Use defusedxml instead of standard xml

Because the XML handling modules in the Python standard library's xml
package are vulnerable to maliciously constructed input[1], we should use
defusedxml[2] for parsing XML.

[1] https://docs.python.org/3/library/xml.html#xml-vulnerabilities
[2] https://pypi.org/project/defusedxml/

Change-Id: I8ff057ee64c04c4cd5c92abf3e31b52c6225ed76
vanou 2021-12-28 10:16:00 +09:00
parent 8bf25f738d
commit 8e527de430
3 changed files with 5 additions and 5 deletions


@ -6,6 +6,7 @@ Babel!=2.4.0,>=2.3.4 # BSD
pyghmi>=1.0.24 # Apache-2.0 pyghmi>=1.0.24 # Apache-2.0
pysnmp>=4.2.3 # BSD pysnmp>=4.2.3 # BSD
requests>=2.14.2 # Apache-2.0 requests>=2.14.2 # Apache-2.0
defusedxml>=0.7.0 # PSF
six>=1.10.0 # MIT six>=1.10.0 # MIT
oslo.utils>=3.33.0 # Apache-2.0 oslo.utils>=3.33.0 # Apache-2.0
oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0


@ -18,8 +18,8 @@ SCCI functionalities shared between different iRMC modules.
import functools import functools
import time import time
import xml.etree.ElementTree as ET
import defusedxml.ElementTree as ET
import requests import requests
import six import six
@ -487,7 +487,6 @@ def get_sensor_data_records(report):
""" """
sensor = report.find("./System/SensorDataRecords") sensor = report.find("./System/SensorDataRecords")
# ET.dump(sensor[0])
return sensor return sensor
@ -500,7 +499,6 @@ def get_irmc_version(report):
""" """
version = report.find("./System/ManagementControllers/iRMC") version = report.find("./System/ManagementControllers/iRMC")
# ET.dump(version[0])
return version return version
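Review bot: Rebinding the alias `ET` to `defusedxml.ElementTree` changes what every other `ET.` reference in this module resolves to, and defusedxml exposes only the parsing entry points (`fromstring`, `parse`, `iterparse`, `XMLParser`, `tostring`, `ParseError`), not `Element`, `SubElement` or `dump`. The two removed `# ET.dump(...)` comments suggest this was noticed, but the rest of the module lies outside the visible hunks, so any remaining use of a missing name should be checked. Separately, defusedxml rejects entity declarations with `defusedxml.EntitiesForbidden`, which is a `ValueError` subclass and not an `ET.ParseError`. If the code that parses the iRMC response has a handler such as `except ET.ParseError:`, it would need to become `except (ET.ParseError, ValueError):` so that a hostile or corrupted response is reported as an invalid report instead of an unhandled exception.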


@ -19,6 +19,7 @@ import os
import time import time
import xml.etree.ElementTree as ET import xml.etree.ElementTree as ET
import defusedxml.ElementTree as dET
import mock import mock
from requests_mock.contrib import fixture as rm_fixture from requests_mock.contrib import fixture as rm_fixture
import six import six
@ -49,13 +50,13 @@ class SCCITestCase(testtools.TestCase):
os.path.dirname(__file__), os.path.dirname(__file__),
'fixtures/irmc_report_ok.xml'), "r") as report_ok: 'fixtures/irmc_report_ok.xml'), "r") as report_ok:
self.report_ok_txt = report_ok.read() self.report_ok_txt = report_ok.read()
self.report_ok_xml = ET.fromstring(self.report_ok_txt) self.report_ok_xml = dET.fromstring(self.report_ok_txt)
with open(os.path.join( with open(os.path.join(
os.path.dirname(__file__), os.path.dirname(__file__),
'fixtures/irmc_report_ng.xml'), "r") as report_ng: 'fixtures/irmc_report_ng.xml'), "r") as report_ng:
self.report_ng_txt = report_ng.read() self.report_ng_txt = report_ng.read()
self.report_ng_xml = ET.fromstring(self.report_ng_txt) self.report_ng_xml = dET.fromstring(self.report_ng_txt)
self.irmc_address = '10.124.196.159' self.irmc_address = '10.124.196.159'
self.irmc_username = 'admin' self.irmc_username = 'admin'
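Review bot: The tests only swap the parser used for the two known-good fixtures in `setUp`, so nothing pins the behaviour this commit exists to provide. A negative case would guard against a later revert to `xml.etree.ElementTree`: feed `dET.fromstring` a small constructed report that declares an internal entity and assert the rejection, e.g. `self.assertRaises(defusedxml.EntitiesForbidden, dET.fromstring, report_with_entity_txt)`, where `report_with_entity_txt` is a placeholder for the new fixture. That needs a plain `import defusedxml` next to the `dET` import. `setUp` continues outside this hunk, so where the new fixture is loaded is left to the author.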