6f712264919a250c6fb57cc0f6a11b
Partial-bug: #1732155

cinder/tests/unit/volume/drivers/test_dothill.py

@@ -16,8 +16,7 @@
 #
 """Unit tests for OpenStack Cinder DotHill driver."""
 
-
+from defusedxml import lxml as etree
-from lxml import etree
 import mock
 import requests
 
@@ -205,7 +204,7 @@ class TestDotHillClient(test.TestCase):
                                      RequestException("error")]
         mock_requests_get.return_value = m
         ret = self.client._api_request('/path')
-        self.assertTrue(type(ret) == etree._Element)
+        self.assertTrue(type(ret) == etree.RestrictedElement)
         self.assertRaises(exception.DotHillConnectionError,
                           self.client._api_request,
                           '/path')

cinder/tests/unit/volume/drivers/test_qnap.py

@@ -14,14 +14,11 @@
 #    under the License.
 
 import base64
-try:
-    import xml.etree.cElementTree as ET
-except ImportError:
-    import xml.etree.ElementTree as ET
 
 from ddt import data
 from ddt import ddt
 from ddt import unpack
+from defusedxml import cElementTree as ET
 import eventlet
 import mock
 from oslo_config import cfg

cinder/volume/drivers/dothill/dothill_client.py

@@ -19,7 +19,7 @@ import hashlib
 import math
 import time
 
-from lxml import etree
+from defusedxml import lxml as etree
 from oslo_log import log as logging
 from oslo_utils import strutils
 from oslo_utils import units

cinder/volume/drivers/fujitsu/eternus_dx_common.py

@@ -22,18 +22,19 @@ Cinder Volume driver for Fujitsu ETERNUS DX S3 series.
 import ast
 import base64
 import hashlib
-import six
 import time
-from xml.etree.ElementTree import parse
 
-from cinder import exception
+from defusedxml import ElementTree as ET
-from cinder.i18n import _
-from cinder.volume import configuration as conf
 from oslo_concurrency import lockutils
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_service import loopingcall
 from oslo_utils import units
+import six
+
+from cinder import exception
+from cinder.i18n import _
+from cinder.volume import configuration as conf
 
 LOG = logging.getLogger(__name__)
 CONF = cfg.CONF
@@ -1099,7 +1100,7 @@ class FJDXCommon(object):
         LOG.debug("_get_drvcfg, input[%(filename)s][%(tagname)s].",
                   {'filename': filename, 'tagname': tagname})
 
-        tree = parse(filename)
+        tree = ET.parse(filename)
         elem = tree.getroot()
 
         ret = None

cinder/volume/drivers/nec/volume_common.py

@@ -15,11 +15,11 @@
 #    under the License.
 
 import errno
-from lxml import etree
 import os
 import re
 import traceback
 
+from defusedxml import lxml as etree
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import excutils

cinder/volume/drivers/qnap.py

@@ -23,11 +23,8 @@ import re
 import ssl
 import threading
 import time
-try:
-    import xml.etree.cElementTree as ET
-except ImportError:
-    import xml.etree.ElementTree as ET
 
+from defusedxml import cElementTree as ET
 from oslo_concurrency import lockutils
 from oslo_config import cfg
 from oslo_log import log as logging

cinder/volume/drivers/zadara.py

@@ -18,7 +18,7 @@ Volume driver for Zadara Virtual Private Storage Array (VPSA).
 This driver requires VPSA with API version 15.07 or higher.
 """
 
-from lxml import etree
+from defusedxml import lxml as etree
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import strutils

requirements.txt

@@ -5,6 +5,7 @@
 pbr!=2.1.0,>=2.0.0 # Apache-2.0
 Babel!=2.4.0,>=2.3.4 # BSD
 decorator>=3.4.0 # BSD
+defusedxml>=0.5.0  # PSF
 enum34>=1.0.4;python_version=='2.7' or python_version=='2.6' or python_version=='3.3' # BSD
 eventlet!=0.18.3,!=0.20.1,<0.21.0,>=0.18.2 # MIT
 greenlet>=0.4.10 # MIT