
Use defusedxml instead of standard xml

Because the XML-handling modules in the Python standard library's xml package
are vulnerable[1], we should use defusedxml[2] to parse XML.

[1] https://docs.python.org/3/library/xml.html#xml-vulnerabilities
[2] https://pypi.org/project/defusedxml/

Change-Id: I8ff057ee64c04c4cd5c92abf3e31b52c6225ed76
changes/29/823029/5
vanou 6 months ago
parent
commit
8e527de430
  1. 1
      requirements.txt
  2. 4
      scciclient/irmc/scci.py
  3. 5
      scciclient/tests/irmc/test_scci.py

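--- a/requirements.txt
+++ b/requirements.txt
@@ -6,6 +6,7 @@ Babel!=2.4.0,>=2.3.4 # BSD
 pyghmi>=1.0.24 # Apache-2.0
 pysnmp>=4.2.3 # BSD
 requests>=2.14.2 # Apache-2.0
+defusedxml>=0.7.0 # PSF
 six>=1.10.0 # MIT
 oslo.utils>=3.33.0 # Apache-2.0
 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0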

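--- a/scciclient/irmc/scci.py
+++ b/scciclient/irmc/scci.py
@@ -18,8 +18,8 @@ SCCI functionalities shared between different iRMC modules.
 import functools
 import time
-import xml.etree.ElementTree as ET
+import defusedxml.ElementTree as ET
 import requests
 import six
@@ -487,7 +487,6 @@ def get_sensor_data_records(report):
     """
     sensor = report.find("./System/SensorDataRecords")
-    # ET.dump(sensor[0])
     return sensor
@@ -500,7 +499,6 @@ def get_irmc_version(report):
     """
     version = report.find("./System/ManagementControllers/iRMC")
-    # ET.dump(version[0])
     return version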
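Review bot: Aliasing defusedxml.ElementTree as `ET` in the import hunk at the top of this section makes the swap read as a drop-in, but defusedxml's ElementTree module only re-exports the parsing entry points (parse, iterparse, fromstring/XML, XMLParser, ParseError, and as far as I recall tostring) and has no Element, SubElement or dump, so any tree-building `ET.*` call elsewhere in scci.py, outside these hunks, would now fail with AttributeError and the module's remaining ET uses should be checked (removing the two `# ET.dump(...)` comments suggests this was partly done). A document the defused parser refuses surfaces as defusedxml.EntitiesForbidden, ExternalReferenceForbidden or DTDForbidden, which derive from DefusedXmlException (a ValueError subclass) rather than from ET.ParseError, so a caller that only catches ET.ParseError around the report parse will let those propagate; the parse site should catch DefusedXmlException too or document that it propagates. A comment on the import, `# defusedxml: parse-only API; entity, DTD and external-reference expansion is refused`, would make both points visible to the next reader.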

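--- a/scciclient/tests/irmc/test_scci.py
+++ b/scciclient/tests/irmc/test_scci.py
@@ -19,6 +19,7 @@ import os
 import time
 import xml.etree.ElementTree as ET
+import defusedxml.ElementTree as dET
 import mock
 from requests_mock.contrib import fixture as rm_fixture
 import six
@@ -49,13 +50,13 @@ class SCCITestCase(testtools.TestCase):
             os.path.dirname(__file__),
             'fixtures/irmc_report_ok.xml'), "r") as report_ok:
             self.report_ok_txt = report_ok.read()
-            self.report_ok_xml = ET.fromstring(self.report_ok_txt)
+            self.report_ok_xml = dET.fromstring(self.report_ok_txt)
         with open(os.path.join(
             os.path.dirname(__file__),
             'fixtures/irmc_report_ng.xml'), "r") as report_ng:
             self.report_ng_txt = report_ng.read()
-            self.report_ng_xml = ET.fromstring(self.report_ng_txt)
+            self.report_ng_xml = dET.fromstring(self.report_ng_txt)
         self.irmc_address = '10.124.196.159'
         self.irmc_username = 'admin'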
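Review bot: The import hunk adds `dET` next to the existing `import xml.etree.ElementTree as ET`, yet every ET.fromstring call visible in the setUp hunk now goes through dET; if nothing else in test_scci.py still references ET, the stdlib import is now unused and will trip flake8's F401 under pep8 gating, so it should be dropped or kept only where a non-defused tree is deliberately needed. The commit also adds no test that pins the new behaviour: a test that feeds a fixture carrying an entity or DTD declaration through the scci module's own parse path and asserts `defusedxml.DefusedXmlException` (or the specific EntitiesForbidden) is raised would guard against a later revert to the stdlib parser. As written, setUp parses the fixtures directly with dET rather than through the ET alias scci.py now binds, so these tests exercise defusedxml but not the import the commit actually changed. setUp continues outside the hunk.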
