openstack/tempest
Code Issues Proposed changes

Fix security vulnerabilities using Bandit

Browse Source 
Tempest was using:
-python module xml.etree[1],

It was vulnerable to different atacks.

Instead of xml.etree.ElementTree tempest is now using
defusedxml.ElementTree which is more secure.

[1] https://bandit.readthedocs.io/en/1.7.0/blacklists/blacklist_calls.html B313

Change-Id: I50a8ab3c3be2decccd7480ecf00f1a3e4a75f172
This commit is contained in:
jskunda 2022-09-29 11:14:34 +00:00
parent 4ff6f153b1
commit 76db176c7e
3 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
requirements.txt
View File

@ -21,3 +21,4 @@ stevedore>=1.20.0 # Apache-2.0
PrettyTable>=0.7.1 # BSD
urllib3>=1.21.1 # MIT
debtcollector>=1.2.0 # Apache-2.0
defusedxml>=0.7.1 # PSFL

2
tempest/lib/services/object_storage/account_client.py
View File

@ -14,8 +14,8 @@
# under the License.
from urllib import parse as urllib
from xml.etree import ElementTree as etree
from defusedxml import ElementTree as etree
from oslo_serialization import jsonutils as json
from tempest.lib.common import rest_client

2
tempest/lib/services/object_storage/container_client.py
View File

@ -14,9 +14,9 @@
# under the License.
from urllib import parse as urllib
from xml.etree import ElementTree as etree
import debtcollector.moves
from defusedxml import ElementTree as etree
from oslo_serialization import jsonutils as json
from tempest.lib.common import rest_client