use defusedxml to avoid XML attack

According to https://docs.openstack.org/bandit/latest/api/bandit.blacklists.html Using various XML methods to parse untrusted XML data is known to be vulnerable to XML attacks. Methods should be replaced with their defusedxml equivalents. Change-Id: Icdd807c8fd47ce0df3e292eef910e6e6e7610686 Partial-Bug: #1732155
2017-11-14 18:59:29 +08:00 · 2017-11-14 18:59:29 +08:00 · 2136215612
parent 015b105399
commit 2136215612
4 changed files with 7 additions and 7 deletions
--- a/cinder/volume/drivers/dell_emc/vmax/utils.py
+++ b/cinder/volume/drivers/dell_emc/vmax/utils.py
@ -15,10 +15,10 @@

 from copy import deepcopy
 import datetime
+from defusedxml import minidom
 import hashlib
 import random
 import re
-from xml.dom import minidom

 from cinder.objects.group import Group
 from oslo_log import log as logging
--- a/cinder/volume/drivers/huawei/huawei_conf.py
+++ b/cinder/volume/drivers/huawei/huawei_conf.py
@ -21,8 +21,8 @@ and set every property into Configuration object as an attribute.
 """

 import base64
+from defusedxml import ElementTree as ET
 import six
-from xml.etree import ElementTree as ET

 from oslo_log import log as logging

--- a/cinder/volume/drivers/nec/volume_common.py
+++ b/cinder/volume/drivers/nec/volume_common.py
@ -19,7 +19,7 @@ import os
 import re
 import traceback

-from defusedxml import lxml as etree
+from defusedxml import lxml
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import excutils
@ -291,7 +291,7 @@ class MStorageVolumeCommon(object):
        try:
            with open(product, 'r') as f:
                xml = f.read()
-                root = etree.fromstring(xml)
+                root = lxml.fromstring(xml)
                vendor_name = root.xpath('./VendorName')[0].text

                product_dict = {}
@ -783,7 +783,7 @@ class MStorageVolumeCommon(object):
        return hostports

    def configs(self, xml):
-        root = etree.fromstring(xml)
+        root = lxml.fromstring(xml)
        pools = self.get_pool_config(xml, root)
        lds, used_ldns = self.get_ld_config(xml, root, pools)
        iscsi_ldsets = self.get_iscsi_ldset_config(xml, root)
--- a/cinder/volume/drivers/zadara.py
+++ b/cinder/volume/drivers/zadara.py
@ -18,7 +18,7 @@ Volume driver for Zadara Virtual Private Storage Array (VPSA).
 This driver requires VPSA with API version 15.07 or higher.
 """

-from defusedxml import lxml as etree
+from defusedxml import lxml
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import strutils
@ -270,7 +270,7 @@ class ZadaraVPSAConnection(object):
            raise exception.BadHTTPResponseStatus(status=response.status_code)

        data = response.content
-        xml_tree = etree.fromstring(data)
+        xml_tree = lxml.fromstring(data)
        status = xml_tree.findtext('status')
        if status != '0':
            raise exception.FailedCmdWithDump(status=status, data=data)