use defusedxml to avoid XML attack
According to https://docs.openstack.org/bandit/latest/api/bandit.blacklists.html, using various XML methods to parse untrusted XML data is known to be vulnerable to XML attacks. These methods should be replaced with their defusedxml equivalents.
Change-Id: Icdd807c8fd47ce0df3e292eef910e6e6e7610686
Partial-Bug: #1732155
parent
015b105399
commit
2136215612
|
@ -15,10 +15,10 @@
|
|||
|
||||
from copy import deepcopy
|
||||
import datetime
|
||||
from defusedxml import minidom
|
||||
import hashlib
|
||||
import random
|
||||
import re
|
||||
from xml.dom import minidom
|
||||
|
||||
from cinder.objects.group import Group
|
||||
from oslo_log import log as logging
|
||||
|
|
|
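Review bot: `defusedxml.minidom` provides only the parsing entry points `parse` and `parseString`, so rebinding the name `minidom` to it breaks any code in this file that builds documents through `minidom` (for example `minidom.Document()`); the call sites are outside this hunk and should be checked. The same applies to the `ET` rebinding in the next file section (`from defusedxml import ElementTree as ET`), where construction helpers such as `ET.Element` are, as far as I know, not offered by the defused module. A narrower import keeps both uses working, e.g. `from defusedxml.minidom import parseString` alongside the existing `from xml.dom import minidom`. As a style point, `defusedxml` is a third-party package and would read better grouped with `oslo_log` than between `import datetime` and `import hashlib`.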
@ -21,8 +21,8 @@ and set every property into Configuration object as an attribute.
|
|||
"""
|
||||
|
||||
import base64
|
||||
from defusedxml import ElementTree as ET
|
||||
import six
|
||||
from xml.etree import ElementTree as ET
|
||||
|
||||
from oslo_log import log as logging
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@ import os
|
|||
import re
|
||||
import traceback
|
||||
|
||||
from defusedxml import lxml as etree
|
||||
from defusedxml import lxml
|
||||
from oslo_config import cfg
|
||||
from oslo_log import log as logging
|
||||
from oslo_utils import excutils
|
||||
|
@ -291,7 +291,7 @@ class MStorageVolumeCommon(object):
|
|||
try:
|
||||
with open(product, 'r') as f:
|
||||
xml = f.read()
|
||||
root = etree.fromstring(xml)
|
||||
root = lxml.fromstring(xml)
|
||||
vendor_name = root.xpath('./VendorName')[0].text
|
||||
|
||||
product_dict = {}
|
||||
|
@ -783,7 +783,7 @@ class MStorageVolumeCommon(object):
|
|||
return hostports
|
||||
|
||||
def configs(self, xml):
|
||||
root = etree.fromstring(xml)
|
||||
root = lxml.fromstring(xml)
|
||||
pools = self.get_pool_config(xml, root)
|
||||
lds, used_ldns = self.get_ld_config(xml, root, pools)
|
||||
iscsi_ldsets = self.get_iscsi_ldset_config(xml, root)
|
||||
|
|
|
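Review bot: Importing the module under the bare name `lxml` makes `root = lxml.fromstring(xml)` read like a call into the unguarded lxml package, both in the product-file read and in `configs()`. This assumes the second line of each pair is the new side, since the +/- markers are lost on this page. A name that keeps the protection visible at the call site would be clearer, e.g. `from defusedxml import lxml as defused_lxml`; the Zadara import in the last file section has the same issue. `defusedxml.lxml` is also marked deprecated in later defusedxml releases, so a comment at the import such as `# defusedxml.lxml is deprecated upstream; revisit when it is removed` would save the next maintainer a search. The first call sits inside a `try:` whose handlers are outside the hunk, so it is worth confirming they cope with defusedxml's `EntitiesForbidden`, a `ValueError` subclass.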
@ -18,7 +18,7 @@ Volume driver for Zadara Virtual Private Storage Array (VPSA).
|
|||
This driver requires VPSA with API version 15.07 or higher.
|
||||
"""
|
||||
|
||||
from defusedxml import lxml as etree
|
||||
from defusedxml import lxml
|
||||
from oslo_config import cfg
|
||||
from oslo_log import log as logging
|
||||
from oslo_utils import strutils
|
||||
|
@ -270,7 +270,7 @@ class ZadaraVPSAConnection(object):
|
|||
raise exception.BadHTTPResponseStatus(status=response.status_code)
|
||||
|
||||
data = response.content
|
||||
xml_tree = etree.fromstring(data)
|
||||
xml_tree = lxml.fromstring(data)
|
||||
status = xml_tree.findtext('status')
|
||||
if status != '0':
|
||||
raise exception.FailedCmdWithDump(status=status, data=data)
|
||||
|
|
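Review bot: The body of the VPSA response is parsed with defusedxml's defaults, which reject entity declarations but still accept a DOCTYPE because `forbid_dtd` defaults to `False`. If the API never legitimately sends a DTD, `xml_tree = lxml.fromstring(data, forbid_dtd=True)` closes that gap for data that arrives over the network. A rejected document surfaces as `DTDForbidden` or `EntitiesForbidden`, both `ValueError` subclasses. Nothing visible in this hunk maps them to a driver exception the way the status check maps to `exception.FailedCmdWithDump`. The enclosing method starts and ends outside the hunk, so a handler may already exist there.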