Use defusedxml for XML parsing

The built-in xml module has some vulnerabilities to several known XML attacks. While the chances of this are limited with the way it is being used by some of the volume drivers, it is still a security risk that has been identified and has a mostly painless way to be mitigated with the defusedxml package [1]. There are still some drivers performing XML parsing that are not covered by this patch. They need closer analysis to see how to best switch to the defusedxml equivalents. This patch covers the instances where it was a mostly drop in and replace from the native xml functionality to the defusedxml alternatives. [1] https://github.com/tiran/defusedxml/blob/master/README.md Change-Id: I083fc23eab6f712264919a250c6fb57cc0f6a11b Partial-bug: #1732155
2017-12-16 17:38:41 -06:00 · 2017-12-16 17:38:41 -06:00 · 4137c33922
parent 4e51d33861
commit 4137c33922
8 changed files with 15 additions and 20 deletions
--- a/cinder/tests/unit/volume/drivers/test_dothill.py
+++ b/cinder/tests/unit/volume/drivers/test_dothill.py
@ -16,8 +16,7 @@
 #
 """Unit tests for OpenStack Cinder DotHill driver."""

-
-from lxml import etree
+from defusedxml import lxml as etree
 import mock
 import requests

@ -205,7 +204,7 @@ class TestDotHillClient(test.TestCase):
                                     RequestException("error")]
        mock_requests_get.return_value = m
        ret = self.client._api_request('/path')
-        self.assertTrue(type(ret) == etree._Element)
+        self.assertTrue(type(ret) == etree.RestrictedElement)
        self.assertRaises(exception.DotHillConnectionError,
                          self.client._api_request,
                          '/path')
--- a/cinder/tests/unit/volume/drivers/test_qnap.py
+++ b/cinder/tests/unit/volume/drivers/test_qnap.py
@ -14,14 +14,11 @@
 #    under the License.

 import base64
-try:
-    import xml.etree.cElementTree as ET
-except ImportError:
-    import xml.etree.ElementTree as ET

 from ddt import data
 from ddt import ddt
 from ddt import unpack
+from defusedxml import cElementTree as ET
 import eventlet
 import mock
 from oslo_config import cfg
--- a/cinder/volume/drivers/dothill/dothill_client.py
+++ b/cinder/volume/drivers/dothill/dothill_client.py
@ -19,7 +19,7 @@ import hashlib
 import math
 import time

-from lxml import etree
+from defusedxml import lxml as etree
 from oslo_log import log as logging
 from oslo_utils import strutils
 from oslo_utils import units
--- a/cinder/volume/drivers/fujitsu/eternus_dx_common.py
+++ b/cinder/volume/drivers/fujitsu/eternus_dx_common.py
@ -22,18 +22,19 @@ Cinder Volume driver for Fujitsu ETERNUS DX S3 series.
 import ast
 import base64
 import hashlib
-import six
 import time
-from xml.etree.ElementTree import parse

-from cinder import exception
-from cinder.i18n import _
-from cinder.volume import configuration as conf
+from defusedxml import ElementTree as ET
 from oslo_concurrency import lockutils
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_service import loopingcall
 from oslo_utils import units
+import six
+
+from cinder import exception
+from cinder.i18n import _
+from cinder.volume import configuration as conf

 LOG = logging.getLogger(__name__)
 CONF = cfg.CONF
@ -1099,7 +1100,7 @@ class FJDXCommon(object):
        LOG.debug("_get_drvcfg, input[%(filename)s][%(tagname)s].",
                  {'filename': filename, 'tagname': tagname})

-        tree = parse(filename)
+        tree = ET.parse(filename)
        elem = tree.getroot()

        ret = None
--- a/cinder/volume/drivers/nec/volume_common.py
+++ b/cinder/volume/drivers/nec/volume_common.py
@ -15,11 +15,11 @@
 #    under the License.

 import errno
-from lxml import etree
 import os
 import re
 import traceback

+from defusedxml import lxml as etree
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import excutils
--- a/cinder/volume/drivers/qnap.py
+++ b/cinder/volume/drivers/qnap.py
@ -23,11 +23,8 @@ import re
 import ssl
 import threading
 import time
-try:
-    import xml.etree.cElementTree as ET
-except ImportError:
-    import xml.etree.ElementTree as ET

+from defusedxml import cElementTree as ET
 from oslo_concurrency import lockutils
 from oslo_config import cfg
 from oslo_log import log as logging
--- a/cinder/volume/drivers/zadara.py
+++ b/cinder/volume/drivers/zadara.py
@ -18,7 +18,7 @@ Volume driver for Zadara Virtual Private Storage Array (VPSA).
 This driver requires VPSA with API version 15.07 or higher.
 """

-from lxml import etree
+from defusedxml import lxml as etree
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import strutils
--- a/requirements.txt
+++ b/requirements.txt
@ -5,6 +5,7 @@
 pbr!=2.1.0,>=2.0.0 # Apache-2.0
 Babel!=2.4.0,>=2.3.4 # BSD
 decorator>=3.4.0 # BSD
+defusedxml>=0.5.0  # PSF
 enum34>=1.0.4;python_version=='2.7' or python_version=='2.6' or python_version=='3.3' # BSD
 eventlet!=0.18.3,!=0.20.1,<0.21.0,>=0.18.2 # MIT
 greenlet>=0.4.10 # MIT