Fix security vulnerabilities using Bandit

Tempest was using:
-python module xml.etree[1],

It was vulnerable to different attacks.

Instead of xml.etree.ElementTree tempest is now using
defusedxml.ElementTree which is more secure.

[1] https://bandit.readthedocs.io/en/1.7.0/blacklists/blacklist_calls.html B313

Change-Id: I50a8ab3c3be2decccd7480ecf00f1a3e4a75f172
jskunda 2022-09-29 11:14:34 +00:00
parent 4ff6f153b1
commit 76db176c7e
3 changed files with 3 additions and 2 deletions


@ -21,3 +21,4 @@ stevedore>=1.20.0 # Apache-2.0
PrettyTable>=0.7.1 # BSD PrettyTable>=0.7.1 # BSD
urllib3>=1.21.1 # MIT urllib3>=1.21.1 # MIT
debtcollector>=1.2.0 # Apache-2.0 debtcollector>=1.2.0 # Apache-2.0
defusedxml>=0.7.1 # PSFL


@ -14,8 +14,8 @@
# under the License. # under the License.
from urllib import parse as urllib from urllib import parse as urllib
from xml.etree import ElementTree as etree
from defusedxml import ElementTree as etree
from oslo_serialization import jsonutils as json from oslo_serialization import jsonutils as json
from tempest.lib.common import rest_client from tempest.lib.common import rest_client
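Review bot: The aliased import on the new side keeps the name `etree` but not the full API. `defusedxml.ElementTree` exposes the parsing entry points (`fromstring`, `parse`, `iterparse`, `XMLParser`) and `tostring`, but not tree-building names such as `Element` or `SubElement`, so any use of those further down the file (outside this hunk) would now fail with AttributeError. Parsing also changes contract: a response body carrying entity declarations now raises `defusedxml.EntitiesForbidden`, a ValueError subclass rather than `ParseError`, which callers of this client may not handle. A comment above the import would record the intent, e.g. `# defusedxml: parse-only replacement for xml.etree; rejects entity declarations (Bandit B313)`. The same applies to the identical import swap in the third file section.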


@ -14,9 +14,9 @@
# under the License. # under the License.
from urllib import parse as urllib from urllib import parse as urllib
from xml.etree import ElementTree as etree
import debtcollector.moves import debtcollector.moves
from defusedxml import ElementTree as etree
from oslo_serialization import jsonutils as json from oslo_serialization import jsonutils as json
from tempest.lib.common import rest_client from tempest.lib.common import rest_client