From cb31307adf268059b3868f375b9aecadb8b643c5 Mon Sep 17 00:00:00 2001
From: Ubuntu
Date: Tue, 26 Mar 2024 17:36:06 +0000
Subject: [PATCH] Replaces Huawei driver XML with defusedxml

Replaces Huawei driver's use of Python's native XML library methods with defusedxml's methods instead. The native library is vulnerable to XML attacks while defusedxml isn't. This also makes Bandit 3 issues happier.

Change-Id: I27d1204ec7dafd3b578d1261c3fd2e371ae405fb
---
 manila/share/drivers/huawei/huawei_nas.py | 3 +--
 manila/share/drivers/huawei/v3/helper.py | 2 +-
 manila/tests/share/drivers/huawei/test_huawei_nas.py | 2 +-
 requirements.txt | 1 +
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/manila/share/drivers/huawei/huawei_nas.py b/manila/share/drivers/huawei/huawei_nas.py
index 9218fac7f8..85e232a205 100644
--- a/manila/share/drivers/huawei/huawei_nas.py
+++ b/manila/share/drivers/huawei/huawei_nas.py
@@ -14,8 +14,7 @@
 # under the License.
 """Huawei Nas Driver for Huawei storage arrays."""
-from xml.etree import ElementTree as ET
-
+from defusedxml import ElementTree as ET
 from oslo_config import cfg
 from oslo_log import log
 from oslo_utils import importutils
diff --git a/manila/share/drivers/huawei/v3/helper.py b/manila/share/drivers/huawei/v3/helper.py
index 32a740415f..41a0e477aa 100644
--- a/manila/share/drivers/huawei/v3/helper.py
+++ b/manila/share/drivers/huawei/v3/helper.py
@@ -17,8 +17,8 @@ import base64
 import copy
 import requests
 import time
-from xml.etree import ElementTree as ET
+from defusedxml import ElementTree as ET
 from oslo_log import log
 from oslo_serialization import jsonutils
diff --git a/manila/tests/share/drivers/huawei/test_huawei_nas.py b/manila/tests/share/drivers/huawei/test_huawei_nas.py
index 7b8bcc9112..c53f27c18a 100644
--- a/manila/tests/share/drivers/huawei/test_huawei_nas.py
+++ b/manila/tests/share/drivers/huawei/test_huawei_nas.py
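Review bot: In manila/share/drivers/huawei/huawei_nas.py the alias `ET` now refers to `defusedxml.ElementTree`, which exposes only the parsing entry points (`parse`, `fromstring`, `iterparse`, `XMLParser`, `tostring`, `ParseError`) and not element constructors such as `ET.Element` or `ET.SubElement`. The call sites are outside this hunk, so every `ET.` use in this module, and in v3/helper.py and test_huawei_nas.py which make the same swap, should be confirmed to be one of those names; anything else would raise AttributeError when the call runs, not at import time. A comment on the import, for example `# defusedxml: parsing API only; element construction stays with xml.etree`, would keep a later edit from assuming the full ElementTree module is behind the alias.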
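Review bot: In manila/share/drivers/huawei/v3/helper.py, parsing through defusedxml can raise `defusedxml.DefusedXmlException` subclasses (for example `EntitiesForbidden` when a document declares entities); these derive from ValueError and are not caught by a handler written for `ET.ParseError`. The parse calls are outside this hunk, so this is inferred rather than visible: if they read the operator-supplied driver configuration file, a rejected document would surface as an unhandled exception unless the existing handler is widened. Catching `DefusedXmlException` at the parse site and re-raising the driver's usual invalid-configuration error would report that case clearly, and a unit test feeding a document with an entity declaration would pin the behaviour.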
@@ -25,8 +25,8 @@ from unittest import mock
 import xml.dom.minidom
 import ddt
+from defusedxml import ElementTree as ET
 from oslo_serialization import jsonutils
-from xml.etree import ElementTree as ET
 from manila.common import constants as common_constants
 from manila import context
diff --git a/requirements.txt b/requirements.txt
index 8c7844a508..80a54ba0cf 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -10,6 +10,7 @@
 pbr>=5.5.0 # Apache-2.0
 alembic>=1.4.2 # MIT
+defusedxml>=0.7.1 # PSFL
 eventlet>=0.26.1 # MIT
 greenlet>=0.4.16 # MIT
 lxml>=4.5.2 # BSD
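Review bot: In manila/tests/share/drivers/huawei/test_huawei_nas.py, `import xml.dom.minidom` remains in the context lines above the changed import, so the test module still loads a standard-library XML module next to defusedxml. Its uses are outside the hunk; if minidom only builds fixture documents that is fine, and a comment such as `# minidom only builds fixtures; parsing goes through defusedxml` would record the intent. If it also parses documents, `defusedxml.minidom` provides `parse` and `parseString` as drop-in replacements, which would keep the tests on the same parser family as the driver.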