Added to resolve Bandit: Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks.(DE893)

Change-Id: I4d04d2a219d61765f86ab45e8dbbb6d27a116687
2015-11-13 05:49:22 -08:00 · 2015-11-13 05:49:22 -08:00 · 92de847823
parent fe9a473d51
commit 92de847823
2 changed files with 8 additions and 6 deletions
--- a/cloudpulse/api/middleware/parsable_error.py
+++ b/cloudpulse/api/middleware/parsable_error.py
@ -18,8 +18,9 @@ response with one formatted so the client can parse it.
 Based on pecan.middleware.errordocument
 """

+from defusedxml import ElementTree
 import json
-from xml import etree as et
+# from xml import etree as et

 import webob

@ -69,11 +70,11 @@ class ParsableErrorMiddleware(object):
               == 'application/xml'):
                try:
                    # simple check xml is valid
-                    body = [et.ElementTree.tostring(
-                            et.ElementTree.fromstring('<error_message>'
-                                                      + '\n'.join(app_iter)
-                                                      + '</error_message>'))]
-                except et.ElementTree.ParseError as err:
+                    body = [ElementTree.tostring(
+                            ElementTree.fromstring('<error_message>'
+                                                   + '\n'.join(app_iter)
+                                                   + '</error_message>'))]
+                except ElementTree.ParseError as err:
                    LOG.error(_LE('Error parsing HTTP response: %s'), err)
                    body = ['<error_message>%s' % state['status_code']
                            + '</error_message>']
--- a/requirements.txt
+++ b/requirements.txt
@ -20,3 +20,4 @@ python-glanceclient>=0.15.0,<0.18.0
 python-neutronclient>=2.4.0,<2.5.0
 python-novaclient>=2.22.0,<2.24.0
 WSME>=0.6,<0.7
+defusedxml>=0.4.1