Fix security vulnerabilities using Bandit

Tempest was using: -python module xml.etree[1], It was vulnerable to different atacks. Instead of xml.etree.ElementTree tempest is now using defusedxml.ElementTree which is more secure. [1] https://bandit.readthedocs.io/en/1.7.0/blacklists/blacklist_calls.html B313 Change-Id: I50a8ab3c3be2decccd7480ecf00f1a3e4a75f172
4 months ago · 76db176c7e
parent 4ff6f153b1
commit 76db176c7e
3 changed files with 3 additions and 2 deletions
--- a/requirements.txt
+++ b/requirements.txt
@ -21,3 +21,4 @@ stevedore>=1.20.0 # Apache-2.0
 PrettyTable>=0.7.1 # BSD
 urllib3>=1.21.1 # MIT
 debtcollector>=1.2.0 # Apache-2.0
+defusedxml>=0.7.1 # PSFL
--- a/tempest/lib/services/object_storage/account_client.py
+++ b/tempest/lib/services/object_storage/account_client.py
@ -14,8 +14,8 @@
 #    under the License.

 from urllib import parse as urllib
-from xml.etree import ElementTree as etree

+from defusedxml import ElementTree as etree
 from oslo_serialization import jsonutils as json

 from tempest.lib.common import rest_client
--- a/tempest/lib/services/object_storage/container_client.py
+++ b/tempest/lib/services/object_storage/container_client.py
@ -14,9 +14,9 @@
 #    under the License.

 from urllib import parse as urllib
-from xml.etree import ElementTree as etree

 import debtcollector.moves
+from defusedxml import ElementTree as etree
 from oslo_serialization import jsonutils as json

 from tempest.lib.common import rest_client