authorJohn Hua <john.hua@citrix.com>2016-06-08 11:23:32 +0800
committerJohn Hua <john.hua@citrix.com>2016-08-04 06:27:30 +0000
commit81210539bec2d87c3f102e8fd8a5529180911dda (patch)
treee02216617b1df0ac2800fefeecaf1d42665f26b3
parentc5c6eb5f878692d27aef832abc45be33aacdef7d (diff)
Fix potential security issues
Fix the potential security risks below so that the code passes the bandit test: * Any input should be quoted for subprocess call * Temp file should not use fixed name * Use yaml.safe_load to prevent loading arbitrary objects Change-Id: I71b4afb5805c8b1d7ead626f7fa2e15a687811fa Closes-Bug: 1590761 (cherry picked from commit 0fa17d68fc42a223aabe57a290bbe95780b9ae00)
Notes
Notes (review): Code-Review+2: Jianghua Wang <jianghua.wang@citrix.com> Workflow+1: Jianghua Wang <jianghua.wang@citrix.com> Verified+2: Jenkins Submitted-by: Jenkins Submitted-at: Thu, 04 Aug 2016 06:28:43 +0000 Reviewed-on: https://review.openstack.org/351014 Project: openstack/fuel-plugin-xenserver Branch: refs/heads/8.0
-rwxr-xr-xdeployment_scripts/compute_post_deployment.py25
-rw-r--r--metadata.yaml2
2 files changed, 13 insertions, 14 deletions
diff --git a/deployment_scripts/compute_post_deployment.py b/deployment_scripts/compute_post_deployment.py
index 0f47cb2..00c84e1 100755
--- a/deployment_scripts/compute_post_deployment.py
+++ b/deployment_scripts/compute_post_deployment.py
@@ -7,7 +7,7 @@ import os
7import re 7import re
8from socket import inet_ntoa 8from socket import inet_ntoa
9from struct import pack 9from struct import pack
10import subprocess 10import subprocess # nosec
11import sys 11import sys
12import stat 12import stat
13import yaml 13import yaml
@@ -47,7 +47,7 @@ def execute(*cmd, **kwargs):
47 else: 47 else:
48 env = None 48 env = None
49 logging.info(env_prefix + ' '.join(cmd)) 49 logging.info(env_prefix + ' '.join(cmd))
50 proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, 50 proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, # nosec
51 stderr=subprocess.PIPE, env=env) 51 stderr=subprocess.PIPE, env=env)
52 52
53 if 'prompt' in kwargs: 53 if 'prompt' in kwargs:
@@ -117,7 +117,7 @@ def get_astute(astute_path):
117 if not os.path.exists(astute_path): 117 if not os.path.exists(astute_path):
118 reportError('%s not found' % astute_path) 118 reportError('%s not found' % astute_path)
119 119
120 astute = yaml.load(open(astute_path)) 120 astute = yaml.safe_load(open(astute_path))
121 return astute 121 return astute
122 122
123 123
@@ -281,13 +281,13 @@ def route_to_compute(endpoints, himn_xs, himn_local, username):
281 ip, cidr = endpoint.split('/') 281 ip, cidr = endpoint.split('/')
282 net, mask = _net(ip), _mask(cidr) 282 net, mask = _net(ip), _mask(cidr)
283 if not _routed(net, mask, himn_local): 283 if not _routed(net, mask, himn_local):
284 params = ['route', 'add', '-net', net, 'netmask', 284 params = ['route', 'add', '-net', '"%s"' % net, 'netmask',
285 mask, 'gw', himn_local] 285 '"%s"' % mask, 'gw', himn_local]
286 ssh(himn_xs, username, *params) 286 ssh(himn_xs, username, *params)
287 # Always add the route to the udev, even if it's currently active 287 # Always add the route to the udev, even if it's currently active
288 cmd = ( 288 cmd = (
289 "printf 'if !(/sbin/route -n | /bin/grep -q -F {net}); then\n" 289 "printf 'if !(/sbin/route -n | /bin/grep -q -F \"{net}\"); then\n"
290 "/sbin/route add -net {net} netmask {mask} gw {himn_local};\n" 290 "/sbin/route add -net \"{net}\" netmask \"{mask}\" gw {himn_local};\n"
291 "fi\n' >> /etc/udev/scripts/reroute.sh" 291 "fi\n' >> /etc/udev/scripts/reroute.sh"
292 ) 292 )
293 cmd = cmd.format(net=net, mask=mask, himn_local=himn_local) 293 cmd = cmd.format(net=net, mask=mask, himn_local=himn_local)
@@ -302,12 +302,11 @@ def route_to_compute(endpoints, himn_xs, himn_local, username):
302 302
303def install_suppack(himn, username): 303def install_suppack(himn, username):
304 """Install xapi driver supplemental pack. """ 304 """Install xapi driver supplemental pack. """
305 # TODO(Johnhua): check if installed 305 tmp = ssh(himn, username, 'mktemp', '-d')
306 scp(himn, username, '/tmp/', XS_PLUGIN_ISO) 306 scp(himn, username, tmp, XS_PLUGIN_ISO)
307 ssh( 307 ssh(himn, username, 'xe-install-supplemental-pack', tmp + '/' + XS_PLUGIN_ISO,
308 himn, username, 'xe-install-supplemental-pack', 308 prompt='Y\n')
309 '/tmp/%s' % XS_PLUGIN_ISO, prompt='Y\n') 309 ssh(himn, username, 'rm', tmp, '-rf')
310 ssh(himn, username, 'rm', '/tmp/%s' % XS_PLUGIN_ISO)
311 310
312 311
313def forward_from_himn(eth): 312def forward_from_himn(eth):
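Review bot: Wrapping net and mask in literal double quotes (params at lines 284/285 and the printf template at 289/290 of route_to_compute) is not shell-safe quoting: inside double quotes the remote shell still expands `$`, backticks and backslashes, so this only guards against whitespace, and himn_local in the same lines stays unquoted. Since these arguments end up in a command string for the remote shell (the ssh helper is outside this hunk, so how it assembles the command is inferred), the robust form is to apply `pipes.quote(net)` / `pipes.quote(mask)` (`shlex.quote` on Python 3) to each argument instead of hand-placed quotes. The install_suppack hunk has the same gap: `tmp` returned by the remote `mktemp -d` is passed back to scp and ssh unquoted, and if ssh returns stdout verbatim its trailing newline would land inside `tmp + '/' + XS_PLUGIN_ISO`, so `tmp = ssh(himn, username, 'mktemp', '-d').strip()` is worth confirming; the `rm -rf` cleanup also does not run if the install call raises, which a try/finally would cover. The route_to_compute body continues past both edges of its hunk.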
diff --git a/metadata.yaml b/metadata.yaml
index 1e3780f..6cb1a1b 100644
--- a/metadata.yaml
+++ b/metadata.yaml
@@ -3,7 +3,7 @@ name: fuel-plugin-xenserver
3# Human-readable name for your plugin 3# Human-readable name for your plugin
4title: XenServer Plugin 4title: XenServer Plugin
5# Plugin version 5# Plugin version
6version: '3.90.1' 6version: '3.90.2'
7# Description 7# Description
8description: Enable Mirantis OpenStack to integrate with Xenserver 8description: Enable Mirantis OpenStack to integrate with Xenserver
9# Required fuel version 9# Required fuel version